«

Hi everybody,
I currently have my SQL Server connection string in an
Application variable in the global.asa.

Could that be a security risk?

I have heard that with Cold Fusion, when there is a page error.... the
actual Connection String is written to the screen as part of the error
page....

I'm quite sure that would not occur in ASP but just wanted to be sure,
and get a few expert opinions....

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

> I have heard that with Cold Fusion, when there is a page error.... the
> actual Connection String is written to the screen as part of the error
> page....

That sounds kind of weird to me...

> I'm quite sure that would not occur in ASP but just wanted to be sure,
> and get a few expert opinions....

global.asa should be fine, as long as you're not running a very early and
unpatched version of IIS 4.0.

Keep in mind, though, that your ASP pages are only as secure as the server
they're hosted on. No matter how deep you bury your connection string, it
is accessible to anyone who can penetrate the file system. Even if you bury
your connection string in a DLL, if your ASP pages can access it, then an
intruder could write an ASP page that uses response.write to display it (or,
if the connection string isn't a property, they could retrieve information
from running commands directly against the database via the DLL).

It's all about trade-offs...

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/