  1. #1

    Secure SQL Connection

    I am trying to connect to a SQL 2005 DB with the most secure connection possible. I have an SSL certificate to encrypt all data, however I feel that my webpage is vulnerable. I am connecting using an ASP function within the page.

    Code:
    DBConnectionTwunk()
    check_connectstr = "Driver={SQL Server};SERVER=" & db_server & ";DATABASE=" & db_name & ";UID=" & db_username & ";PWD=" & db_userpassword
    Set checkConn = Server.CreateObject("ADODB.Connection")
    checkConn.Open check_connectstr
    countrec = 0
    and function

    Code:
    Function DBConnectionTwunk()
    	'Routine makes SQLServer DB Conn
    	'Connection settings are hard-coded in the page source
    	db_server = "serversite.com"
    	db_name = "nameDB"
    	db_username = "user"
    	db_userpassword = "123456"
    End Function
    Both bits of code reside on the page itself using <% %>. What is the best practice to get this out of the page and hidden from possible attacks? I have been trying to find some tutorial online or code help for the last couple of days and have found nothing that I can use or comprehend.

    Can someone PLEASE lead me in the right direction?

    We want to submit info to DB, export and delete it out of the DB and process it in-house.

    THANKS!!!

  • #2
    Dude9er --

    You have a couple of options, one is not necessarily better than the other:

    1) Use your function. If it's inside the ASP, the username and password are never transmitted over the net. However, if anyone gets access to your source code, you are vulnerable. SOLUTION: Keep an unencrypted version of your ASP on a development box, while using SCRENC from Microsoft to encode/encrypt your source ASP. Keep the encrypted version on the webserver. NOTE: Once the files are encrypted, YOU CANNOT UNENCRYPT THEM. Not even MS can... Keep this in mind if you want to use this solution.

    2) Use INCLUDES. Similar to above, but the include files are added only when needed, rather than on every page. INCLUDE files can be encrypted, while the other source material does not have to be.

    3) Use DSN connections. While some people claim that DSN connections are slower, they ensure that your connection information NEVER gets transmitted over the web. It is safely tucked away behind your firewalls. If someone were to ever get the source code, that's (relatively) OK because the connection information would only say Conn.Open "DSN=myConnection" -- not really helpful. Also, only certain people (server admins, web admins) ever need to have that connection information in the first place, helping to reduce social engineering.

    Let me know if you have any other questions.

    HTH!
    To say my fate is not tied to your fate is like saying, 'Your end of the boat is sinking.' -- Hugh Downs
    Please, if you found my post helpful, pay it forward. Go and help someone else today.
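
Added example, not part of the original posts: options 2 and 3 from the reply above combined in classic ASP, with the connection opened in one include file through a DSN so that no server name, login or password appears in any page. The file names, the function name `OpenAppConnection` and the choice of a system DSN configured for Windows authentication are assumptions made for illustration.

```asp
<%
' ===== /includes/dbconn.asp (hypothetical file name) =====
' Given an .asp extension so a direct browser request is run by the ASP
' engine and returns an empty page, instead of being served as readable text.
Function OpenAppConnection()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.ConnectionTimeout = 15

    On Error Resume Next
    ' "myConnection" is the DSN name used in the reply above. Assumed here:
    ' a system DSN set to Windows authentication, so no UID/PWD is in source.
    conn.Open "DSN=myConnection"
    If Err.Number <> 0 Then
        ' Do not echo Err.Description to the browser: driver errors can
        ' name the server, database and login.
        Err.Clear
        Set conn = Nothing
    End If
    On Error GoTo 0

    Set OpenAppConnection = conn
End Function
%>

<!-- ===== submit.asp (hypothetical page that uses the include) ===== -->
<!--#include virtual="/includes/dbconn.asp"-->
<%
Dim checkConn
Set checkConn = OpenAppConnection()
If checkConn Is Nothing Then
    ' Generic failure message only; details stay on the server.
    Response.Status = "503 Service Unavailable"
    Response.Write "The service is temporarily unavailable."
    Response.End
End If

' Queries run on checkConn from this point on.

checkConn.Close
Set checkConn = Nothing
%>
```

With Windows authentication the database login is the identity the web application runs under, so that account needs only the rights the pages actually use on the database.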

  • #3
    Daemonspyre, thanks for the feedback so far. I feel much better about the issue. I have just begun to build multiple include files. I have a question: how do I encrypt the file itself? I did a quick Google search and found this download. Is this what I would need to do? http://www.aspencrypt.com/

    THANKS for the help!!

  • #4
    ASPEncrypt is more for email and file encryption, not source code encryption.

    If you just want to store the files, then use TrueCrypt.

    Here's the Microsoft Script Encoder. It's a command line tool that encrypts ALL the ASP/.Net code on your pages. BE VERY CAREFUL WHEN USING IT! Like I said before, you cannot unencrypt the files once this is finished, so make sure that you are doing this on a copy of your data and away from your originals/production version.

    http://www.microsoft.com/downloads/d...displaylang=en

    The instructions on how to use the software (including all the switches) are located in the software and here.

    Couple of other notes:

    1) If you are using IIS 5.1 (XP's Personal Web Server) and above, then you can run both encrypted and unencrypted ASP together. Otherwise, your entire application has to be one or the other.

    2) Make sure you keep 2 (or more) copies of the production unencrypted. I cannot stress this enough. Speaking from personal experience, you do not want to have to recreate your application from scratch because you messed up the command and overwrote your original source files.

