Secure SQL Connection

07-18-2007, 08:01 PM
I am trying to connect to a SQL 2005 DB with the most secure connection possible. I have an SSL certificate to encrypt all data; however, I feel that my webpage is vulnerable. I am connecting using an ASP function within the page.

' Build the ODBC connection string from the variables set in the function below, then open it
check_connectstr = "Driver={SQL Server};SERVER=" & db_server & ";DATABASE=" & db_name & ";UID=" & db_username & ";PWD=" & db_userpassword
Set checkConn = Server.CreateObject("ADODB.Connection")
checkConn.Open check_connectstr

and the function:

Function DBConnectionTwunk()
    ' Routine makes the SQL Server DB connection settings available to the page
    db_server = "serversite.com"
    db_name = "nameDB"
    db_username = "user"
    db_userpassword = "123456"
End Function

Both bits of code reside on the page itself, inside <% %>. What is the best practice to get this out of the page and hidden from possible attacks? I have been trying to find a tutorial online or code help for the last couple of days and have found nothing that I can use or comprehend.

Can someone PLEASE lead me in the right direction?

We want to submit info to the DB, export and delete it from the DB, and process it in-house.


07-18-2007, 08:52 PM
Dude9er --

You have a couple of options, one is not necessarily better than the other:

1) Use your function. If it's inside the ASP, the username and password are never transmitted over the net. However, if anyone gets access to your source code, you are vulnerable. SOLUTION: Keep an unencrypted version of your ASP on a development box, while using SRCENC from Microsoft to encode/encrypt your source ASP. Keep the encrypted version on the webserver. NOTE: Once the files are encrypted, YOU CANNOT UNENCRYPT THEM. Not even MS can... Keep this in mind if you want to use this solution.

2) Use INCLUDES. Similar to above, but the include files are added only when needed, rather than on every page. INCLUDE files can be encrypted, while the other source material does not have to be.

3) Use DSN connections. While some people claim that DSN connections are slower, they ensure that your connection information NEVER gets transmitted over the web. It is safely tucked away behind your firewalls. If someone were to ever get the source code, that's (relatively) OK because the connection information would only say Conn.Open "DSN=myConnection" -- not really helpful. Also, only certain people (server admins, web admins) ever need to have that connection information in the first place, helping to reduce social engineering.

Let me know if you have any other questions.
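
The include-file and DSN approaches from options 2 and 3, as an added example that is not code from this thread; it assumes an ODBC DSN named myConnection has been created on the web server, that the include is published under /includes, and a table name of dbo.Submissions:

```vbscript
<%
' ---- /includes/dbconn.asp -------------------------------------------------
' Server-side include holding the connection routine. It is named .asp, not
' .inc, on purpose: IIS runs .asp through the script engine, whereas a directly
' requested .inc file is served back as plain text, exposing whatever it holds.
' No login or password appears here; the ODBC DSN configured on the web server
' (option 3 above) supplies the server, database and credentials.
Const DB_DSN = "myConnection"   ' assumed DSN name, created in ODBC Data Sources

Function DBConnectionTwunk()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=" & DB_DSN    ' nothing secret travels in this string
    Set DBConnectionTwunk = conn
End Function
%>

<!-- submit.asp (the page itself): the include directive sits outside <% %> -->
<!--#include virtual="/includes/dbconn.asp" -->
<%
Dim conn, rs
Set conn = DBConnectionTwunk()

' Use the connection; the page never embeds or even sees the credentials,
' so someone who reads this page's source learns only the DSN name.
Set rs = conn.Execute("SELECT COUNT(*) AS n FROM dbo.Submissions")  ' assumed table
Response.Write "Rows waiting for export: " & rs("n")

rs.Close
conn.Close
Set rs = Nothing
Set conn = Nothing
%>
```

If a DSN cannot be used, the same include file is where the server/user/password variables would live instead (option 2), so that only that one file needs encoding with the Script Encoder.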


07-18-2007, 09:01 PM
Daemonspyre, thanks for the feedback so far. I feel much better about the issue. I have just begun to build multiple include files. I have a question: how do I encrypt the file itself? I did a quick Google search and found this download; is this what I would need to use? http://www.aspencrypt.com/

THANKS for the help!!

07-18-2007, 09:13 PM
ASPEncrypt is more for email and file encryption, not source code encryption.

If you just want to store the files, then use TrueCrypt (http://www.truecrypt.org).

Here's the Microsoft Script Encoder. It's a command-line tool that encrypts ALL the ASP/.NET code on your pages. BE VERY CAREFUL WHEN USING IT! Like I said before, you cannot unencrypt the files once this is finished, so make sure that you are doing this on a copy of your data and away from your originals/production version.
The instructions on how to use the software (including all the switches) are located in the software and here (http://msdn2.microsoft.com/en-us/library/cbfz3598.aspx).

Couple of other notes:

1) If you are using IIS 5.1 (XP's Personal Web Server) and above, then you can run both encrypted and unencrypted ASP together. Otherwise, your entire application has to be one or the other.

2) Make sure you keep 2 (or more) copies of the production code unencrypted. I cannot stress this enough. Speaking from personal experience, you do not want to have to recreate your application from scratch because you messed up the command and overwrote your original source files.