开发者

avoid giving userid/pass in connection string

im using a shared hosting company to host my site and db. they are both being hosted on the same server.

to access the db i am currently supplying userid and password in the connection string within the web config.

this just makes me really 开发者_如何学JAVAuncomfortable.

is there i way to avoid giving userid/pass in web.config connection string?


You can switch to OS authentication:

Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;

In this case grant db access to the account your site runs under. Or, just encrypt your connectionStrings section in web.config.

Update: I'm not sure how this happens in hosting environments (the hoster should have some FAQ), but if your server is dedicated one and you have administrative privilegies on your Sql Server you can do that like

create login [NT AUTHORITY\NETWORK SERVICE] from windows
create user [NT AUTHORITY\NETWORK SERVICE] for login [NT AUTHORITY\NETWORK SERVICE]
exec sp_addrolemember 'db_datareader',[NT AUTHORITY\NETWORK SERVICE]

The account to grant access to is one the application pool in IIS is running under. NetworkService is default for IIS 6.0 but if the server is shared you probably have a custom account (granting access to NetworkService on shared server will expose your db to any service running under NetworkAccount).

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜