I have an ASP.NET page that uses the MySQL.NET library to access a MySQL DB on the server. My question is about storing the connection string in the web.config. The MySQL.NET connection string looks like:
"server=localhost;user=user;database=db;password=pw"
I have to assume having the pw in the web.config as plain text isn't a good thing. What are my options to getting around this?
You can encrypt the connection string in your web.config.
For more information : Securing Connection Strings
You can encrypt Web.config using "Protected Configuration". See here on MSDN for a full overview of the process:
http://msdn.microsoft.com/en-us/library/dtkwfdky(v=vs.100).aspx
Related
We have an ASP .NET (MVC) app and are using Entity Framework 6 to connect to our databases. The DbContext is constructed in a standard way and it loads the connection string on our behalf. The generated code looks like this:
public partial class MyContext : DbContext
{
public MyContext(string connectionName)
: base("name=" + connectionName)
{
}
}
We set the connection string in a local web.config also in a standard way:
<configuration>
<connectionStrings>
<add name="DefaultConnection"
connectionString="metadata=...;provider connection string="...""
providerName="System.Data.EntityClient" />
When we publish the app to Azure we navigate to the Azure Portal, then to the Web App's Settings, then to the list of Connection Strings. There we add the EF connection string that we had used locally. When we restart and visit the app we get a run-time error depending on the type of connection string we choose.
For a Custom type we get the following run-time error:
Keyword not supported: 'data source'.
For SQL Server or SQL Database we get the following run-time error:
Keyword not supported: 'metadata'.
This really seems like a straightforward story so we are wondering what is going wrong.
The problem is the escaped quotes: ".
The connection strings in web.config have quotes escaped because they are serialized in an XML attribute. When entering a connection string in the Azure portal you should provide the raw unescaped string. Something like this:
metadata=...;provider connection string="Data Source=..."
David Ebbo's answer is good for confirming that the Environment is set up as you expect. It is also helpful to pay attention to the .pubxml file when publishing via the wizard in Visual Studio: it will try to populate connection strings as well.
'custom' should be correct here. In that case, the providerName is left unchanged, so if you have System.Data.EntityClient in your config, that should remain after the Azure runtime changes it.
Try going to Kudu Console and click on Environment to make sure the conn string looks correct there.
If you have this line in web.connfig
<add name="Entities" connectionString="metadata=res://*/TestDB.csdl|res://*/TestDB.ssdl|res://*/TestDB.msl;provider=System.Data.SqlClient;provider connection string="Data Source=XXXXXXXX.database.windows.net,1433;Initial Catalog=YourDB;User ID=YourUser;Password=XXXXXX"" providerName="System.Data.EntityClient" />
Add this in azure portal:
Name Column => Entities
Value Column => metadata=res://*/TestDB.csdl|res://*/TestDB.ssdl|res://*/TestDB.msl;provider=System.Data.SqlClient;provider connection string="Data Source=XXXXXXXX.database.windows.net,1433;Initial Catalog=YourDB;User ID=YourUser;Password=XXXXXX"
"Custom" - In the drop selection box
Make sure (as stated in first answer) to replace " with "
Just recording my own experiences in addition to answers already recorded here
This was my final connection string (on mutliple lines for clarity)
metadata=res://*/Models.mBT.csdl|res://*/Models.mBT.ssdl|res://*/Models.mBT.msl;
provider=System.Data.SqlClient;
provider connection string="
Data Source=tcp:myazureserver.database.windows.net,1433;
Initial Catalog=databasename;
User ID=z#myazureserver;
Password=xyz"
To convert from a "normal" connection string to one that is accepted by EF:
The connection string type in the application settings has to be "other" not "SQL Azure"
The connection string value automatically replaces anything published in web.config
The metadata name Models.mBT.csdl (and the other two) comes from this:
Firstly, mBT is the name of my .edmx file
With regards to the Model. bit, see the answer from #leqid here: MetadataException: Unable to load the specified metadata resource
You can inspect your obj directory and see these three metadata files are in a subfolder called Models, so you need to prepend with Models.
I use ASP.NET for web and Oracle for the database. For communicating between ASP.NET and Oracle I use ODP.NET. I have specified the connection string in web.config file as such:
<connectionStrings>
<add name="main" connectionString="Data Source=AGAPUSTEST; User Id=agapus;Password=pswd;"/>
</connectionStrings>
When I try to establish connection using this connection string I get "Integrated Security is an invalid connection string attribute" error. As you can see I have not specified this attribute in the configuration file. So at some point this attribute probably gets added automatically.
I used to have the connection string hard coded and I didn't have any problems at all. Do you have any ideas how to solve this?
Luckily I have found the solution. I'd provided the web config content but I had not given you the code I use to access the connection string from code behind. Here's the code:
string conString = ConfigurationManager.ConnectionStrings[0].ConnectionString;
As I was suspecting Integrated Security attribute being added automatically I was almost sure that some other connection string was retrieved. I tired changing ConnectionStrings[0] to ConnectionStrings["main"] and voila, it worked. So although there's only one connection string in the configuration file, the 0th one is not the one I needed. When I displayed the 0th connection string look what I got:
data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true
I'm sure you guessed where it comes from, from the machine.config file. So to make everything clean and safe I've once more been convinced that accessing by name is most of the time a better idea.
Looks like they are talking about this problem here:
https://community.oracle.com/thread/585813?tstart=405
Seems the solution could be to use User Id=/ in the connection string and see if that works
Also make sure to have your sqlnet.ora have "SQLNET.AUTHENTICATION_SERVICES = (NTS)"
private string conString = "Data Source=173.56.33.6;Database=musicapp;User ID=guest;Password=guest";
I was working on local database at that time my application was successfully interacting with mysql database.when put the database on server, my application still taking the old connection string and data is stored in local database and not on server.
what is wrong?
I'd remove hard coded connection strings all together. There is a dedicated section of your config file for this very purpose:
<connectionStrings>
<add name="MusicApp" connectionString="Data Source=173.56.33.6;Database=musicapp;User ID=guest;Password=guest;" />
</connectionStrings>
Which you can then read out:
string connection = ConfigurationManager.ConnectionStrings["MusicApp"].ConnectionString;
I think your problem is that you have the connection string hard-coded in your code (as a private string that you show above). A much better way is to store it in the config file, use Settings in VS and select ConnectionString as type.
Make sure whether you updated your connection string when you transfered your DB to server. In any case it is best to store connection string in web.config, so that you can modify it when ever your db is changed or transferred to another location. This change in connection string in your web.config wouldn't require you to rebuild your application. Although if your connection string is hard-coded in code, then you would require to rebuild your application when ever you change the connection string.
if Data Source=173.56.33.6; is the location of your server database try this instead Data Source=\173.56.33.6;
i have a website built in asp.net connecting to a sql 2000 db. within my web.config file, i have a connection string referencing a DSN. in order for my db connection to work i have to include the username and password within the string. for security reasons, is there any way to connect to my db without displaying the username and password. maybe a method to encrypt the information?? the trusted connection string method did not work for me.
current method
Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;
trusted method (did not work in my server environment)
Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;
You can encrypt connection strings in your web.config file.
See How To: Secure Connection Strings When Using Data Source Controls on MSDN.
For MySQL with port number
<add name="constring" connectionString="Server=localhost;Uid=root;Database=databasename;Port=3306;" providerName="MySql.Data.MySqlClient"/>
I want to keep encrypted connection string and stmp information in the web.config.
can I store Connection String and SMTP information in web.config encrypted and where I need just decrypted and use?
OR
What is the point/event where i can encrypt the Connection String and SMTP and save in the web.config? (and if the changes happen in web.config in that, is existing session expired?)
What is the best solution?
Thanks
It's easy to do with aspnet_regiis.exe- look at the pe/pd/pef and pdf options. You can also do it programmatically. It works by encrypting a specific configuration section. In your case that is the connectionStrings and smtp sections.
You can use either DPAPI or RSA and you can encrypt on either a machine wide basis or on a specific user account.