发表新帖
发表新帖

How do I avoid having the database password stored in plaintext in sourcecode?

前端 未结
关注
6 1593
情书的邮戳
情书的邮戳 2021-01-01 12:17

In the web-application I\'m developing I currently use a naive solution when connecting to the database:

Connection c = DriverManager.getConnection(\"url\",
相关标签:
6条回答
  • 傲寒
    2021-01-01 12:19

    Unless I am missing the point the connection should be managed by the server via a connection pool, therefore the connection credentials are held by the server and not by the app.

    Taking this further I generally build to a convention where the frontend web application (in a DMZ) only talks to the DB via a web service (in domain), therefore providing complete separation and enhanced DB security.

    Also, never give priviliges to the db account over or above what is essentially needed.

    An alternative approach is to perform all operations via stored procedures, and grant the application user access only to these procs.

    0 讨论(0)
  • 隐瞒了意图╮
    2021-01-01 12:27

    I can recommend these techniques for .NET programmers:

    • Encrypt password\connection string in config file
    • Setup trusted connection between client and server (i.e. use windows auth, etc)

    Here is useful articles from CodeProject:

    • Encrypt and Decrypt of ConnectionString in app.config and/or web.config
    0 讨论(0)
  • 再見小時候
    2021-01-01 12:27

    Assuming that you are using MS SQL, you can take advantage of windows authentication which requires no ussername/pass anywhere in source code. Otherwise I would have to agree with the other posters recommending app.config + encryption.

    0 讨论(0)
  • 轻奢々
    2021-01-01 12:29
    1. Create an O/S user
    2. Put the password in an O/S environment variable for that user
    3. Run the program as that user

    Advantages:

    1. Only root or that user can view that user's O/S environment variables
    2. Survives reboot
    3. You never accidentally check password in to source control
    4. You don't need to worry about screwing up file permissions
    5. You don't need to worry about where you store an encryption key
    6. Works x-platform
    0 讨论(0)
  • 别那么骄傲
    2021-01-01 12:36

    You can store the connection string in Web.config or App.config file and encrypt the section that holds it. Here's a very good article I used in a previous project to encrypt the connection string:

    http://www.ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html

    0 讨论(0)
  • 遇见更好的自我
    2021-01-01 12:42

    In .NET, the convention is to store connectionstrings in a separate config file.

    Thereon, the config file can be encrypted.

    If you are using Microsoft SQL Server, this all becomes irrelevant if you use a domain account to run the application, which then uses a trusted connection to the database. The connectionstring will not contain any usernames and passwords in that case.

    0 讨论(0)
 看不清?
提交回复
热议问题