SQL server conn string?


  1. #1

    Hi everyone,

    I've never built an application on SQL Server before and now I'm about to. Is trusted_connection=yes a security risk? What's the most secure conn string I can use? Most people say don't use the sa account. Is this the right way?

    Any advice is really appreciated.
    Ted

  2. #2

    You shouldn't use the sa account because if you happen to leave holes anywhere in your code, it could compromise your entire server. For example, let's say you have a query screen that has a text box that users type in. You set up a statement like:

    "SELECT * FROM mytable WHERE value='" & mytextboxvalue & "'"

    Someone up to no good types in "%'; SHUTDOWN--" or something much more despicable. They have a window to the server through your text box, acting as admin. Dangerous stuff. What you should do is set up an account that has read only (or very little write) to the specific database your screens are using. That way, the worst case scenario is that they can only tear up your one database, or perhaps only parts of the database, depending on how you set up security.

    It's not so much the connection string itself that's the problem. It's the user you've established in that connection string that's the problem.
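An added example, not part of either post: the reply's advice written as T-SQL, assuming a database MyAppDb, a login app_reader and a table dbo.mytable with a [value] column (all placeholder names, as is the password). It creates a login limited to SELECT on that one table, checks what the login can do, and runs the search with the text-box value bound as a parameter instead of concatenated into the statement.

```sql
-- Added example; MyAppDb, app_reader, dbo.mytable and the password are placeholders.
-- Run once as an administrator when the application is deployed.
USE master;
CREATE LOGIN app_reader
    WITH PASSWORD = '<long-random-password>', CHECK_POLICY = ON;
GO

USE MyAppDb;
CREATE USER app_reader FOR LOGIN app_reader;
-- Grant only what the query screen needs: read access to a single table.
GRANT SELECT ON OBJECT::dbo.mytable TO app_reader;
GO

-- Confirm the effective rights before the login goes into a connection string.
-- Each column is 1 when the impersonated login holds that right, 0 otherwise.
EXECUTE AS LOGIN = 'app_reader';
SELECT HAS_PERMS_BY_NAME('dbo.mytable', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.mytable', 'OBJECT', 'DELETE') AS can_delete,
       HAS_PERMS_BY_NAME(NULL, NULL, 'SHUTDOWN')            AS can_shutdown,
       IS_SRVROLEMEMBER('sysadmin')                         AS is_sysadmin;
REVERT;
GO

-- The search itself: the user's text is passed as a typed parameter, so it is
-- compared against the column as data and is never parsed as SQL.
DECLARE @search nvarchar(100) = N'%''; SHUTDOWN--';  -- the input quoted in the reply
EXEC sys.sp_executesql
     N'SELECT * FROM dbo.mytable WHERE [value] = @v',
     N'@v nvarchar(100)',
     @v = @search;
GO
```

The application then connects as app_reader rather than sa, so a flaw in any one query is bounded by the rights granted above.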
