Security and the ADODB.Connection object


  1. #1

    Does anyone know how to open an ADO connection without revealing the user/password settings in the ConnectionString?

    I have a function that returns an open ADODB.Connection object, but I don't want the user/developer to know what userid and password were used.

    Look at this snippet:

        Function InitDBConn()
            Dim dbConn

            Set dbConn = Server.CreateObject("ADODB.Connection")
            ' Credentials are embedded in the connection string
            dbConn.Open "dsn=stuff;uid=user;pwd=userpwd"

            Set InitDBConn = dbConn
        End Function

    Now, if the user does this...

        Set NewDbConn = InitDbConn()
        Response.Write NewDbConn

    They will be able to see all the parameters in the Connection object, including the userid and password.

    1) Does anyone know how to secure the attributes of the ADODB.Connection object?
    2) Is there a way to have the ADO Connection object read the parameters from a file?
    3) If the ADO Connection object reads parameters from a file, would the parameters still show up if the user did a Response.Write?

    Thanks,
    JP

  2. #2
    Jason Buck Guest

    RE: Security and the ADODB.Connection object

    Yes, you are on the right path. I use an Include file

        <!--#include virtual="/trust/dbcon.txt" -->

    for the beginning of my database connection. Then another Include file to close my connection.

        <!--#include virtual="/trust/closecon.txt" -->

    Of course the path to the include is revealed. Which ultimately leads to the connection string information.

    So this is where you have to get tricky.

    Save your include file in a non-web accessible directory.

    When the user logs in, copy the Include file temporarily from C:\NONWEB (non-web accessible) to C:\Trust\dbcon.txt (virtual directory).

        <%
        Dim fn1, copyto1, fso1

        fn1 = "C:\NonWEB\dbcon.txt"
        copyto1 = "C:\trust\dbcon.txt"

        Set fso1 = CreateObject("Scripting.FileSystemObject")
        fso1.CopyFile fn1, copyto1, True

    Now check the UserLogin and Password from database table or whatever. If they are good, then leave dbcon in trust.
    If bad:

    Then do the following

        Else

        copyto1 = "C:\trust\dbcon.txt"

        Set fso1 = CreateObject("Scripting.FileSystemObject")
        fso1.DeleteFile copyto1, True

        Response.Redirect "login.htm"  ' or wherever you have the user enter login information

    I hope I was clear in explaining this to you.

    If not,

    please contact me.

    Jason
    webmaster@wnj.com
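
The reply above places dbcon.txt, which holds the connection string, under the /trust virtual directory. As an added example (not part of the thread and not either poster's code), this Python audit walks a web root and reports static-text files that contain connection-string credentials, along with the .asp pages that include them; the extension list, function names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions assumed to be returned as raw text rather than executed
# (an assumption for this example; match it to the server's handler mappings).
STATIC_TEXT_EXTS = {".txt", ".inc", ".bak", ".old"}
# Credential keys in ADO/ODBC connection strings.
CRED_RE = re.compile(r"\b(uid|user id|pwd|password)\s*=\s*[^;\"'\s]+", re.I)
# Server-side include directives of the form used in the thread.
INCLUDE_RE = re.compile(r"<!--\s*#include\s+(virtual|file)\s*=\s*\"([^\"]+)\"", re.I)

def scan_webroot(webroot):
    """Find static-text files under webroot that contain DB credentials."""
    root = Path(webroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in STATIC_TEXT_EXTS:
            continue
        text = path.read_text(errors="replace")
        keys = sorted({m.group(1).lower() for m in CRED_RE.finditer(text)})
        if keys:
            # Report key names only; credential values are never stored.
            rel = "/" + path.relative_to(root).as_posix()
            findings.append({"url_path": rel, "keys": keys})
    return findings

def included_static_files(webroot):
    """List virtual includes in .asp pages that point at static-text files."""
    hits = []
    for page in sorted(Path(webroot).rglob("*.asp")):
        for kind, target in INCLUDE_RE.findall(page.read_text(errors="replace")):
            if kind.lower() == "virtual" and Path(target).suffix.lower() in STATIC_TEXT_EXTS:
                hits.append((page.name, target))
    return hits

def build_sample(root):
    """Constructed sample tree mirroring the thread's layout (not real data)."""
    (root / "trust").mkdir()
    (root / "trust" / "dbcon.txt").write_text('<% dbConn.Open "dsn=stuff;uid=user;pwd=userpwd" %>\n')
    (root / "trust" / "closecon.txt").write_text("<% dbConn.Close %>\n")
    (root / "default.asp").write_text('<!--#include virtual="/trust/dbcon.txt" -->\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_webroot(build_sample(Path(tmp))))
```

Each reported `url_path` is relative to the scanned web root; a file listed there should be moved outside the web root or mapped to a handler that does not return its contents.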
