  1. #1
    Join Date
    Jul 2009
    Posts
    21

    Unanswered: Database Security

    Hi,
    I currently have a database in MS SQL2008 which is accessed via a VB2008 app on a Local Area network. The password for the database is hardcoded within the app.config file in the program. However, I want to transfer the database out to the web. To that end I have set up a virtual server to host the database and transferred a copy of the database with some dummy data to the site. I have written an ASP 3.5 app to log in to that test database. The ASP app lets me have a secure user login via authentication within the web.config file (SHA1). Works fine and brings me back a selection of records to a gridview. I can also make the connection from the VB2008 LAN app. However, I cannot figure out how to make this latter a secure connection as is the case with the ASP program. Note: the VB2008 type app is required as it has a large number of modules for speedy data entry, etc. which will not be incorporated within the web app.


    Anyone any ideas?

    Yours
    Morke

  2. #2
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    I am not totally clear: Do you want to encrypt the connection to the database, or the connection string for the connection? I suspect the latter, in which case this is a VB.NET application problem not a SQL Server one.

  3. #3
    Join Date
    Jul 2009
    Posts
    21
    Hi,
    I am looking for a solution which will allow secure access to the database.
    Morke

  4. #4
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    That wasn't the question.

    Ok - I'll be really specific:
    Are you storing a password in plain text in your app.config file? Is it this that is insecure?


    Is your connection to the database unencrypted? Is it this that is insecure?


    If neither of these things is what is preventing "secure access to the database", please can you describe very clearly (in different terms) what the present situation is and what you want your final situation to be.

  5. #5
    Join Date
    Jul 2009
    Posts
    21
    In the VB.NET application the password is in plain text in app config. As the PCs on the LAN are all in a secure area this is sufficiently secure for accessing the data.
    On the asp.net version I can encrypt the connection string (web.config), thereby preventing someone sniffing the login name and password.
    Morke

  6. #6
    Join Date
    Feb 2004
    Location
    One Flump in One Place
    Posts
    14,912
    Just to be sure you understand - encrypting the connection string in web.config does not encrypt the connection to SQL Server. You understand this right? It does prevent someone reading it from the config file but does not prevent someone intercepting communication between the application and SQL Server.

    In other words, whether or not your connection information is encrypted at the client will not affect the security of the connection itself. In order to encrypt the connection you need a trusted certificate on SQL Server and you need to specify encrypted in the connection string.

    If I have missed your meaning again I think I'll step out and let someone else have a go since I am clearly not getting it.
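
The two requirements named in post #6 (encryption requested in the connection string, and a server certificate the client trusts), shown as an added example that is not code from anyone in this thread. The server name, credentials and the `APP_DB_CONNECTION` environment variable are placeholders; the server itself is asked whether the session is encrypted rather than trusting the client setting.

```vbnet
Imports System
Imports System.Data.SqlClient

Module EncryptedConnectionExample

    ' Takes an existing connection string (e.g. the one from app.config) and
    ' forces transport encryption with server certificate validation.
    Function RequireEncryption(ByVal connectionString As String) As String
        Dim b As New SqlConnectionStringBuilder(connectionString)
        b.Encrypt = True                  ' ask for an encrypted channel
        b.TrustServerCertificate = False  ' fail if the certificate cannot be validated
        Return b.ConnectionString
    End Function

    ' Asks SQL Server whether the current session is actually encrypted.
    ' Reading sys.dm_exec_connections requires VIEW SERVER STATE permission.
    Function SessionIsEncrypted(ByVal conn As SqlConnection) As Boolean
        Const query As String = "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        Using cmd As New SqlCommand(query, conn)
            Dim result As String = Convert.ToString(cmd.ExecuteScalar())
            Return String.Equals(result, "TRUE", StringComparison.OrdinalIgnoreCase)
        End Using
    End Function

    Sub Main()
        ' Constructed sample string with placeholder values; no connection is made with it.
        Dim sample As String = "Server=sql.example.com;Database=TestDb;User Id=app_user;Password=placeholder"
        Dim hardened As New SqlConnectionStringBuilder(RequireEncryption(sample))
        Console.WriteLine("Encrypt={0}, TrustServerCertificate={1}", hardened.Encrypt, hardened.TrustServerCertificate)

        ' Optional live check: APP_DB_CONNECTION is a hypothetical variable name.
        Dim live As String = Environment.GetEnvironmentVariable("APP_DB_CONNECTION")
        If String.IsNullOrEmpty(live) Then Return
        Try
            Using conn As New SqlConnection(RequireEncryption(live))
                conn.Open()
                Console.WriteLine("Server reports session encrypted: {0}", SessionIsEncrypted(conn))
            End Using
        Catch ex As SqlException
            ' An untrusted or mismatched server certificate, or a missing
            ' VIEW SERVER STATE permission, ends up here.
            Console.WriteLine("Connection or check failed: " & ex.Message)
        End Try
    End Sub

End Module
```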

  7. #7
    Join Date
    Jul 2009
    Posts
    21
    Ok! Let me rephrase everything. The question is how can one access an internet based MSSql database securely over the internet with a VB2008.Net (not ASP) application?
    Morke
