如何在web.config中编辑连接字符串 [英] How to edit connection string in web.config

问题描述

我想为图书馆创建软件.用于连接数据库，我使用了Codefirst过流.
我的项目中有一个表单，用户可以在其中输入服务器名称，用户ID和密码.
现在我不知道我的连接字符串要保存在哪里.
如果我将connectionString保存到web.config或app.config中，那么当用户更改服务器名称(或用户名或密码)时如何进行编辑?
从本质上讲，我们将连接字符串存储在web.config中是正确的吗?(因为任何人都可以用记事本打开它并获取用户名和密码)

I want to create a software for a library. for connection to database i used Codefirst overfolw.
I have a form in my project that user enter server name and user id and password in it.
Now I don''t Know that where my connection string to save.
if I save connectionString to web.config or app.config , how edit it when user change your server name(or username or password)?
and essentially is correct that we store connection string in web.config ?(because any one can open it with notepad and get username and password)

推荐答案

您要根据用户输入在运行时创建连接字符串.因此，将连接字符串存储在web.config文件中并不是一个好的解决方案，特别是对于Web应用程序，在该Web应用程序中，您将有多个用户同时访问您的应用程序(它们将互相覆盖！).

您需要做的是基于用户输入创建一个新的连接字符串对象.您可以将SqlConnectionStringBuilder类用于此目的.
请参阅 https://msdn.microsoft.com/en-us/library/ms254947(v = vs.110).aspx [

In your scenario, you want to create the connection string at run time, based on the user input. So storing the connection string in the web.config file is not a good solution, espectially for a web application where you are going to have multiple users accessing your application at the same time (they will overwrite each other!).

What you need to do is to create a new connection string object based on the user input. You can use the SqlConnectionStringBuilder class for that purpose.
See https://msdn.microsoft.com/en-us/library/ms254947(v=vs.110).aspx[^]

If you are using Entity Framework, you can pass a connection string to the DbContext constructor:

public DbContext(string nameOrConnectionString)
    Member of System.Data.Entity.DbContext

摘要:
使用给定的字符串作为将要建立连接的数据库的名称或连接字符串，构造一个新的上下文实例.有关如何使用它创建连接的信息，请参见类说明.

参数:
nameOrConnectionString:数据库名称或连接字符串.


重要提示:连接字符串注入攻击的风险！

当使用动态字符串串联来构建基于用户输入的连接字符串时，可能会发生连接字符串注入攻击.如果字符串未经验证且恶意文本或字符未转义，则攻击者可以潜在地访问服务器上的敏感数据或其他资源.

已警告您！

Summary:
Constructs a new context instance using the given string as the name or connection string for the database to which a connection will be made. See the class remarks for how this is used to create a connection.

Parameters:
nameOrConnectionString: Either the database name or a connection string.


IMPORTANT: risk of connection string injection attack!

A connection string injection attack can occur when dynamic string concatenation is used to build connection strings that are based on user input. If the string is not validated and malicious text or characters not escaped, an attacker can potentially access sensitive data or other resources on the server.

You''ve been warned!

存储连接字符串，如

Store your connection string like

<add name="MyConnection" connectionString="Data Source=(local);Initial Catalog=mydb;Integrated Security=False;user id={0};password={1};" providerName="System.Data.SqlClient" />

像
一样访问

Access it like

string con = string.Format(System.Configuration.ConfigurationManager.ConnectionStrings["MyConnection"].ConnectionString, "usernameHere", "passwordHere");

您应将ConnectionString 存储在web.config中.没有人可以从浏览器访问它.

请参考-以编程方式在ASP中添加或更新连接字符串.Net Web.Config文件 [ ^ ]

You should store the ConnectionString in web.config. No one can access that from browser.

Refer - Programmatically Add or Update Connection String in ASP.Net Web.Config File[^]

这篇关于如何在web.config中编辑连接字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！