如何避免将数据库密码存储在源代码中的纯文本中? [英] How do I avoid having the database password stored in plaintext in sourcecode?
问题描述
在web应用程序中,我正在开发我当前连接到数据库时使用一个朴素的解决方案:
连接c = DriverManager.getConnection(url,username,password);
这很不安全。如果攻击者获得对源代码的访问权限,他也可以访问数据库本身。
您可以存储数据库密码,而不是将数据库密码存储在源代码中。在Web.config或App.config文件中的连接字符串,并加密保存它的部分。这是一个很好的文章,我在以前的项目中使用加密连接字符串:
http://www.ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html p>
In the web-application I'm developing I currently use a naive solution when connecting to the database:
Connection c = DriverManager.getConnection("url", "username", "password");
This is pretty unsafe. If an attacker gains access to the sourcecode he also gains access to the database itself. How can my web-application connect to the database without storing the database-password in plaintext in the sourcecode?
You can store the connection string in Web.config or App.config file and encrypt the section that holds it. Here's a very good article I used in a previous project to encrypt the connection string:
http://www.ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html
这篇关于如何避免将数据库密码存储在源代码中的纯文本中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!