如何避免将数据库密码以明文形式存储在源代码中? [英] How do I avoid having the database password stored in plaintext in sourcecode?
问题描述
在我正在开发的网络应用程序中,我目前在连接数据库时使用了一个简单的解决方案:
In the web-application I'm developing I currently use a naive solution when connecting to the database:
Connection c = DriverManager.getConnection("url", "username", "password");
这很不安全.如果攻击者获得了对源代码的访问权,他也获得了对数据库本身的访问权.我的 Web 应用程序如何连接到数据库而不在源代码中以明文形式存储数据库密码?
This is pretty unsafe. If an attacker gains access to the sourcecode he also gains access to the database itself. How can my web-application connect to the database without storing the database-password in plaintext in the sourcecode?
推荐答案
您可以将连接字符串存储在 Web.config 或 App.config 文件中,并加密保存它的部分.这是我在之前的一个项目中用来加密连接字符串的一篇非常好的文章:
You can store the connection string in Web.config or App.config file and encrypt the section that holds it. Here's a very good article I used in a previous project to encrypt the connection string:
http://www.ondotnet.com/pub/a/dotnet/2005/02/15/encryptingconnstring.html
这篇关于如何避免将数据库密码以明文形式存储在源代码中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!