我怎样才能安全地存储和访问的连接字符串的详细信息? [英] How can I safely store and access connection string details?
问题描述
我目前工作的一个ASP.NET MVC的网站,我已经长到了一个地步,我需要一个数据库集成到网站。
I'm currently working on a ASP.NET MVC web site, and I've come up to a point where I need to integrate a database into the website.
通常我只会适当的连接字符串添加到的Web.config
文件:
Normally I would simply add the appropriate connection string to the Web.config
file:
<add name="MainDB"
connectionString="Server=localhost; Database=TopSecretData; User Id=Joe;
password=password" providerName="System.Data.SqlClient" />
不过,显然有一个明显的安全漏洞,如果我离开我的用户名和密码就在的Web.config
,特别是当它的源代码控制之下。
But there's obviously a glaring security flaw if I leave my User Id and password right in the Web.config
, especially when it's under source control.
总之:我如何保存我的连接字符串的详细信息,而无需其公开可见
推荐答案
最佳做法是加密连接字符串部分。使用ASPNET_REGIIS.EXE,它可以在不同的地方找到:
Best practice is to encrypt your connection strings section. Use aspnet_regiis.exe, which can be found in various places:
- 开始 - 的Visual Studio - Visual Studio工具 - Visual Studio命令提示符
- C:\\ WINDOWS \\ Microsoft.NET \\框架\\ v4.0.30319(确保您以管理员身份运行)
在
<configuration>
<connectionStrings>
<add name="MainConnectionString"
connectionString="data source=Ratbert;database=Sales;username=ASPNET;password=$Double_Rainbow2011"
providerName="System.Data.SqlClient"/>
</connectionStrings>
</configuration>
运行此命令:
aspnet_regiis –pef connectionStrings c:\PathToWebSite
或者,如果上面的命令不起作用(你得到aspnet_regiis的帮助文本),尝试
Or, if the above command doesn't work (and you get the aspnet_regiis help text), try
aspnet_regiis -pe connectionStrings -app "/" -site 6
这里的6作为报道的IIS网站的ID。
where the "6" is the ID of the site as reported in IIS.
在
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
<EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName>Rsa Key</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>Bf677iFrUFW ... +4n4ZZKXCTUAu2Y=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>UDEZ ...QfXUmM5rQ==</CipherValue>
</CipherData>
</EncryptedData>
</connectionStrings>
现在,它是乱码,你不能编辑它。
解密是这样的:
Now that it is garbled, you can't edit it. Decrypt like this:
aspnet_regiis –pdf connectionStrings c:\PathToWebSite
或者
aspnet_regiis -pd connectionStrings -app "/" -site 6
然后更改和重新加密。
And then change and re-encrypt.
要读取连接字符串,请使用ConfigurationManager中静态类。
To read the connection string, use the ConfigurationManager static class.
string connStr =
ConfigurationManager
.Connectionstrings["MainConnectionString"]
.ConnectionString.ToString();
var myConnection = new SqlConnection(connStr);
myConnection.Open();
这篇关于我怎样才能安全地存储和访问的连接字符串的详细信息?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!