A Secure Way of Building Connection Strings
By: Jayaram Krishnaswamy
    2006-11-14

    Table of Contents:
  • A Secure Way of Building Connection Strings
  • Reviewing member properties of the class
  • Reviewing properties using an example
  • Building a ConnectionString using the class
  • Entering valid connection information

    (Page 1 of 5 )

    Data sources hold some of the most important enterprise information, and securing this information is a top priority for any enterprise. Data sources are accessed through the connection string, a collection of name/value pairs (UserID, Password, Data Source name, and so on) that specify the run-time parameters for connecting to a database. This article covers the use of SqlConnectionStringBuilder for MS SQL Server in securing this information.

    Introduction

    The connection string is built by concatenating the individual name/value pairs (the attributes), which are stored in a secure location. Sometimes parts of the connection string come from information entered by the user in some kind of dialog box. In the earlier ADO.NET 1.1 version you could only concatenate the individual name/value pairs, which can sometimes result in a run-time error because the connection string is not parsed at compilation.

    The other serious objection was the process of building the connection string itself. Pure concatenation left the string open to spurious insertions: injection, the connection-string counterpart of SQL injection. This is where the string builder class comes in handy. Simply stated, this class takes user input and comes up with a tamper-proof connection string. The connection string builder greatly reduces injection, thereby providing increased security. However, for each of the data providers you will need a different builder, because the connection information is different. The present tutorial looks at the SqlConnectionStringBuilder for MS SQL Server.
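The difference between the two approaches, as an added example that is not the article's own code: a user-supplied password containing a semicolon is placed into a connection string first by concatenation and then through SqlConnectionStringBuilder, and both results are re-parsed to show which database each would target. The server `(local)`, database `Sales`, user `appuser` and the input value are constructed for illustration.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringDemo
{
    // Constructed sample input: a "password" field carrying an extra name/value pair.
    const string UserSuppliedPassword = "secret;Initial Catalog=master";

    // Weak: plain concatenation lets the input add or override keywords.
    static string BuildByConcatenation(string user, string password)
    {
        return "Data Source=(local);Initial Catalog=Sales;User ID=" + user +
               ";Password=" + password;
    }

    // Hardened: each value is assigned to a typed property; the builder quotes
    // values containing ';' or '=' so they stay inside the intended keyword.
    static string BuildWithBuilder(string user, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "(local)",
            InitialCatalog = "Sales",
            UserID = user,
            Password = password
        };
        return builder.ConnectionString;
    }

    static void Main()
    {
        string weak = BuildByConcatenation("appuser", UserSuppliedPassword);
        string safe = BuildWithBuilder("appuser", UserSuppliedPassword);

        // Re-parse both strings to see what each one actually means to the provider.
        var weakParsed = new SqlConnectionStringBuilder(weak);
        var safeParsed = new SqlConnectionStringBuilder(safe);

        Console.WriteLine("concatenated : " + weak);
        Console.WriteLine("  catalog    : " + weakParsed.InitialCatalog);
        Console.WriteLine("builder      : " + safe);
        Console.WriteLine("  catalog    : " + safeParsed.InitialCatalog);
        Console.WriteLine("  password kept intact: " +
                          (safeParsed.Password == UserSuppliedPassword));
    }
}
```

The builder keeps user input inside a single keyword; it does not decide whether a user should be choosing the server or database at all, so those values still need their own validation.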

    Connection Strings

    Connection string formulation depends on the database product. The MS SQL Server 2005 connection string may use a different set of name/value pairs than, say, Oracle Server 10g. While constructing and managing the string is one of the concerns, securing and protecting it is another. Connection string key/value pairs are the same as those used in the earlier version with a couple of additional key/value pairs added in ADO.NET 2.0. They are not case sensitive.

    The reader is advised to look up on MSDN the 20 or so key/value pairs used in SQL Server 2005. You will come across these later in this tutorial while reviewing the Object Browser. Typical information contained in the connection string includes the Server (or the Data Source), UserID, Password, and the Database. It may also include other related information such as the connection timeout, whether asynchronous processing is allowed, and so forth.

    Overview of the tutorial

    The tutorial consists of two parts. In part 1, the SqlConnectionStringBuilder class is introduced and its members are reviewed with an example, using a typical connection to SQL Server 2005. In part 2, another example creates a connection string from information the user enters in a form. The connection to SQL Server is opened and closed to verify that the connection string is correct. To test this, a user will be created in SQL Server with dbo permissions to a database on the server.
