Don,

Thanks for your response. The issue I have is that the password for our database is stored either in the ODBC registry or within our ASP page as plain text. One option I have is to encrypt the password in the database connection string and have a function with a key in an external file that can unlock it.
The problem remains though - that if the web server is hacked, the hacker can still navigate their way to the file containing the key to unlock the password. Does that make any sense?

Cheers
Neil

On Fri, Nov 20, 2009 at 3:18 PM, Don Cohen <don-mysq...@isis.cs3-inc.com> wrote:

> Tompkins Neil writes:
> > I wondered if anyone else had any thoughts on this issue ?
> > >> Following my previous email. I've now configured my database connection
> > >> using an ODBC DNSLESS SSL connection. However the problem still remains,
> I'm not sure what dnsless means (that you allow only certain ip
> addresses?) or what difference it makes.
> > >> the
> > >> password is stored in the ASP file in plain text. Does anyone have any
> > >> recommendations on how to overcome this issue ?
> Is the issue that you're worried that your web server will serve the
> contents of the asp file? And I gather that you want the file to
> access the DB without the user having to supply a password.
> I'll just guess that asp files are similar to php files.
> One thing you could do is have that file read the password from
> another file that is in some place where the web server does not look.
> > > Secure the access to the ASP-source file.
> > > You *could* encrypt it but then you have to store the key for it somewhere
> > > the ASP can access and ..... Catch 22.