2

I am developing an ASP.NET MVC 5 web application with Entity Framework 6 using a MySQL database. My connection string in web.config looks like this:

<connectionStrings>
    <add name="IdentityDB" connectionString="Data Source=localhost; User Id=user;Password=Password;database=myDatabase;" providerName="MySql.Data.MySqlClient"/>
</connectionStrings>

So, my question is: Are there some security issues about the connection string being in web.config? Because when I publish the application, the web.config file will be in www.

Is that a problem? How can I hide the connection string or the password?

Thanks, Beardy Bear

2
  • 1
    I have not developed using ASP.NET + Entity Framework, so my question is: is the web.config file accessible to the outside world? In other words, if I directly try something like yourhost.domain/web.config, will the file be given to me? If so, then you do have a security issue on your hands. Have you checked the documentation to see how you should be doing this? Commented Sep 21, 2016 at 7:52
  • 3
    The visibility of web.config file depends on directory & file permissions of the server (allow or deny). If you really want to obscure/encrypt DB connection string, see similar problem: stackoverflow.com/questions/1706613/…. In MVC sense, if you're trying to enter e.g. http://domain/web.config by default MVC will treat it as a controller request instead of file request, thus the action will show 404 page. Commented Sep 21, 2016 at 8:12

1 Answer

2

It's not a security vulnerability unless your server can be accessed by unauthorized persons, because web.config is only available on the server, and if the server is accessed then they can get that connection string, or you have given public access to your web.config.

There are two cases. Either your database is hosted on the same server, which is the usual case; if so, then if the server can be accessed, the database is straight in front of the user.

In the other case, if the database is not on the same server, then they can benefit from the connection string and can connect to it.

Keeping the connection string in web.config has the benefit of changing it in seconds without deploying the whole project again; sometimes we need to change it.
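
A deployment check for the concern raised in the question, added here as an example (not code from the question or the answer): it parses a web.config and reports connection strings that store a password in clear text, and recognises a section that has already been encrypted in place, which ASP.NET protected configuration marks with the `configProtectionProvider` attribute. The function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Connection-string keys that carry a secret (common ADO.NET spellings).
PASSWORD_KEYS = {"password", "pwd"}

# Constructed samples: the question's section, and the shape of an encrypted section.
PLAINTEXT = """<configuration><connectionStrings>
  <add name="IdentityDB" connectionString="Data Source=localhost; User Id=user;Password=Password;database=myDatabase;" providerName="MySql.Data.MySqlClient"/>
</connectionStrings></configuration>"""
ENCRYPTED = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings></configuration>"""

def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return fields

def audit_web_config(xml_text):
    """Return a list of findings for the <connectionStrings> section."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "connectionStrings" else root.find(".//connectionStrings")
    if section is None:
        return ["no connectionStrings section"]
    provider = section.get("configProtectionProvider")
    if provider:  # set when the section has been encrypted in place
        return ["section encrypted with " + provider]
    findings = []
    if section.get("configSource"):  # entries live in another file; audit that one too
        findings.append("section stored in external file " + section.get("configSource"))
    for add in section.findall("add"):
        fields = parse_connection_string(add.get("connectionString", ""))
        if PASSWORD_KEYS.intersection(fields):
            user = fields.get("user id", fields.get("uid", "?"))
            # Report the entry and account name only, never the secret itself.
            findings.append("plaintext password in '%s' (user=%s)" % (add.get("name"), user))
    return findings

if __name__ == "__main__":
    for label, doc in (("plaintext", PLAINTEXT), ("encrypted", ENCRYPTED)):
        print(label, "->", audit_web_config(doc))
```
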
