
I am developing an ASP.NET MVC 5 web application with Entity Framework 6 using a MySQL database. My connection string in web.config looks like this:

```xml
<connectionStrings>
  <add name="IdentityDB" connectionString="Data Source=localhost; User Id=user;Password=Password;database=myDatabase;" providerName="MySql.Data.MySqlClient"/>
</connectionStrings>
```

So, my question is: are there any security issues with the connection string being in web.config? Because when I publish the application, the web.config file will be in www.

Is that a problem? How can I hide the connection string or the password?

Thanks, Beardy Bear

I have not developed using ASP.NET + Entity Framework, so my question is: is the `web.config` file accessible to the outside world? In other words, if I directly try something like `yourhost.domain/web.config`, will the file be given to me? If so, then you *do* have a security issue in your hands. Have you checked the documentation to see how you *should* be doing this? – code_dredd Sep 21 '16 at 07:52

The visibility of web.config file depends on directory & file permissions of the server (allow or deny). If you really want to obscure/encrypt DB connection string, see similar problem: http://stackoverflow.com/questions/1706613/encrypting-connection-string-in-web-config. In MVC sense, if you're trying to enter e.g. `http://domain/web.config` by default MVC will treat it as a controller request instead of file request, thus the action will show 404 page. – Tetsuya Yamamoto Sep 21 '16 at 08:12
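The comment above points at encrypting the connection string rather than relying only on the server keeping web.config private. The following is an added example, not code from the original question or its answers, showing the Protected Configuration approach that ASP.NET ships with: the `<connectionStrings>` section is encrypted in place with the DPAPI provider, and `ConfigurationManager` decrypts it transparently when the application reads it. The virtual path `"/"`, the `MvcApplication` class name and the helper method names are assumptions; the connection string name `IdentityDB` is the one from the question.

```csharp
// Global.asax.cs (added example; class and helper names are assumptions)
using System;
using System.Configuration;
using System.Web;
using System.Web.Configuration;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // Encrypt <connectionStrings> on first start so the password is not
        // stored in clear text on disk. "/" assumes the app is the site root
        // (assumption); pass the app's virtual path if it runs under one.
        ProtectConnectionStrings("/");
    }

    // Idempotent: if the section is already protected this is a no-op, so a
    // restart does not re-encrypt (and re-save) the file.
    public static void ProtectConnectionStrings(string appVirtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            // DataProtectionConfigurationProvider uses Windows DPAPI with the
            // machine key, so the ciphertext in web.config can only be decrypted
            // on the server that produced it. Copying the file elsewhere yields
            // nothing usable.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Reading code is unchanged: the framework decrypts the section on access,
    // so Entity Framework and any other consumer keep working as before.
    public static string IdentityConnectionString()
    {
        return ConfigurationManager.ConnectionStrings["IdentityDB"].ConnectionString;
    }
}
```

Two practical notes: `config.Save` needs the application pool identity to have write access to web.config, and writing the file triggers an application restart, so many teams instead run the equivalent one-off command at deployment time, `aspnet_regiis -pe "connectionStrings" -app "/MyApp"` (with `-pd` to decrypt again), which leaves web.config read-only for the running site. Either way the secret is still recoverable by anyone who can execute code as that app pool identity on the server, so encryption limits the damage of a leaked file, not of a compromised host. IIS request filtering also hides web.config from HTTP requests by default, which you can confirm by requesting it directly and expecting a 404.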

1 Answer


It's not a security vulnerability until or unless your server can be accessed by unauthorized persons, because web.config is only available on the server, and if the server is accessed then they can get that connection string, or you have given public access to your web.config.

There are two cases. Either your database is hosted on the same server, which is the usual case; if so, then if the server can be accessed, the database is straight in front of the user.

In the other case, if the database is not on the same server, then they can benefit from the connection string and they can connect to it.

Keeping the connection string in web.config has the benefit of changing it in seconds without deploying the whole project again; sometimes we need to change it.
