Brian Sherwin's Blog

Moving at the Speed of .Net

More on Viral Coding

OK. So when does what we write stop being just a simple example and become a coding template?

I was reading through Fritz Onion's most excellent exposé of ASP.NET (Essential ASP.NET). In the VB.NET version of the book (and I am sure somewhere in the C# version), when discussing configuration files, the example on page 76 has a DSN with User=SA and Password = nothing. Now, avoiding this has been preached for the longest time (well before he wrote the book, at least). Do I think that Mr. Onion is implicitly recommending that you use SA with no password? No. Are there some who would see this code and follow the example? Why, yes, I do think so; I've seen it. Further, I have seen a fair number of applications where the username and password are in plain text in the web.config file.

How come there aren't any books out there that address encrypting sensitive information in configuration files? Is it the complexity? Is it the "secret code I don't want to share"? I tried doing it for a client, but they didn't understand what the whole process was doing, so they had me take it out. Go figure. No wonder we can't write secure applications. But that is a rant for another day.

posted on Wednesday, November 17, 2004 5:57 AM

Feedback


# re: More on Viral Coding

Excellent idea! This would be an excellent topic for an article. I'm using the SymmCrypto provider, and a specialized method to decrypt during runtime and store it in memory. The password never touches the disk, and during coding I just used the property of my Data class when making MSDAAB calls. For example:

' Data Access Application Block call; the connection string comes from the in-memory property, not from web.config
SqlHelper.ExecuteDataset(Data.connectionString, CommandType.Text, strSQL)

In the spirit of full disclosure my first production app placed it in web.config as well... until the SA freaked on me - then I put it in a remote assembly. During deployment the production server only saw the dll (not the source).

Anyway, I don't think this is a complex subject - but one that deserves a full article. I look forward to reading that article should you undertake it. If not, let me know... and I might just write that one myself.
11/19/2004 9:27 PM | Steve Hartzog
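The decrypt-at-runtime approach Steve describes, written out as an added C# example (this is not code from the post or from the commenter): the connection string lives on disk only as a DPAPI-protected blob and is decrypted once into memory when first used. The class name Data, the ConnectionString property, the blob path and the entropy string are assumptions; the code needs a reference to System.Security.dll (.NET 2.0 or later, Windows).

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class Data
{
    // Optional entropy ties the blob to this application. It is not a secret;
    // the key material is managed by DPAPI for the protecting account.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-v1");

    // Assumed location of the protected blob (constructed for this example).
    private const string BlobPath = "connstr.bin";

    private static readonly object Sync = new object();
    private static string _connectionString; // decrypted once, held only in memory

    public static string ConnectionString
    {
        get
        {
            lock (Sync)
            {
                if (_connectionString == null)
                    _connectionString = Load(BlobPath);
                return _connectionString;
            }
        }
    }

    // One-time deployment step, run under the same Windows account that the
    // application pool uses (CurrentUser scope), not by the web app itself.
    public static void Protect(string plaintext, string blobPath)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(plaintext), Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(blobPath, cipher);
    }

    private static string Load(string blobPath)
    {
        byte[] cipher = File.ReadAllBytes(blobPath);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); } // drop the plaintext bytes
    }
}
```

Use DataProtectionScope.LocalMachine instead if the blob must be readable by any account on the server; in ASP.NET 2.0 and later, aspnet_regiis.exe -pef can protect a whole configuration section (such as connectionStrings) so that ConfigurationManager decrypts it transparently.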

# re: More on Viral Coding

I don't think the SA should be freaking out; he handed out the password in the first place. In the true spirit of coding, we should be using a least privilege account as well, so nobody should freak out, right?
11/20/2004 9:05 PM | Brian Sherwin