Comment On Disconnection String

"In ASP.NET programming," writes Chad Braun-Duin, "database connection strings are stored in configuration files, and the standard way of getting your connection string from these files looks like this:"

Re: Disconnection String

2012-06-15 10:55 • by Sayer (unregistered)
383210 in reply to 383206
I don't know why anyone bothers to post technical rebuttals that have the chance of being shot down - when it's much easier to appear sophisticated by just bitching about the evils of Hungarian notation.

Re: Disconnection String

2012-06-15 10:57 • by M (unregistered)
383211 in reply to 383196
Jeff:
Jaime:
Jeff:
KattMan:
Another WTF is how ASP.Net defaults break PCI compliance.

Connection strings have usernames and passwords in them in plain text when using them this way. Either encrypt them or do not use the config file to store them, have the config file point to something else that has them and that is encrypted.
But, to decrypt them, you need the key. Where do you get that? From another file? Shouldn't that be encrypted too?
DPAPI. It's secure against everyone except administrators or those with physical access to the box. Almost nothing can help you in those two cases.
Hey Jamie, are you a salesman? (Saleswoman?) Your answer surely makes me think so.

1. Answer a technical question with a buzzword.

2. Assurance that it "is secure" -- an unachievable state, but a nice marketing term.

3. No discussion of how this magic might achieve its lofty promise.


DPAPI isn't magic, but it is a pretty standard way of handling encryption in Windows without worrying too much about key management. Wikipedia has a decent description, just look up "Data Protection API".
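
An added example, not code from the article or from any commenter, of the approach this sub-thread describes: encrypting the `<connectionStrings>` section with the built-in DPAPI-backed provider, so no separate key file exists to protect. It assumes .NET Framework with references to System.Configuration and System.Web; the class and method names are hypothetical.

```csharp
// Added example: class and method names are hypothetical.
// Assumes .NET Framework, references to System.Configuration and System.Web,
// and a web.config that contains a <connectionStrings> section.
using System.Configuration;
using System.Web.Configuration;

public static class ConnectionStringProtector
{
    // Built-in protected-configuration provider that wraps Windows DPAPI.
    private const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in place. Run once on each server after
    // deployment: by default the provider uses machine-level DPAPI protection,
    // so the encrypted section only decrypts on the machine that encrypted it.
    // virtualPath is the application's virtual path, e.g. Request.ApplicationPath.
    public static bool Protect(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");

        if (section.SectionInformation.IsProtected)
            return false; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reading code does not change: the runtime decrypts the section
    // transparently. The entry is looked up by key, never by position.
    public static string Get(string name)
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings[name];
        if (entry == null)
            throw new ConfigurationErrorsException("Missing connection string: " + name);
        return entry.ConnectionString;
    }
}
```

As noted in the quoted exchange, this protects the file at rest against other accounts and copied backups, not against an administrator on the same box.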

Re: Disconnection String

2012-06-15 11:13 • by PedanticCurmudgeon
383218 in reply to 383199
Nagesh:
"Sock puppet"? It's only a sock puppet if a reasonable person could think the name denotes an actual person. Effectively, "Nagesh" is just the accepted spelling variant for "Anonymous" here.
My point was that you posted as Fake Nagesh with correct spelling and grammar, and didn't use any of these words: ain't, massage, scarecrow. You also didn't post any lame pictures purporting to be from Hyderabad. That sets a bad precedent.

Re: Disconnection String

2012-06-15 11:16 • by Mantorok (unregistered)
383219 in reply to 383201
Pedant:
Willing to hazard good money that all the commented out crap was an initial effort to store all their configuration in a database, including the connection strings.

All was going well until, hang on, seem to be getting some deep recursion here...


lol my thoughts exactly, funny how a few commented-out variables can lead to such a conclusion that is probably 99.9% accurate :-)

Re: Disconnection String

2012-06-15 11:35 • by Nagesh (unregistered)
383225 in reply to 383218
PedanticCurmudgeon:
My point was that you posted as Fake Nagesh with correct spelling and grammar, and didn't use any of these words: ain't, massage, scarecrow. You also didn't post any lame pictures purporting to be from Hyderabad.

No, that is <em>my</em> point. By publishing cogent messages (as cogent as I can make them, anyway) under the shared Nagesh moniker, I hope to dilute it enough that the "fun" will wear off and the wiseguys will stop polluting the comment threads. (Anyone reading this is hereby cordially invited to join forces).

Re: Disconnection String

2012-06-15 11:42 • by Nagesh (unregistered)
383226 in reply to 383225
Also, the being use of the wrong kind of marking up abeve ain't being attempt at metahumor. Just the failure of using preview frist adn the comment system ain't being allowing to massage the message post posting.

Re: Disconnection String

2012-06-15 12:44 • by Meep (unregistered)
383245 in reply to 383198
Todd Lewis:
TRWTF is not doing this in Perl. Then nobody would expect it to be right anyway, so no disappointment.

[I actually like Perl. It's like python for people who aren't afraid of punctuation.]


Python is just like Perl for people who aren't afraid of someone reading their code.

Re: Disconnection String

2012-06-15 14:12 • by Nagesh
383261 in reply to 383159
emurphy:
KattMan:
Connection strings have usernames and passwords in them in plain text when using them this way. Either encrypt them or do not use the config file to store them, have the config file point to something else that has them and that is encrypted.


Well, you can encrypt them in the config file, so I assume "this way" refers to this (unused) part:

sColumns = "DataLink, Platform, Login, Password, Server, Database"


Encryption is less of a big deal if you're dealing with an intranet app, or if the login only has read access to data that you want to share with the general public anyway.


Encryption is general painful. Best leave password in plain text on webserver.

Re: Disconnection String

2012-06-15 14:14 • by Nagesh
383263 in reply to 383199
Nagesh:
PedanticCurmudgeon:
Nagesh:
Um, I'm not fluent in VB.NET, but I can't see any "look it up by position" in the code snippet here. What they are doing seems to be to ask if the key at position 0 is 'ConnectionString', and then look it up by key. In all other cases -- including when 'ConnectionString' is the key in some non-zero position -- then they pretend that whatever the key at position 0 is, is the right connection string to use!

That's much more of a WTF than doing something that works but in an unnecessarily roundabout way.
Did someone forget to switch sock-puppet names again?

"Sock puppet"? It's only a sock puppet if a reasonable person could think the name denotes an actual person. Effectively, "Nagesh" is just the accepted spelling variant for "Anonymous" here.


I am telling you not to be anonymous, but post using real name, like I am.

Re: Disconnection String

2012-06-15 14:15 • by PedanticCurmudgeon
383264 in reply to 383225
Nagesh:
PedanticCurmudgeon:
My point was that you posted as Fake Nagesh with correct spelling and grammar, and didn't use any of these words: ain't, massage, scarecrow. You also didn't post any lame pictures purporting to be from Hyderabad.

No, that is <em>my</em> point. By publishing cogent messages (as cogent as I can make them, anyway) under the shared Nagesh moniker, I hope to dilute it enough that the "fun" will wear off and the wiseguys will stop polluting the comment threads. (Anyone reading this is hereby cordially invited to join forces).
We actually tried something similar before with the "no laughing matter" jerk. It didn't work, but he seems to have gotten bored and left a few months later. Good luck. You'll need it.

Re: Disconnection String

2012-06-15 15:35 • by Top Coder (unregistered)
Lots of the old guys were funnier than Nagesh

Re: Disconnection String

2012-06-15 15:49 • by D-Coder
383274 in reply to 383273
Top Coder:
Lots of the old guys were funnier than Nagesh
All of the old guys were funnier than Nagesh. Even the not-funny ones.

Even the dead ones.

Re: Disconnection String

2012-06-16 00:18 • by feugiat (unregistered)
383288 in reply to 383149
DB:
Frist frist.


First idiot is what you are.

Re: Disconnection String

2012-06-16 00:19 • by feugiat (unregistered)
383289 in reply to 383150
bewbs:
second!

.
.
.
.not spam


Second idiot, but first dickhead.

Re: Disconnection String

2012-06-16 00:22 • by feugiat (unregistered)
383291 in reply to 383163
Nagesh:
The major atrocity here is that instead of simply getting the connection string by key ('ConnectionString' in this case), they first look it up by position. This makes no sense. Later, if the lookup-by-position works, then they get it by key.

Um, I'm not fluent in VB.NET, but I can't see any "look it up by position" in the code snippet here. What they are doing seems to be to ask if the key at position 0 is 'ConnectionString', and then look it up by key. In all other cases -- including when 'ConnectionString' is the key in some non-zero position -- then they pretend that whatever the key at position 0 is, is the right connection string to use!

That's much more of a WTF than doing something that works but in an unnecessarily roundabout way.


Very fluent, I see.

The thing with [0] is what the position-lookup refers to.

Re: Disconnection String

2012-06-16 14:38 • by Nagesh (unregistered)
383299 in reply to 383291
feugiat:
Nagesh:
Um, I'm not fluent in VB.NET, but I can't see any "look it up by position" in the code snippet here. ...


Very fluent, I see.

The thing with [0] is what the position-lookup refers to.

Oh, that makes sense. I somehow got into my head that a "lookup by position" would involve a loop over all possible positions checking if the key was right at one of them. Apparently I underestimated the WTFery even as I was explaining it. Sigh.

Re: Disconnection String

2012-06-16 14:40 • by wbrianwhite
383300 in reply to 383153
M:
Chronomium:
The worst part is probably all the variables defined at the start of the code, especially those commented out. Only two of them are actually used, while the rest imply that some sort of heavy-duty database punching was attempted at some point.


Maybe they tried putting all the connection strings in a database table?

Not removing the obviously useless code is definitely a WTF. Also, who the heck is still using Hungarian notation? sHere, sThere, sEverywhere.


You can put every database connection string except one in the database. Nothing wrong with that. Allows an easy UI to update the conn string that applies across your whole server farm

Re: Disconnection String

2012-06-17 12:09 • by qbolec (unregistered)
Out of curiosity I tried to join this forum using login "Nagesh" written with Cyrillic "a", but all I've got was this cryptic error message:
"Sign in name must start with a-z/A-Z character and cannot contain > or <."

I believe this message has some curious implications for the security model employed by this forum, in particular in terms of escaping HTML entities...

Re: Disconnection String

2012-06-17 18:25 • by Nagesh'); DROP TABLE 'Articles';-- (unregistered)
383316 in reply to 383311
qbolec:
Out of curiosity I tried to join this forum using login "Nagesh" written with Cyrillic "a", but all I've got was this cryptic error message:
"Sign in name must start with a-z/A-Z character and cannot contain > or <."

I believe this message has some curious implications for the security model employed by this forum, in particular in terms of escaping HTML entities...

Hey, at least they're validating input. That's something.

Re: Disconnection String

2012-06-17 22:58 • by ThatGuy (unregistered)
383318 in reply to 383155
It's not up to the language to enforce PCI compliance. Saying it's ASP.NET's fault is like blaming a hammer for not building a house properly.

And BTW, you can always use integrated windows authentication to connect to your DB in ASP.NET... and voila, no password.

Re: Disconnection String

2012-06-18 12:40 • by Nagesh (unregistered)
383361 in reply to 383165
PedanticCurmudgeon:
Did someone forget to switch sock-puppet names again?

I'm not him, but it seems like a good strategy to me: if we all post as "Nagesh", "Nagesh" won't stand out that much anymore)

Re: Disconnection String

2012-06-18 12:45 • by Captcha:bene (unregistered)
383363 in reply to 383194
Hmmmm:
Hewes:
Wow...

Just wow, seriously, you said this?

You must be new here.

-100 internets for falling for obvious troll...

-25 internets for misusing the word "troll".

Re: Disconnection String

2012-06-19 07:37 • by Annon Too (unregistered)
383437 in reply to 383189
Yes, I picked up on that as well.

The DAL which only gets a connection string, presumably for some other code abortion to use somewhere else, is not a Data Access Layer.

Re: Disconnection String

2012-06-21 07:16 • by dick (unregistered)
383578 in reply to 383149
DB:
Frist frist.

I once knew a guy who would never stop running the same joke over and over again. He was a real loser.

Re: Disconnection String

2012-07-02 14:43 • by Jasmine (unregistered)
Does this company name start with TMA? Cuz I think you're finding out why I quit that job :)