Hi everyone!

I'm developing a fair-sized web application and it's my first go at MVC - both designing and writing it. I'm using VS.Net 2005 and have made a decision not to use the new ASP.net MVC framework (if I'm right that's just for 2008 anyhow). Anyway, I have this setup:
  1. ASP.Net website, webpages & codebehind only for page control (event) interaction and handing everything else off to controller middle tier.
  2. Controller .Net DLL for business logic, calculations from input values passed from above, and handing any database interactivity requirements over to model, 3rd tier.
  3. Model is a second .Net DLL with classes to connect to, and interact with a database, passing values back through the above layout to the client.
  4. An additional, secondary part of the model is the database itself, with stored procedures.
Now then, this gets interesting when I think about the connection string.
  • Previously, I've always placed this in a web.config file, but passing it down the layers seems an additional burden and possibly open to man-in-the-middle attacks.
  • I completely want to avoid hardcoding the string anywhere for obvious reasons (if the database changes).
  • My train of thought is to place an xml config file at the same directory location as the model DLL(s), and though I can secure access to the folder using Windows security.
I'm wondering whether I'm taking the best approach and want to throw this one open in order to welcome any comments on the security, any used practices in your organisations which might be better to take or any other tips or thoughts from you all please.

Many thanks!!
Alex