-
Nov 8th, 2018, 03:21 AM
#1
Thread Starter
Junior Member
Webservice and database security
Hello,
Is it necessary to use a web service for the security of the DB?
I put my connection string (which has the username and password of the DB) in web.config.
Is it a security weakness?
Must I put the connection string in a web service?
If I put my connection string in a web service, will database security be provided?
Thanks very much
-
Nov 8th, 2018, 06:12 AM
#2
Re: Webservice and database security
I've moved your thread into the General Development forum. I don't think we have a perfect fit for this particular question but this seemed about the best.
As for whether you need a web service, strictly speaking you don't but it's probably a good idea if your database contains sensitive data or is likely to attract hackers for some reason or is something you couldn't recover from if you were hacked. Basically, all security is about layers. The more layers the better but each layer costs time, effort and/or money.
Having your username and password in the config file means they shouldn't normally get served up to a user's browser. But a determined hacker might find their way into the web server and find a way of accessing the config file to get the connection data. If you were using a web service then a hacker would have to break into the web server to get the details of the web service and then break into that to get the connection details of the DB - it's an extra wall for them to climb over.
Nothing you do will ever make your database "safe", you can just make it "safer".
The best argument against democracy is a five minute conversation with the average voter - Winston Churchill
Hadoop actually sounds more like the way they greet each other in Yorkshire - Inferrd
-
Nov 8th, 2018, 10:52 AM
#3
Re: Webservice and database security
I always felt that if they could get to the WEB.CONFIG file they have already breached the physical server and you basically lost that battle already. That means they can look for passwords in CONFIG files or try to exploit other credentials to get to the DB.
When my users log in initially I pass them a GUID that the server created. Each AJAX POST to a web service from that point forward passes along that GUID for identification. If the server cannot find that GUID in the allowed list of users - they are denied. I can use this to time-out users after a certain time of inactivity. I also register "alerts" based on these GUIDs so that data being displayed on other users' web pages can be refreshed based on updates by other users...
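The token check described in post #3, sketched as an added example (not code from any poster in this thread): the server issues a token at login, every web-service call presents it, and unknown or idle tokens are denied. `SessionStore` and its members are hypothetical names, and the token is a 256-bit CSPRNG value used in place of the GUID the post mentions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
// Added example; SessionStore and its members are hypothetical names.
public sealed class SessionStore
{
    private sealed class Entry { public string User; public DateTime LastSeenUtc; }
    private readonly ConcurrentDictionary<string, Entry> _sessions = new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _idleTimeout;
    public SessionStore(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }
    // Call once, after the login credentials have been verified.
    public string Issue(string user, DateTime nowUtc)
    {
        // Swapped in for the GUID in the post: 256 bits from the OS CSPRNG.
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _sessions[token] = new Entry { User = user, LastSeenUtc = nowUtc };
        return token;
    }

    // Call at the top of every web-service method; false means deny the request.
    public bool TryAuthorize(string token, DateTime nowUtc, out string user)
    {
        user = null;
        Entry entry, removed;
        if (string.IsNullOrEmpty(token) || !_sessions.TryGetValue(token, out entry))
            return false; // token is not in the allowed list
        lock (entry)
        {
            bool live = nowUtc - entry.LastSeenUtc <= _idleTimeout;
            if (live) { entry.LastSeenUtc = nowUtc; user = entry.User; } // sliding inactivity window
            else _sessions.TryRemove(token, out removed);               // expired: forget the token
            return live;
        }
    }
}
public static class Demo
{
    public static void Main()
    {
        var store = new SessionStore(TimeSpan.FromMinutes(20));
        var t0 = new DateTime(2018, 11, 8, 10, 0, 0, DateTimeKind.Utc); // constructed clock
        string user, token = store.Issue("alice", t0);
        Console.WriteLine(store.TryAuthorize(token, t0.AddMinutes(5), out user));   // recently active
        Console.WriteLine(store.TryAuthorize("bogus", t0.AddMinutes(6), out user)); // never issued
        Console.WriteLine(store.TryAuthorize(token, t0.AddMinutes(40), out user));  // 35 min idle
    }
}
```

The clock is passed in as a parameter so the timeout behaviour can be exercised with fixed times; a real service would pass `DateTime.UtcNow` and send the token only over HTTPS.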
-
Nov 9th, 2018, 11:41 AM
#4
Junior Member
Re: Webservice and database security
Azure Key has something called User Secrets. I don't know if this pertains to you but you essentially create a hidden web info config file within your local machine that has your database and user password stored.
In your actual application tell the location of the web config to look for it.
https://docs.microsoft.com/en-us/asp...1&tabs=windows
-
Nov 12th, 2018, 04:21 AM
#5
Re: Webservice and database security
As for whether you need a web service, strictly speaking you don't but it's probably a good idea if your database contains sensitive data or is likely to attract hackers for some reason or is something you couldn't recover from if you were hacked. Basically, all security is about layers. The more layers the better but each layer costs time, effort and/or money.
While it's true you don't need to have it, I would strongly advise it.
If you don't have a web service between your web application and your database then firstly you have to open ports for traffic directly to your database through your firewall (assuming you have a DMZ, and if you don't then that's a whole other security risk you have), and secondly you have to send SQL statements directly from your web pages, which means they are a target for SQL injection attacks.
Neither of these things is advisable!!!
Please Mark your Thread "Resolved",  if the query is solved & Rate those who have helped you
-
Nov 13th, 2018, 03:42 AM
#6
Re: Webservice and database security
You can of course encrypt your web.config file contents so even if they locate the file they can't read the passwords.
Of course if they can get full access to your server then they can decrypt but if that happens then there is no point talking about web services and such as your primary concern would be to secure the server - servers.
ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·