For the properties:
Persist Security Info=true
and
Persist Security Info=false
Can you tell me what is the difference between them, and if I don't put it in my connection what will happen?
connect.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;
Data Source=C:/Users/Nourah/Downloads
/Phase3/Salary.accdb;
Persist Security Info=False;";
Even if you set Persist Security Info=true OR Persist Security Info=false
it won't show a difference up front. The difference is happening in the background.
When Persist Security Info=False, security-sensitive
information, such as the password, is not returned as part of the
connection if the connection is open or has ever been in an open
state.
If you set Persist Security Info=True, Windows will remember the password specified in the connection string.
That's the difference.
MSDN Explanation
Setting Persist Security Info true or false will come into effect only if you mention username and password in the connection string. If you mention username and password in the connection string and set Persist Security Info as false then the credentials cannot be extracted, but if you set Persist Security Info as true while giving credentials in the connection string, windows will remember the credentials, and it can be extracted programmatically.
I found this answer here from Dan Guzman, SQL Server MVP:
I suggest you specify FALSE or omit the keyword entirely since it is
the default, even during development. The only time you need to
specify TRUE is if the application uses SQL authentication and
subsequently retrieves the password from the connection object, which
in my experience is rarely done or needed. Performance is not a
concern.
Related
I have been trying to understand what using trusted_connection=true in a SQL Server connection string (from within C#) means. I understand that it uses the current Windows user credentials to connect to the database. But does it mean the database server and the current user can be in different domains, same domain or in different but trusted domains ?
trusted_connection=true means Integrated Security=SSPI;
If this is not present in connection string then you need to specify userid and password in connection string as:
server=yourservername;database=yourdatabase;user id=YourUserID;password=password
If any of two (Trusted_Connection=true or Integrated Security=true/SSPI) is present , then the Windows credentials of the current user are used to authenticate against SQL Server and any useriD=userid and password=password text will be ignored.
Whichever number of users may present and fromwhichever user you may have logged in, it will ignore the stuff if:
Trusted_Connection=true
You use Microsoft Visual Studio 2010 and Microsoft .NET Framework 4 to create an application.The application connects to a Microsoft SQL Server 2008 database.
The application uses a Microsoft ADO.NET SQL Server managed provider.When a connection fails, the application logs connection information, including the full connection string.The information is stored as plain text in a .config file.
You need to ensure that the database credentials are secure.
Which connection string should you add to the .config file?
A.Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=false;
B.Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=true;
C.Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=false;
D.Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=true;
According to the guide, the answer is 'A'. But in my opinion, the Answer is 'C'. If we are using Integrated Security = SSPI, we don't need to supply UserID and Password. So, Persist Security Info=false has no effect.
As far as I know, Persist Security Info only takes effect if the connection string has User Credentials.
Could you please advise me which one is correct? Thanks.
You are right. Persist Security Info=false has effect only if user name and password provided in connection string. But question is "What should you store in .config file" and considering that "information is stored as plain text" you should not store UID and PWD in config file.
If you store C, PWD and UID can be extracted from .config file. But if you store A, there is no credentials to extract.
I'm not sure, why A has "Persist Security Info=false", but looks like it is a good practice.
See MSDN examples:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlconnection.connectionstring(v=vs.71).aspx
http://msdn.microsoft.com/en-us/library/ff647552.aspx
I moved a webapp from my personal machine to my work machine, along with the database I've been using to test. When clicking the submit button that inserts the data, I get the error, can't find server/instance. I'm thinking that being on a domain here is part of the problem. Here is my connection string, and I've tried several forms of it already.
Data Source=\\bkirkland_lpt.domain.com\brandon;Initial Catalog=STATUS;integrated security=SSPI;persist security info=False;Trusted_Connection=Yes;");
I see a couple problems here.
First, it looks like you are using the wrong data source. The data source should be in the format [ServerName]\[InstanceName]. Based on your code, I would suggest
Data Source=bkirkland_lpt.domain.com\brandon;Initial Catalog=STATUS;integrated security=SSPI;persist security info=False;Trusted_Connection=Yes;
Additionally, I notice you are using Integrated Security. This means that the user you are running under must be granted permissions on the database. My guess is that your domain user does not have access to the database that you moved.
\bkirkland_lpt.servicesource.com\brandon is a shared folder path, not a host name. Try bkirkland_lpt.servicesource.com
Try to enclose the server name in []. Try to replace the servername with localhost and see if it makes any difference (if it is all on your local machine). I also would use proper casing and True vs Yes as parameter value.
Data Source=[bkirkland_lpt.domain.com]\brandon;Initial Catalog=STATUS;Integrated Security=SSPI;Persist Security Info=False;Trusted_Connection=True;
Data Source=localhost\brandon;Initial Catalog=STATUS;Integrated Security=SSPI;Persist Security Info=False;Trusted_Connection=True;
I define the password in connstring and open the connection using them I just debug the code and break this thing.
cmd.Connection.ConnectionString
they give me every information about the things I defined in connectionstring but not my password.
It is a security issue I know that but anyone tell me how I can run a command using the same connectionstring if I want to use them same thing.
I have the connectionstring in global variable but tell me if it's possible to execute a command by getting the connectionstring from the connection I open.
Add Persist Security Info=True to your connectionstring.
By default, the password is removed from the connectionstring once the connection has been opened. This is for security purposes, so as to keep the password around in memory only as long as needed.
Here is some information in the docs about this.
I changed my project connection string through Code, as a result, Connection strings in all Config files changed. but problem is here that in datasets, some tables have different connection strings:
app.config connection string: "Datasource=USERPC; initial Catalog=MYDataBase; integrated security=False; User ID=sa; Password=user"
tablAdapter Connection string: "Datasource=USERPC; initial Catalog=MYDataBase; integrated security=False; User ID=sa"
what is my problem and How can i do solve it?
Go to Project Properties -> Settings Tab set there Connection String Value to application level instead of app.config. If you are using typed dataset the connectionstring defined by them itself so better do not alter them. For using conenctionstring in you code. Go directed as above. Then create a property or function that will access the value using Settings CLass.
In vb we use My.Settings.Default.ConnStringName
Are you sure, that your connection strings won't work. Cause all what is missing is the password and if i remember correctly if you fill in a password and read the connection string afterwards back you won't see the password anymore. But that's not a bug, it's a security feature.
To override this behavior you should take a look into the Remarks section of the SqlConnection