Which user credentials should be used in connection string?

  • Question

  • User-1184601206 posted

    Hi there,

    I have a web application project that includes the original ASPNETDB SQL Server database account tables, views and stored procedures plus three more tables that I created. I don't provide the login/register option yet, perhaps I will later on. But I have web pages that display read-only data from the three tables that I created. My question is the following:

    In my connection string I included the user name and password that was given to me by my web hoster. Is this correct? This seems like overkill to me since all I want is that people can view the read-only data from the three tables. Should I create a new SQL Server user with minimal privileges and include that user name in my connection string? Or do I need to do something else?

    Any help is highly appreciated and many thanks in advance.

    Have a great day...

    Regards

    Michael


    Wednesday, August 8, 2012 9:19 PM

Answers

  • User1779161005 posted

    Ideally, yes -- only give your app the privileges needed. But if it's hosted you might not be able to create new accounts, so you might be stuck with the one account. In that case, you have to weigh the security tradeoffs. Security is about risk management.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, August 8, 2012 9:27 PM
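
The least-privilege setup discussed in this thread, as an added T-SQL example that is not part of the original posts. It assumes the host allows creating logins and that the database is named ASPNETDB; `web_reader`, `dbo.Table1` to `dbo.Table3` and the password are hypothetical placeholders.

```sql
-- Added example: a read-only SQL Server account for the three display tables.
-- Assumptions (not from the thread): login name web_reader, table names
-- dbo.Table1..dbo.Table3, database name ASPNETDB, placeholder password.
USE master;
CREATE LOGIN web_reader
    WITH PASSWORD = '<strong-password-placeholder>',
         DEFAULT_DATABASE = ASPNETDB,
         CHECK_POLICY = ON;          -- enforce the Windows password policy
GO

USE ASPNETDB;
-- Map the login to a database user; it is added to no roles, so it starts
-- with nothing beyond CONNECT and whatever the public role has.
CREATE USER web_reader FOR LOGIN web_reader;

-- Grant SELECT on exactly the tables the pages display.
-- No permissions are granted on the aspnet_* membership objects.
GRANT SELECT ON OBJECT::dbo.Table1 TO web_reader;
GRANT SELECT ON OBJECT::dbo.Table2 TO web_reader;
GRANT SELECT ON OBJECT::dbo.Table3 TO web_reader;
GO

-- Verify the effective permissions by impersonating the new user.
-- HAS_PERMS_BY_NAME: 1 = granted; 0 or NULL = not granted or not visible.
EXECUTE AS USER = 'web_reader';
SELECT
    HAS_PERMS_BY_NAME('dbo.Table1', 'OBJECT', 'SELECT') AS can_read_table1,
    HAS_PERMS_BY_NAME('dbo.Table1', 'OBJECT', 'UPDATE') AS can_update_table1,
    HAS_PERMS_BY_NAME('dbo.aspnet_Membership', 'OBJECT', 'SELECT')
        AS can_read_membership;

-- Database-level permissions the user actually holds.
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO

-- The site's connection string then uses this account instead of the
-- host-supplied one, e.g. "User ID=web_reader;Password=<placeholder>;...".
```

If the host does not permit `CREATE LOGIN`, the script fails at the first statement and the single-account tradeoff described in the answer applies.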