Menu
Before I re-invent the wheel, is there a standard way to hide at least a password in a SQL Server connection string?
(Written in C#)
I have a highly multi-threaded app that is aware of multiple databases, and so to aid in troubleshooting and debugging there are various places where the connection string can be logged. I can't control what customers using this product use for connection strings and so it's not at all uncommon to find passwords in them. I know this because it's also not uncommon that people turn on DEBUG-level logging and send us log files along with a problem report, and those logs contain their database passwords (and as a result our support ticket system contains passwords).
I realize best practice is to NOT put passwords in connection strings, but that part is out of my control (unless of course we change our app so it refuses to run if you give it a connection string with an unencrypted password... that seems a bit draconian to me).
Really want I want it to log is:
Server=myServerAddress;Database=myDataBase;User Id=****;Password=*****;
(I'm up in the air over if User id/name is a sensitive thing or not, and/or useful to log or not -- comments on that welcome).
I could build a simple regex (eg /Password=[^;]+/), but before I do I just want to see if there are other cases I'm not considering, especially if this is done already.
409
Open SQL Server configuration manager and select the service of SQL Server instance. Right-click and click on the Properties option. After adding the startup parameter, click on the Apply button and then the OK button in the warning message window. Restart the SQL Server service to start SQL Server in single user mode.
Answer. Special characters can be escaped by encapsulating them in curly brackets {...}. When there is an un-escaped special character in the ODBC connection string the software will raise an error similar to: "Format of the initialization string does not conform to specification starting at index 90."
Using a non-standard portServer=myServerName,myPortNumber;Database=myDataBase;User Id=myUsername;Password=myPassword; The default SQL Server port is 1433 and there is no need to specify that in the connection string.
Integrated Security actually ensures that you are connecting with SQL Server using Windows Authentication, not SQL Authentication; which requires username and password to be provided with the connecting string.
Okay, this answer really belongs to @mellamokb but here's what I used:
/// <summary>
/// Accepts a SQL Connection string, and censors it by *ing out the password.
/// </summary>
/// <param name="connectionString"></param>
/// <returns></returns>
public static string CensorConnectionString(string connectionString)
{
var builder = new DbConnectionStringBuilder() {ConnectionString = connectionString};
if (builder.ContainsKey("password"))
{
builder["password"] = "*****";
}
return builder.ToString();
}
Couple notes:
104
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With