Avoid giving server connection string in web.config

Question

I am building a website using asp.net MVC. I have two connection strings in the web.config, one for local db and one for the server db. I am testing my work on local and then put it on the server. the server connection string (user name and password) is also in the web.config. Tomorrow when I sell the product, I want to make sure I don't give this web.config to the clients. but It can happen by mistake. How can I prevent this?

Answer 1

Don't use user name and password in the connection string, but use integrated security.

Instead of this.

User ID=****; Password=****;

Use this.

Integrated Security=true;

And make sure your logon user has access to the local database. And the IIS server has access to the server database.

See here for configuring IIS to be able to access SQL Server.

Answer 2

My suggestion would be to use one of two methods:

A ConnectionStrings.config or a Web.Config transform. As usual there are pros and cons for both.

Using a separate config file for connection strings

• Each developer can have a local copy of their connection strings
• ConnectionStrings can be marked to ignore and never committed to source control

However - Requires each client/developer to be individually managed

Web.config transforms

• Each connection string/build configuration can be source controlled
• Requires publish of application rather than just a build

However

• Can become difficult to maintain with large numbers of transforms.

Personally I prefer having a ConnectionStrings.config - I don't like having production credentials in source control. It also has the nice side effect of giving a build error if you've forgotten it so you can't leave them out by mistake.