Connection string in app.config (not in web app)?

[Guest]

Like a web app can store its connection string in the web.config file, can a
windows forms or console app or windows service store its connection string
in app.config?

Is it advisable?
I know the web application is best to store its strings in there as the web
server will flatly refuse to serve up that file, but I've heard that it will
server up an aspx file if you ask for $::myfile.aspx$ or something like that.
But for a winapp, is it just easier to have a class called 'consts' and have
static strings in that?

Or is it the 'done thing' to use application configuration settings?

Please advise

Thanks

 

[Dmitriy Lapshin [C# / .NET MVP]]

Hi,

Hard-coding the connection string is probably not a good idea - should
connection parameters change and you are bound to re-build and re-deploy the
application. Therefore, storing the connection string in app.config is
advisable. If you care about the security, you can store it encrypted and
probably digitally signed.

 

[Bonj]

Hard-coding the connection string is probably not a good idea - should
connection parameters change and you are bound to re-build and re-deploy
the application. Therefore, storing the connection string in app.config is
advisable.

Is this an app.config that has to remain in the same folder as the .exe when
it is running, or is compiled into it? I don't want something that's not
embedded into the .exe file.

If you care about the security, you can store it encrypted and probably
digitally signed.

How do I do this, and how do I connect the app.config to the program in the
first place? I don't posess any "certificates" if that's what you mean.

 

[Joel Martinez]

I believe the security hole you refer to was only in the classic ASP
days, there was an issue where IIS would serve the actual contents of
the file (ie. code) if you used some wierd NTFS syntax to request the
file.

And yes, if you're concerned about security, please encrypt the
connection string.

Joel Martinez
http://www.onetug.org - Orlando .NET User Group
http://www.codecube.net - blog

 

[Scott Allen]

The app.config is not embedded, it lives in the same folder.

WinForms and Console apps will generally use the user's credentials
when connecting, or prompt the user for credentials if the database
does not accept Windows logins. Generally all you'll need in the
config file then is the parameters like server name, port, database
name, etc.

 

[Bonj]

yeah, true.
I don't want the reliance on a text file living in the same directory, so I
might aswell just hardcode it into a "Consts" class.... Don't ask me why - I
guess some users might think it's a log file and delete it.

 

[Bonj]

I believe the security hole you refer to was only in the classic ASP
days, there was an issue where IIS would serve the actual contents of
the file (ie. code) if you used some wierd NTFS syntax to request the
file.

yes, that's it... comical how they could have let it slip really.