Using the Windows Registry
You can also use a custom key in the Windows registry to store the connection string, although this is not recommended due to deployment issues.
- Security. You can manage access to selected registry keys by using access control lists (ACLs). For even higher levels of security, consider encrypting the data.
- Ease of programmatic access. .NET classes are available to support reading strings from the registry.
- Deployment. The relevant registry setting must be deployed along with your application, somewhat defeating the advantage of xcopy deployment.
Using a Custom File
You can use a custom file to store the connection string. However, this technique offers no advantages and is not recommended.
- Extra coding. This approach requires extra coding and forces you to deal explicitly with concurrency issues.
- Deployment. The file must be copied along with the other ASP.NET application files. Avoid placing the file in the ASP.NET application directory or subdirectory to prevent it from being downloaded over the Web.
Using Construction Arguments and the COM+ Catalog
You can store the database connection string in the COM+ catalog and have it automatically passed to your object by means of an object construction string. COM+ will call the object's Construct method immediately after instantiating the object, supplying the configured construction string.
Note This approach works only for serviced components. Consider it only if your managed components use other services, such as distributed transaction support or object pooling.
- Administration. An administrator can easily configure the connection string by using the Component Services MMC snap-in.
- Security. The COM+ catalog is considered a non-secure storage area (although you can restrict access with COM+ roles) and therefore must not be used to maintain connection strings in clear text.
- Deployment. Entries in the COM+ catalog must be deployed along with your .NET-based application. If you are using other enterprise services, such as distributed transactions or object pooling, storing the database connection string in the catalog presents no additional deployment overhead, because the COM+ catalog must be deployed to support those other services.
- Components must be serviced. You can use construction strings only for serviced components. You should not derive your component's class from ServicedComponent (making your component serviced) simply to enable construction strings.
Important It is critical to secure connection strings. With SQL authentication, the connection contains a user name and password. If an attacker exploits source code vulnerability on the Web server or gains access to the configuration store, the database will be vulnerable. To prevent this, connection strings should be encrypted.