Do you know the right way to define a connection string?
  v1.0 Posted at 27/04/2018 8:16 AM by Tiago Araujo
The practice below is bad because the application can then do anything it wants to the SQL Server (e.g. DROP other databases).

Bad example - The connection string uses 'sa' in Uid

Good example - The connection string with an Application Name and an application-specific login

If using SQL Authentication
Server=DRAGON;Database=SSWData2005;Uid=SSWWebsite;Pwd=password;Application Name=SSWWebsite
If using Windows Authentication (Recommended)
Server=DRAGON;Database=SSWData2005;Integrated Security=True;Application Name=SSWWebsite

  • Application Name (e.g. SSWWebsite)
    • This makes profiling the database easier as you can filter by Application Name
  • Application-specific login / Windows Integrated Security with a domain account for the application (e.g. SSWWebsite)
    • These logins should only have access to the databases they use (e.g. SSWData2005)
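The checks above can be automated. The following is an added example, not code from the original rule: a small Python audit that parses the `Key=Value;Key=Value` syntax SqlClient uses (key names compared case-insensitively, with the common aliases such as `Uid`/`User ID` and `Trusted_Connection`/`Integrated Security`) and reports a privileged `sa` login as an error, a missing Application Name as an error, and SQL authentication as a warning because Windows authentication is the recommended form. The parser deliberately ignores quoted values, and the sample strings at the bottom are constructed for the demo.

```python
"""Audit SQL Server connection strings against the rule above (added example)."""
from __future__ import annotations

# Aliases SqlConnectionStringBuilder accepts for the keys this audit looks at
# (canonical name -> accepted spellings, compared case-insensitively).
_ALIASES = {
    "user id": {"user id", "uid", "user"},
    "password": {"password", "pwd"},
    "integrated security": {"integrated security", "trusted_connection"},
    "application name": {"application name", "app"},
    "initial catalog": {"initial catalog", "database"},
    "data source": {"data source", "server", "address", "addr", "network address"},
}
_CANONICAL = {alias: name for name, aliases in _ALIASES.items() for alias in aliases}

# Logins that should never appear in an application's connection string.
PRIVILEGED_LOGINS = {"sa"}


def parse_connection_string(conn: str) -> dict[str, str]:
    """Split 'a=b;c=d' into a dict keyed by canonical, lower-case key names."""
    result: dict[str, str] = {}
    for part in conn.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';' or an empty segment
        if "=" not in part:
            raise ValueError(f"malformed segment: {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        result[_CANONICAL.get(key, key)] = value.strip()
    return result


def _is_true(value: str) -> bool:
    # SqlClient accepts true/yes/sspi for Integrated Security.
    return value.strip().lower() in {"true", "yes", "sspi"}


def audit_connection_string(conn: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the rule is followed."""
    settings = parse_connection_string(conn)
    findings: list[tuple[str, str]] = []

    integrated = _is_true(settings.get("integrated security", "false"))
    user = settings.get("user id", "")

    if user.lower() in PRIVILEGED_LOGINS:
        findings.append(("error", f"uses the privileged login '{user}'; use an "
                                  "application-specific login with access only to its own database"))
    if not integrated and not user:
        findings.append(("error", "no login: neither Integrated Security nor User ID is set"))
    if not integrated and user:
        findings.append(("warn", "SQL authentication; prefer Windows authentication with a "
                                 "domain account for the application (Integrated Security=True)"))
    if integrated and user:
        findings.append(("warn", "User ID is ignored when Integrated Security is on; remove it"))
    if not settings.get("application name"):
        findings.append(("error", "missing Application Name; add it so the application can be "
                                  "filtered when profiling the database"))
    return findings


def errors(conn: str) -> list[str]:
    """Only the findings that fail the rule outright."""
    return [msg for sev, msg in audit_connection_string(conn) if sev == "error"]


if __name__ == "__main__":
    # Constructed sample strings: the bad form the rule describes and the two good forms.
    samples = {
        "bad":  "Server=DRAGON;Database=SSWData2005;Uid=sa;Pwd=password",
        "sql":  "Server=DRAGON;Database=SSWData2005;Uid=SSWWebsite;Pwd=password;Application Name=SSWWebsite",
        "win":  "Server=DRAGON;Database=SSWData2005;Integrated Security=True;Application Name=SSWWebsite",
    }
    for name, conn in samples.items():
        print(name, audit_connection_string(conn) or "OK")
```

Run it as a script to see the three verdicts, or call `errors()` from a build step to fail the build when a checked-in configuration file still carries `sa` or lacks an Application Name.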
