Move connection string from settings.txt in app_data to webconfig.

Posted: December 10, 2013 at 7:58 AM Quote #111115
Hi,

By default, Microsoft has the connection string (also encrypted if you want) in the web.config.

I came across settings.txt in app_data during an upgrade. I would recommend/suggest following the Microsoft path. If you use Windows identity, your database cannot be accessed if no SQL connections are allowed. However, if you have SQL connections allowed and app_data\settings.txt would be readable, that would have dramatic effect(s).

If I would be working at Microsoft, I would hardcode that web.config or .config would never be able to leave the web server. For text files I would not do that.

J.
Posted: December 10, 2013 at 9:21 AM Quote #111126
This might be evidence for: https://www.nopcommerce.com/boards/t/26955/my-site-hacked-by-pharamacy100couk.aspx
Posted: December 10, 2013 at 11:43 AM Quote #111142
Quantis001 wrote:
app_data\settings.txt would be readable that would have dramatic effect(s).

Why should it be readable? By default IIS doesn't allow access to files located in \App_Data. So no worries about it.

Quantis001 wrote:
It's absolutely not related somehow to your "suggestion". Why do you think that this site was hacked because of it?
Regards,
Andrei Mazulnitsyn
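
Added example, not part of the thread or of nopCommerce: the default behaviour described above comes from the `hiddenSegments` list in IIS request filtering, which a site's own web.config can shrink with `<remove>` or `<clear>`. This Python check computes the effective list for a site and reports whether `App_Data` or `web.config` would stop being blocked; the default list and the sample configs are assumptions constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: hidden segments a stock IIS applicationHost.config supplies.
# Read the real list from your own server rather than trusting this constant.
IIS_DEFAULT_HIDDEN = ("web.config", "bin", "App_code", "App_GlobalResources",
                      "App_LocalResources", "App_WebReferences", "App_Data",
                      "App_Browsers")

def effective_hidden_segments(site_web_config, inherited=IIS_DEFAULT_HIDDEN):
    """Apply the site's <hiddenSegments> clear/remove/add directives, in
    document order, to the inherited list; return lower-cased segment names."""
    hidden = {s.lower() for s in inherited}
    root = ET.fromstring(site_web_config)
    node = root.find("system.webServer/security/requestFiltering/hiddenSegments")
    if node is None:
        return hidden  # site overrides nothing, inherited list still applies
    for child in node:
        segment = child.get("segment", "").lower()
        if child.tag == "clear":
            hidden.clear()
        elif child.tag == "remove":
            hidden.discard(segment)
        elif child.tag == "add" and segment:
            hidden.add(segment)
    return hidden

def exposed_paths(site_web_config, inherited=IIS_DEFAULT_HIDDEN,
                  must_hide=("App_Data", "web.config")):
    """Return the sensitive segments request filtering would no longer block."""
    hidden = effective_hidden_segments(site_web_config, inherited)
    return [p for p in must_hide if p.lower() not in hidden]

def _site(inner):  # wraps constructed <hiddenSegments> children in a web.config
    return ("<configuration><system.webServer><security><requestFiltering>"
            "<hiddenSegments>%s</hiddenSegments></requestFiltering></security>"
            "</system.webServer></configuration>" % inner)

# Constructed sample configs (not taken from any real site).
STOCK = "<configuration><system.webServer /></configuration>"
WEAK = _site('<remove segment="App_Data" />')
CLEARED = _site('<clear /><add segment="bin" />')

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("weak", WEAK), ("cleared", CLEARED)):
        print(name, "exposes:", exposed_paths(cfg) or "nothing")
    # Server with no inherited hidden segments (e.g. not IIS at all):
    print("no defaults exposes:", exposed_paths(STOCK, inherited=()))
```
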
Posted: December 10, 2013 at 3:03 PM Quote #111192
Hi Andrei,

Sure, you are right for app_data, app_code etc. They shouldn't be served. However, that file is in the middle of other files, and has been added by Microsoft recently. In the past it has always been web.config, similar to the htaccess file on Apache. If somebody does not know that this app_data is a special directory and might install Apache or other software (other than MS IIS) wrong. See the link below for how it was explained in the past:

http://www.iis.net/learn/application-frameworks/install-and-configure-php-applications-on-iis/translate-htaccess-content-to-iis-webconfig

Microsoft is also triggering the PHP/Java community to take benefit of hosting with Microsoft IIS. If somebody just reads the wrong post... or believes it works similar... most likely that person will also give access to web.config... so maybe we cannot avoid that... I guess you are right.

J.
Posted: January 21, 2014 at 11:36 PM Quote #114563
Hi,

Further to the above, I have two questions regarding the connection string:
1. Is there any way to encrypt it and still have the application run without any further modifications? Unfortunately this is required by a lot of security consultants.
2. Is there any way to create Release/Debug versions?
Posted: October 13, 2014 at 11:41 AM Quote #132972
I'd also like to know the best way to do this - I want to use the standard web.config 'release' and 'dev' for my deployment to use different database connection strings.

Thanks!
Posted: October 21, 2014 at 8:39 AM Quote #133548
Hoping to get some help here: we need the connection string in the web.config to support deployment to different environments (the 'normal .net way').

How do we tell nopCommerce to look in the web.config vs. a 'settings.txt' file?

Thanks!!!
Posted: August 08, 2016 at 11:48 PM Quote #173102
It seems unnecessary to re-invent the wheel and complicate the matter to put connection string in Settings.txt, an awkward design for an otherwise well-designed app.
Posted: August 09, 2016 at 9:22 PM Quote #173174
I personally don't see any issue with having the connection string within App_Data.
It shouldn't be a heavy lift to encrypt the connection string using a machine key or something similar.
A .NET-specific deployment platform such as Octopus Deploy can handle transforms of all types with very little difficulty. Its lowest usage tier is free and should easily meet your needs.
For deployments to different environments, once Settings.txt is set up, there should be little to no reason to update that file going forward.
- c