One of the best practices in ASP.NET is to save your database connection strings in the Web.config file instead of hard-coding them in your code. This allows you to change database servers easily, without needing to modify your code.
As an additional protection, it is always better to use integrated Windows security to access your database rather than SQL Server authentication, which requires including your SQL Server credentials in the connection string. Either way, it's not a good idea to save your connection strings as plain text in Web.config -- you should ideally encrypt them so that a potential hacker who reads the file cannot easily get more information about your database server.
ASP.NET provides built-in functionality to encrypt sections of your web.config file. You can take advantage of this to easily mask your sensitive configuration data. You will first need to move the connection strings for your Sitefinity project from the data.config file (which is the default location for these) into the web.config file.
You probably have this in your ~\App_Data\Sitefinity\Configuration\data.config file:
Now cut the node <connectionStrings></connectionStrings> and insert it into your web.config file. You can place it just after the <configSections> </configSections> node in there.
Remove the dbType="MsSql" part from it.
At this point, we’ve moved our connection string to our web.config file. Now, we will encrypt it.
Open a command prompt window by typing CMD in your “Run” or “Search programs and files” textbox in Windows. Type cd c:\Windows\Microsoft.NET\Framework\v4.0.30319 to enter the folder containing the aspnet_regiis.exe file that we will need.
Type aspnet_regiis -pef connectionStrings C:\Sitefinity\Projects\Quantum , replacing C:\Sitefinity\Projects\Quantum with the path to your Sitefinity project.
The above connection string now looks like this (.NET has replaced your connection string with an encrypted one):
No code is required to decrypt the connection string in Sitefinity; .NET will automatically do that for you!
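
To run the encryption step and confirm that it took effect, the following PowerShell script is an added example, not part of the original post. It assumes the sample project path and framework folder used above, the default RSA protection provider, and a placeholder application pool name in the final comment.

```powershell
# Added example: encrypt <connectionStrings> and verify the result on disk.
# The defaults are the sample paths from the post; pass your own values.
param(
    [string]$SitePath     = 'C:\Sitefinity\Projects\Quantum',
    [string]$FrameworkDir = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319'
)

$regiis    = Join-Path $FrameworkDir 'aspnet_regiis.exe'
$webConfig = Join-Path $SitePath 'web.config'

# Run from an elevated prompt: the tool rewrites web.config and uses the
# machine-level RSA key container.
& $regiis -pef 'connectionStrings' $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

# Re-read the file rather than trusting the tool's console output.
$config = New-Object System.Xml.XmlDocument
$config.Load($webConfig)
$xpath   = "/*[local-name()='configuration']/*[local-name()='connectionStrings']"
$section = $config.SelectSingleNode($xpath)
if ($null -eq $section) { throw 'No <connectionStrings> section in web.config' }

# An encrypted section names its provider and holds an <EncryptedData> child
# instead of <add connectionString="..."> entries.
$provider  = $section.GetAttribute('configProtectionProvider')
$encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
$plaintext = $section.SelectNodes("*[local-name()='add'][@connectionString]")

if (-not $provider -or $null -eq $encrypted -or $plaintext.Count -gt 0) {
    throw 'connectionStrings is still readable in web.config'
}
Write-Host "connectionStrings is protected by $provider"

# After the move, data.config must no longer carry the plaintext string.
$dataConfig = Join-Path $SitePath 'App_Data\Sitefinity\Configuration\data.config'
if ((Test-Path -LiteralPath $dataConfig) -and
    (Select-String -LiteralPath $dataConfig -Pattern 'connectionString\s*=' -Quiet)) {
    Write-Warning "Plaintext connectionString attribute still present in $dataConfig"
}

# If the site fails to decrypt at startup, grant the app pool identity read
# access to the key container ('IIS APPPOOL\YourAppPool' is a placeholder):
#   & $regiis -pa 'NetFrameworkConfigurationKey' 'IIS APPPOOL\YourAppPool'
```

Because the default provider's key lives in a machine-level container, the encrypted section decrypts only on the machine where it was encrypted, so repeat the step on each server that hosts the site. Running aspnet_regiis -pdf with the same arguments restores the plain-text section.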