6
votes

You use Microsoft Visual Studio 2010 and Microsoft .NET Framework 4 to create an application.The application connects to a Microsoft SQL Server 2008 database. The application uses a Microsoft ADO.NET SQL Server managed provider.When a connection fails, the application logs connection information, including the full connection string.The information is stored as plain text in a .config file.

You need to ensure that the database credentials are secure.

Which connection string should you add to the .config file?

A.Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=false;

B.Data Source=myServerAddress; Initial Catalog=myDataBase; Integrated Security=SSPI; Persist Security Info=true;

C.Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=false;

D.Data Source=myServerAddress; Initial Catalog=myDataBase; User Id = myUsername; Password = myPassword; Persist Security Info=true;

According to the guide, the answer is 'A'. But in my opinion, the Answer is 'C'. If we are using Integrated Security = SSPI, we don't need to supply UserID and Password. So, Persist Security Info=false has no effect.

As far as I know, Persist Security Info only takes effect if the connection string has User Credentials.

Could you please advise me which one is correct? Thanks.

1

1 Answers

5
votes

You are right. Persist Security Info=false has effect only if user name and password provided in connection string. But question is "What should you store in .config file" and considering that "information is stored as plain text" you should not store UID and PWD in config file. If you store C, PWD and UID can be extracted from .config file. But if you store A, there is no credentials to extract.

I'm not sure, why A has "Persist Security Info=false", but looks like it is a good practice. See MSDN examples: