What the Persist Security Info parameter does in a database connection string

Author:  Source: MKing's Blog  Date: 2008-7-16

The original title of the article was: I finally figured out what the Persist Security Info parameter in an ADO database connection does.

I have used ADO for a long time, and every time I built an ADO connection string with the wizard it produced a Persist Security Info property. I never paid much attention to it, because setting it to True or False made no difference to whether the connection worked. It still bothered me, though, so today I took the time to look it up and finally worked out what it does.

Persist Security Info means "whether to persist security information". In plain terms it answers the question "does ADO keep the password after the database connection has been established?" True means it is kept, False means it is discarded.

ADO defaults to True (ADO.NET defaults to False; not tested, taken from the reference material).

You can verify this through the ConnectionString property of the ADO Connection object, as shown below (tested in Delphi 7):

--------------------------------------

Before connecting:

ConnectString="Provider=MSDAORA.1;Password=mypassword;User ID=yzs;Data Source=ydgl22;Persist Security Info=false"

After the connection succeeds:

ConnectString="Provider=MSDAORA.1;User ID=yzs;Data Source=ydgl22"

--------------------------------------

Before connecting:

ConnectString="Provider=MSDAORA.1;Password=mypassword;User ID=yzs;Data Source=ydgl22;Persist Security Info=true"

After the connection succeeds:

ConnectString="Provider=MSDAORA.1;Password=mypassword;User ID=dlyx;Data Source=ydgl22"

--------------------------------------

Overall, if the password is no longer needed once the connection has been established, it is advisable for security reasons to set Persist Security Info to false, so that a backdoor program cannot read the database password from the open connection (Windows 2003 had exactly this problem before SP1).

The following is excerpted from Microsoft's ADO.NET documentation:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsecureadonetconnections.asp

Keep Persist Security Info as False

Setting Persist Security Info to true or yes will allow security-sensitive information, including the userid and password, to be obtained from the connection after the connection has been opened. If you are supplying a userid and password when making a connection, you are most protected if that information is used to open the connection, and then discarded. As a result, your option that helps to provide greater security is to set Persist Security Info to false or no.

This is especially important if you are supplying an open connection to an untrusted source or persisting connection information to disk. Keeping Persist Security Info as false helps ensure that the untrusted source does not have access to the security-sensitive information for your connection and also helps ensure that no security-sensitive information is persisted to disk with your connection string information.

Persist Security Info is false by default.

Editor's note:

You can test this in ASP.NET as well. Build a connection string with Persist Security Info=False, use it to create a SqlConnection object, call the object's Open method, and then display the object's ConnectionString property: the Password is gone. With Persist Security Info set to True, the Password is still there.
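The behaviour captured in the Delphi test above and the ASP.NET check in this note both come down to how the provider treats the "Key=Value;Key=Value" connection string once Open has succeeded. The following Python script is an added example, not code from the original post or from Microsoft: it parses that format (case-insensitive keys, Password/Pwd as synonyms, quoted values that may contain semicolons, all assumptions of this example), simulates what ConnectionString reads back as after Open under the rule the post documents, redacts credentials before a string is written to a log or to disk, and flags strings a reviewer would want changed. The `provider_default` argument stands in for the differing defaults the post reports (True for classic ADO, False for ADO.NET). Nothing here opens a real database connection.

```python
"""Parse ADO / ADO.NET style connection strings and reason about Persist Security Info.

Added example, not part of the original post. Assumptions: OLE DB / ADO.NET
"Key=Value;Key=Value" syntax, case-insensitive keys, "Password"/"Pwd" as
synonyms, quoted values ("...", '...' or {...}) that may contain semicolons.
simulate_open() only mimics the behaviour the post documents; no database is contacted.
"""
from typing import List, Optional, Tuple

SECRET_KEYS = {"password", "pwd"}      # credential keys to strip or flag
PSI_KEY = "persist security info"
TRUE_VALUES = {"true", "yes"}          # both spellings mean "keep the password"

Pairs = List[Tuple[str, str]]          # (original key spelling, value), order preserved


def parse_connection_string(cs: str) -> Pairs:
    """Tokenize "Key=Value;..." keeping original key spelling and order."""
    pairs: Pairs = []
    i, n = 0, len(cs)
    while i < n:
        while i < n and cs[i] in " ;":          # skip separators and padding
            i += 1
        if i >= n:
            break
        eq = cs.find("=", i)
        if eq == -1:
            raise ValueError(f"segment without '=': {cs[i:]!r}")
        key = cs[i:eq].strip()
        i = eq + 1
        while i < n and cs[i] == " ":
            i += 1
        if i < n and cs[i] in "\"'{":           # quoted value, may contain ';'
            closer = "}" if cs[i] == "{" else cs[i]
            end = cs.find(closer, i + 1)
            if end == -1:
                raise ValueError(f"unterminated quoted value for key {key!r}")
            value, i = cs[i + 1:end], end + 1
        else:
            end = cs.find(";", i)
            end = n if end == -1 else end
            value, i = cs[i:end].strip(), end
        pairs.append((key, value))
    return pairs


def lookup(pairs: Pairs, key: str) -> Optional[str]:
    """Case-insensitive lookup; the last occurrence of a key wins."""
    found = None
    for k, v in pairs:
        if k.lower() == key:
            found = v
    return found


def persist_security_info(pairs: Pairs, provider_default: bool) -> bool:
    """Effective PSI: the explicit setting if present, else the provider default."""
    value = lookup(pairs, PSI_KEY)
    if value is None:
        return provider_default
    return value.strip().lower() in TRUE_VALUES


def _join(pairs: Pairs) -> str:
    return ";".join(f"{k}={v}" for k, v in pairs)


def simulate_open(cs: str, provider_default: bool = False) -> str:
    """What ConnectionString reads back as after a successful Open, per the post:
    the password is dropped unless PSI is true, and the PSI key itself is consumed."""
    pairs = parse_connection_string(cs)
    keep_secret = persist_security_info(pairs, provider_default)
    kept = [(k, v) for k, v in pairs
            if k.lower() != PSI_KEY and (keep_secret or k.lower() not in SECRET_KEYS)]
    return _join(kept)


def scrub_for_logging(cs: str) -> str:
    """Redact credentials regardless of PSI, for anything written to logs or disk."""
    return _join([(k, "***" if k.lower() in SECRET_KEYS else v)
                  for k, v in parse_connection_string(cs)])


def audit(cs: str, provider_default: bool = False) -> List[str]:
    """Findings a reviewer would raise about a stored connection string."""
    pairs = parse_connection_string(cs)
    findings: List[str] = []
    has_secret = any(k.lower() in SECRET_KEYS for k, _ in pairs)
    if lookup(pairs, PSI_KEY) is None:
        findings.append("Persist Security Info not set; effective value is the provider default")
    if has_secret and persist_security_info(pairs, provider_default):
        findings.append("password remains readable from the open connection (Persist Security Info=true)")
    return findings


if __name__ == "__main__":
    # Constructed samples mirroring the strings captured in the post.
    before_false = ("Provider=MSDAORA.1;Password=mypassword;User ID=yzs;"
                    "Data Source=ydgl22;Persist Security Info=false")
    before_true = before_false.replace("=false", "=true")
    print(simulate_open(before_false))   # Provider=MSDAORA.1;User ID=yzs;Data Source=ydgl22
    print(simulate_open(before_true))
    print(scrub_for_logging(before_true))
    print(audit(before_true))
```

Run over a configuration file, `audit()` is the check to wire into a review or deployment pipeline: a string that carries a password and resolves to Persist Security Info=true is the case the post warns about, and a string with no explicit setting deserves a note because the effective value depends on which stack reads it.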
