Improving Web Application Security: Threats and - CGISecurity

Chapter 7: Building Secure Assemblies 167

Version 1.1 of the .NET Framework loads the user profile for the ASPNET account on Windows 2000. On Windows Server 2003, the profile for this account is only loaded if the ASP.NET process model is used. It is not loaded explicitly by Internet Information Services (IIS) 6 if the IIS 6 process model is used on Windows Server 2003.

Note: Version 1.0 of the .NET Framework does not load the ASPNET user profile, which makes HKEY_CURRENT_USER a less practical option.

Reading from the Registry

The following code fragment shows how to read an encrypted database connection string from under the HKEY_CURRENT_USER key using the Microsoft.Win32.Registry class.

using Microsoft.Win32;

public static string GetEncryptedConnectionString()
{
    // OpenSubKey returns null if the key does not exist, so check before
    // reading the value, and dispose the key handle when done.
    using (RegistryKey key = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\YourApp"))
    {
        if (key == null)
            return null;
        return (string)key.GetValue("connectionString");
    }
}

For more information about how to use the code access security RegistryPermission to constrain registry access code, for example to limit it to specific keys, see "Registry" in Chapter 8, "Code Access Security in Practice."

Data Access

Two of the most important factors to consider when your code accesses a database are how to manage database connection strings securely and how to construct SQL statements and validate input to prevent SQL injection attacks. Also, when you write data access code, consider the permission requirements of your chosen ADO.NET data provider. For detailed information about these and other data access issues, see Chapter 14, "Building Secure Data Access."

For information about how to use SqlClientPermission to constrain data access to SQL Server using the ADO.NET SQL Server data provider, see "Data Access" in Chapter 8, "Code Access Security in Practice."
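The following is an added example, not code from the book, that ties the two sections above together: it reads the encrypted connection string from the same HKEY_CURRENT_USER key while a declarative RegistryPermission PermitOnly limits the method to read access on that one key, and then runs a parameterized SqlCommand so that user input never becomes part of the SQL text. The value name "connectionString", the Users table, and the Decryptor delegate (standing in for whatever decryption the deployment uses) are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Permissions;
using Microsoft.Win32;

public static class SecureDataAccess
{
    // Assumed stand-in for the deployment's own decryption routine.
    public delegate string Decryptor(string cipherText);

    // PermitOnly limits this method to read access on the one key it needs,
    // even if the assembly has been granted broader registry rights.
    [RegistryPermission(SecurityAction.PermitOnly,
        Read = @"HKEY_CURRENT_USER\SOFTWARE\YourApp")]
    public static string GetEncryptedConnectionString()
    {
        // OpenSubKey returns null when the key is missing; fail clearly
        // instead of with a NullReferenceException.
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\YourApp"))
        {
            if (key == null)
                throw new InvalidOperationException(@"SOFTWARE\YourApp key not found.");
            string value = key.GetValue("connectionString") as string;
            if (string.IsNullOrEmpty(value))
                throw new InvalidOperationException("connectionString value not set.");
            return value;
        }
    }

    // Counts users matching a name with a parameterized command: the SQL text
    // is fixed and userName travels as a typed parameter, so quotes or comment
    // markers in the input cannot alter the statement.
    public static int CountUsersByName(string userName, Decryptor decrypt)
    {
        string connectionString = decrypt(GetEncryptedConnectionString());
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = connection.CreateCommand())
        {
            command.CommandText = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
            command.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }
}
```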