From: John Munyan (johnmattrition.ws)
Date: Thu Jan 10 2002 - 15:15:58 CST

    Do the right thing - never use SQL Server's native security. Use a
    trusted connection (using the I_USR account) to a limited set of stored
    procedures that control all access to the database - just like Microsoft
    recommends.
    You'll never have the username or password lying around in a connection
    string again. If someone breaks into the SAM then you've got a lot more
    to worry about than the loss of the I_USR account password. ;-)

    But isn't there a significant performance hit when using this form of
    authentication? Can connection pooling be used? I was under the
    impression that every db access would cause a new connection to be
    formed and therefore using the integrated auth would be frowned on in a
    performance type light? Am I all wet?

    Thanks,

    John

    -----Original Message-----
    From: Chip Andrews [mailto:chipandrewsusa.net]
    Sent: Thursday, January 10, 2002 10:14 AM
    To: Eli Allen; focus-mssecurityfocus.com
    Subject: Re: [SQL connection string security]