ADO Connection.ConnectionString no longer returns credentials

Time: 2022-04-27 04:45:17

I have a legacy ASP application that I need to release on a modern server. It uses ADO with SQLOLEDB to talk to MS SQL Server. It's logging on to SQL with username and password.

The app relies on a peculiar behavior of the ADO Connection object that seems to have changed. These days (in ADODB.Connection.6), when you provide a connection string to a Connection and then retrieve it back, you don't get back an exact copy of the original string; specifically, the username and password are stripped from it, and some extra parameters are added.

It looks like older versions of ADO did not strip the credentials in this scenario; the application would never work if it did, and it works. Question - is this documented? Is there a way to enforce the legacy behavior in new ADO?

I really don't want to downgrade ADO on a shared server.

EDIT: just isolated it to a minimal test case. Works on Connection.2.80 on Windows 2003 (msado15.dll v. 2.82.5011.0), fails on Connection.6 on Windows 2008 (dll v.6.1.7600.17036).

EDIT2: officially, the old MDAC 2.8, which ADO is a part of, is not supported on Vista and higher. So downgrade is not really an option.

1 solution

#1


5  

What you're looking for is probably the "Persist Security Info" property. The property is documented here and here (assuming you're using the SQLOLEDB provider; but most providers I've dealt with behave the same in this regard). Basically, when this property is set to False, sensitive information, such as passwords, will be stripped from the connection string when it is read. Conversely, when the property is set to True, the connection string will be returned exactly as it was supplied (including any sensitive information).

I have only found one blog post (but no official documentation) that states that the default value for this property changed from True to False at Windows Vista, which would correspond with Windows Server 2008. This matches your observations.

It should be noted that the new default of False is considered more secure since there is less risk of accidentally revealing sensitive information. The recommended solution here is to re-engineer the application so that it doesn't need to rely on getting the password back from the ConnectionString property.

With that disclaimer out of the way, you can explicitly set the "Persist Security Info" property through the connection string by adding ;Persist Security Info=True. It may also be possible to set the property on the Connection object before opening it (in case you can't change the connection string), but I'm not entirely sure if that would work (you may have to manually set the Provider property first).

' untested examples

' Method 1
connString = "Provider=SQLOLEDB;"
connString = connString & "Data Source=example;"
connString = connString & "Initial Catalog=exampleDB;"
connString = connString & "User Id=user;"
connString = connString & "Password=1234;"
connString = connString & "Persist Security Info=True"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connString

' Method 2
connString = "Data Source=example;"
connString = connString & "Initial Catalog=exampleDB;"
connString = connString & "User Id=user;"
connString = connString & "Password=1234;"

Set conn = Server.CreateObject("ADODB.Connection")
conn.Provider = "SQLOLEDB"
conn.Properties("Persist Security Info").Value = True
conn.Open connString
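
Added example, not part of the original answer and untested against the asker's application: a sketch of the re-engineering the answer recommends, assuming the legacy code reads conn.ConnectionString back in order to open further connections or recordsets. GetConnString, OpenDb and the Application("DbConnString") key are hypothetical names; the string is assumed to be loaded into the Application object at startup.

```vbscript
<%
Option Explicit

' Single source of truth for the connection string (hypothetical helper).
' Assumption: global.asa stores it in Application("DbConnString") at startup.
Function GetConnString()
    GetConnString = Application("DbConnString")
End Function

' Every new connection is opened from the stored string, never from
' another connection's ConnectionString property.
Function OpenDb()
    Dim c
    Set c = Server.CreateObject("ADODB.Connection")
    c.Open GetConnString()
    Set OpenDb = c
End Function

Dim conn, conn2, rs
Set conn = OpenDb()

' Legacy pattern that fails once credentials are stripped on read-back:
'   conn2.Open conn.ConnectionString
' Replacement that works with Persist Security Info=False:
Set conn2 = OpenDb()

' A recordset can take the live connection object instead of a string.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "SELECT 1 AS ok", conn

' Defensive check: if the password is still readable from the property,
' Persist Security Info is effectively True somewhere. Record it in the IIS log.
If InStr(1, conn.ConnectionString, "Password=", vbTextCompare) > 0 Then
    Response.AppendToLog "WARN ConnectionString exposes password"
End If

rs.Close
conn2.Close
conn.Close
Set rs = Nothing
Set conn2 = Nothing
Set conn = Nothing
%>
```

With this structure the connection string never needs "Persist Security Info=True", so the Vista-era default described in the answer can stay in place.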
