Vulnerability in EPiServer.Forms
I was wondering if there were any changes in EPiServer 7.5+ which enabled reading of connectionstrings from external files?
I have earlier created this topic http://world.episerver.com/Modules/Forum/Pages/Thread.aspx?id=76526 which was more concerned with the earlier versions of EPiServer 7.
With the implemented method described in the above topic, I get a .NET exception complaining that the SQL-profile provider cannot read the connectionstring "EPiServerDB":
<add name="SqlProfile" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=188.8.131.52, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" applicationName="EPiServerSample" />
Can you show us connectionStrings element from web.config?
Sure it looks like:
<add name="EPiServerDB" connectionString="Data Source=[DB_SERVER_HERE];Initial Catalog=[DB_HERE];Integrated Security=SSPI;MultipleActiveResultSets=True" providerName="System.Data.SqlClient" />
This is the connectionstring I want to move to an external file.
Are you still adding connection string manually or you have connectionStrings.config file as source for <connectionStrings> element?
I want to have an XML file containing connectionstrings for my dev, staging and prod development. In this XML file there is one setting that stores which of the connectionstrings to use.
So at the moment, we are not adding connectionstrings manually, but we are using the standard setup with a connectionstrings-file. If possible, we want to move all connectionstrings to an xml-file.
How does <connectionString> element looks in web.config?
And I would recommend to use configuration file transformations to deploy correct connection string for staging or production environment - cleans up config file and this is preferred way to deal with various environments and configurations.
So did you get this fixed, becasue the same thing happened when I updated to 9.7 and moved the connections strings to an external config file in the root. I also configured to use another DB for membership user management.