ASP.NET Interview Questions on Data Access Security

What are the best practices to follow to secure connection strings in an ASP.NET web application?
1. Always store connection strings in the site's Web.config file. Web.config is very secure. Users will not be able to access web.config from the browser.
2. Do not store connection strings as plain text. To help keep the connection to your database server secure, it is recommended that you encrypt connection string information in the configuration file.
3. Never store connection strings in an aspx page.
4. Never set connection strings as declarative properties of the SqlDataSource control or other data source controls.
Why is "Connecting to SQL Server using Integrated Security" considered a best practice?Connecting to SQL Server using integrated security instead of using an explicit user name and password, helps avoid the possibility of the connection string being compromised and your user ID and password being exposed.

What is the advantage of storing an XML file in the applications App_Data folder?
The contents of the App_Data folder will not be returned in response to direct HTTP requests.

What is Script injection?
A script injection attack attempts to send executable script to your application with the intent of having other users run it. A typical script injection attack sends script to a page that stores the script in a database, so that another user who views the data inadvertently runs the code.
What is SQL injection?A SQL injection attack attempts to compromise your database by creating SQL commands that are executed instead of, or in addition to, the commands that you have built into your application.What are the best practices to keep in mind when accepting user input on a web application?
Always use validation controls whenever possible to limit user input to acceptable values.
2. Always check the IsValid property of the aspx page. Run the server side code only if the IsValid property value is true. A value of false means that one or more validation controls have failed a validation check.
3. Always perform server side validation irrespective of client side validation being performed or not. This will protect your web application even if the client has by passed the client side validation by disabling javascript in the web browser.
4. Also make sure to re validate user input in the business logic layer of your application.
What are the steps to follow to avoid Script Injection attacks?
Encode user input with the HtmlEncode method. This method turns HTML into its text representation.
2. If you are using the GridView control with bound fields, set the BoundField object's HtmlEncode property to true. This causes the GridView control to encode user input when the row is in edit mode.
What are the steps to follow to avoid SQL Injection attacks?Always use parameterized queries or stored procedures instead of creating SQL commands by concatenating strings together.

Can you encrypt view state data of an aspx page?
Yes, you encrypt view state data of an aspx page by setting the page's ViewStateEncryptionMode property to true.


  1. Good job!!!

    Could you please explain
    1) why web.config file is secure.
    2) why it is always better to store connection string in web.config file.
    3) why users will not be able to access web.config file from the browser.

    1. Because files cannot be transmitted over HTTP protocol so user will not have direct access to the web.config. Hence it is safer and a professional way to always keep Connection String and other important key/value pairs in Web.Config file in ASP.Net

  2. you should set ViewStateEncryptionMode to Allways or Auto, not True.

  3. @Suresh: Web.Config file is secure in many ways.
    1) It is not served by Hence remains in the server and not visible to the end user.

    2) In case you want to protect the username and password of your DB connection string, you can encrypt it using

    aspnet_regiis -pe connectionString -app yourAppName

  4. Good one .. keep it up ..
    Can you post more queries defining WEB.CONFIG file's attributes

  5. if the user has not disabled the JavaScript then checking of IsValid property both at client side and server side won't make the page processing slow ?

  6. IsValid property executes only on server not on client side. For client side validation use JavaScript validation scripts

  7. To secure user input, one of the ways could be to give a drop down list where ever possible, so as to limit any insecure/invalid user input.

  8. very helpfull for interview point of view thanks for posting

  9. Question : What is the use of global ASAX file ?
    -> I only know that we can use Session and Application in global ASAX file.
    Question : What is the main difference between global ASAX and Web.Config file ?


If you are aware of any other questions asked in an interview, please post them below. If you find anything missing or wrong, please feel free to correct by submitting the form below.

Disclaimer - Terms of use - Contact Us