Connection Strings in ADO.NET

A connection string contains initialization information that is passed as a parameter from a data provider to a data source. The data provider receives the connection string as the value of the DbConnection.ConnectionString property. The provider parses the connection string and ensures that the syntax is correct and that the keywords are supported. Then the DbConnection.Open() method passes the parsed connection parameters to the data source. The data source performs further validation and establishes a connection.

Connection string syntax

A connection string is a semicolon-delimited list of key/value parameter pairs:

keyword1=value; keyword2=value;

Keywords are not case-sensitive. Values, however, may be case-sensitive, depending on the data source. Both keywords and values may contain whitespace characters. Leading and trailing white space is ignored in keywords and unquoted values.

If a value contains the semicolon, Unicode control characters, or leading or trailing white space, it must be enclosed in single or double quotation marks. For example:

Keyword=" whitespace  ";
Keyword='special;character';

The enclosing character may not occur within the value it encloses. Therefore, a value containing single quotation marks can be enclosed only in double quotation marks, and vice versa:

Keyword='double"quotation;mark';
Keyword="single'quotation;mark";

You can also escape the enclosing character by using two of them together:

Keyword="double""quotation";
Keyword='single''quotation';

The quotation marks themselves, as well as the equals sign, do not require escaping, so the following connection strings are valid:

Keyword=no "escaping" 'required';
Keyword=a=b=c

Since each value is read till the next semicolon or the end of string, the value in the latter example is a=b=c, and the final semicolon is optional.

All connection strings share the same basic syntax described previously. The set of recognized keywords depends on the provider, however, and has evolved over the years from earlier APIs such as ODBC. The .NET Framework data provider for SQL Server (SqlClient) supports many keywords from older APIs, but is generally more flexible and accepts synonyms for many of the common connection string keywords.

Typing mistakes can cause errors. For example, Integrated Security=true is valid, but IntegratedSecurity=true causes an error.

Connection strings constructed manually at run time from unvalidated user input are vulnerable to string-injection attacks and jeopardize security at the data source. To address these problems, ADO.NET 2.0 introduced connection string builders for each .NET Framework data provider. These connection string builders expose parameters as strongly typed properties and make it possible to validate the connection string before it's sent to the data source.

Important

Microsoft recommends that you use the most secure authentication flow available. If you're connecting to Azure SQL, Managed Identities for Azure resources is the recommended authentication method.

In this section

Connection String Builders
Demonstrates how to use the ConnectionStringBuilder classes to construct valid connection strings at run time.

Connection Strings and Configuration Files
Demonstrates how to store and retrieve connection strings in configuration files.

Connection String Syntax
Describes how to configure provider-specific connection strings for SqlClient, OracleClient, OleDb, and Odbc.

Protecting Connection Information
Demonstrates techniques for protecting information used to connect to a data source.

See also