0

I've built an installer that creates a website, application pool, and then assigns the website to the app pool. As part of this I allow the user to input different settings for various connection strings (allows the developer to set them to DEV / UAT etc.). I then modify the web.config with the settings input by the user.

As this is something that will only be installed by a small bunch of developers I'm not concerned with the security of the input (I'm aware they could put in anything), but more with whether it's considered bad practice to modify the web.config in this way?

I've read a few questions on here regarding how people do this and generally in each one there is someone saying that it's not a good idea to do this. The second answer on this question states that doing so will restart your application. I can see how this could cause problems if your user is in the middle of using the app, but for my scenario this isn't relevant. Is this the only reason to consider when doing this?

Community
  • 1
  • 1
sr28
  • 4,728
  • 5
  • 36
  • 67

3 Answers3

1

web.config is like the .htaccess file, in wordpress some plugins automatically updates these files accordingly.
This links might help you, I did have this same question the other day

Change a web.config programmatically with C# (.NET)

Community
  • 1
  • 1
andrex
  • 983
  • 5
  • 14
  • how come Wordpress is involved? – Raptor Sep 19 '14 at 08:39
  • Thanks for the answer, but I know how to do it. It's more a question of whether I SHOULD be doing it and whether there are any downsides to doing so. – sr28 Sep 19 '14 at 08:39
  • 1
    @Raptor I'm just saying that it's the same as .htaccess and I know in wordpress this file is problematically change. In short it would be **no** (not bad as long as it's needed), I thought it would be better if there were some examples sorry for the little bit of off topic. – andrex Sep 19 '14 at 08:41
1

The warnings are usually applied when someone is talking about having an asp.net website update its own web.config file. But as I understand it, you're talking about updating it from your installer, and this happens before the site is used, so it should be fine.

And, of course, think about it the other way - what's your alternative to manipulating these files programmatically? Do you have any means at your disposal for manipulating these files that doesn't, at some point, have some program open the file and write to it?

Notepad? It's a program.

IIS Manager? It's a program.

Your installer? It's a program.

Damien_The_Unbeliever
  • 234,701
  • 27
  • 340
  • 448
  • I thought this was the case, but doubt started creeping in when I started noticing people were saying there were other approaches that should be used. I still suspected that this didn't apply to my situation but thought it better to be sure. Thanks. – sr28 Sep 19 '14 at 08:55
1

Just a (perhaps obvious) thought: Be careful not to overwrite any manual changes added after the installation.

If I had made some custom changes to a config file, I would not want them to be overwritten by a program. It does not sound as if this would happen in your scenario though, so if the solution works for you, I can't see any real problem.

Kjartan
  • 18,591
  • 15
  • 71
  • 96
  • I agree, though as this is only being done through an installer it will be creating it for the first time, so won't be overwriting anything (just creating it). – sr28 Sep 19 '14 at 08:56