Just so your only response isn't monksnake, I'll chip in my two cents by giving a radically different answer.
I usually put it into server side includes file and put an asp extension on it.
At some point you have to determine when a solution is "good enough". The end user does not see the code in the ASP file, only the HTMl that is generated. So as long as you don't Response.Write the connection string, put it in a javascript comment, etc. then you are safe enough keeping it in it's own include file.
Now, while it is possible that someone could either hack into your system and read the file or find an exploit for IIS that allows them to read the file, you really have bigger problems then them being able to log into your database at this point.
One additional piece of security if your using something like SQL Server (not Access): Setup a user specifically for the website connection, build everything as stored procedures, then lockdown that users access to only allow execution of the stored procedures. Now even if someone does manage to get access tot he include file they are left with the choice of guessing a new username/password or finding something else on the system to monkey with. My bet is that in this exceedingly unlikely case they probably will go find something else to mess with.
And it means that if you one day hire an outside developer to work on the site you aren't also giving them the keys to the database.
Sorry, just some long-winded thoughts
-T
Best MS KB Ever:
![[monkey]](/data/assets/smilies/monkey.gif "[monkey] [monkey]")
![[snake]](/data/assets/smilies/snake.gif "[snake] [snake]")
<.![[smile]](/data/assets/smilies/smile.gif "[smile] [smile]")
.