DBs are isolated as a rule and work through the API layer. The client should not have any connection strings anywhere.
The connection string will be in web.config or appsettings.json on the server.

Such is the selyavi, you can try to hide the login and password in the obfuscated code, but this will protect only from users and not from a hacker / knowledgeable person, though it will make this task expensive.
In practice, they usually do this, if you have a desktop application and users connect to the database with its help, you can ask them for a login and password (i.e. the connection string is just the ip and port of the database), i.e. the database will be responsible for authorization and authentication.
ps password authorization is a relic of the past;) a beautiful example - you can authorize using a qr-code generated by an application on a mobile phone (and there is a timecode like google authenticator) and shoot it through a webcam (even the cheapest ones will do, I remember buying one for 70r , even backlit), give authorization codes to users in person.

Use DSN connection

Integrated security must be used, well, and triggers for changes. You will know who changed, if anything

Stitching the login and password into the application is a very bad approach.
To work with the database, you need to create database users and give them access rights to data. Then the user will enter his login / password every time and all responsibility for safety will be on his shoulders.
Access rights should also be thoughtfully distributed, a normal user should have maximum rights to DML. And DDL and DCL should be completely banned.
In special cases, when there is very important data, access to tables is also closed for reading and rights are given only to call certain Stored Procedures, through which the display of data is filtered in accordance with the access level.