The 4 Guys Present: ASPFAQs.com



Question:

How can I secure an Access database that I use on my Web site? That is, I don't want users to be able to guess the URL of my Access .mdb file and download my database!



Answer: When creating Web applications with an Access database, developers often save the Access database to a Web-accessible folder. That is, they may save the actual .mdb file as C:\INetPub\wwwroot\MyDB.mdb. The downside to this approach is that anyone who knows (or can guess) the URL to the .mdb file can download the Access database and examine all of your information.

While the risk of a user guessing the URL to your Access database's .mdb file may seem low, it is always present. Also, if there is an error in connecting to the database, or an error in an include file, a user may be able to easily find out the URL to your Access database. (For more information on the potential security hole concerning include files, be sure to read: Security Alert - Using includes Improperly from non-Debugged ASP Pages can allow Visitors to View your source code.)

To answer this question of how to protect your Access database's .mdb file, we turn to an ASPMessageboard.com post from Chris:

*** BEGIN QUOTE ***
The way to do it is to put your database in a location that is only accessible on the server-side, not client-side. The key to this is putting it in a directory that is higher than the wwwroot.
If you're running your own server (e.g., IIS) do it like this:

[my website]
--[html]
--[private]

Put the content of your website (e.g., images, .htm pages, .asp pages) in the [html] directory, and make this the wwwroot. Put things you want hidden from the client in the [private] directory. When you need to access things in the [private] directory (e.g., your database) you can directly reference the path on the server, or work it out.

So, FileName = "C:\my website\private\my database.mdb"
Or, FileName = Replace(Server.MapPath("\"), "html", "private") & "\my database.mdb"

If you're not running your own server then look on your host's server for a directory above the root called "private" or "data" or something. If you can't find it, email them.
*** END QUOTE ***

Also, for more information on how to configure folders so that they cannot be visited via the Web, be sure to read this helpful article: How to configure HTTP READ-Protected Folders!

There you have it! An easy way to protect your Access database file. Happy Programming!
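A check to run after moving the database, added here as an example and not part of the original FAQ or of Chris's post: this Python script walks the web root, lists every .mdb file that is still reachable by URL, and confirms that the configured database path lies outside the root. The function names are hypothetical, and the script assumes that each file under the web root is served at the matching URL path.

```python
"""Audit helper (added example): find Access databases that a browser could download."""
import os
from pathlib import Path
from urllib.parse import quote

DB_EXTENSIONS = {".mdb"}  # the file type this FAQ discusses


def is_inside(path, root):
    """True if path is root itself or lies anywhere beneath it."""
    path, root = Path(path).resolve(), Path(root).resolve()
    return path == root or root in path.parents


def find_exposed_databases(web_root):
    """URL paths of database files stored under web_root.

    Assumption: every file under the web root is served at the matching URL
    path (no virtual directories or per-folder read protection).
    """
    root = Path(web_root).resolve()
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in DB_EXTENSIONS:
                rel = (Path(dirpath) / name).relative_to(root)
                exposed.append("/" + quote(rel.as_posix()))
    return sorted(exposed)


def check_layout(web_root, db_path):
    """Return findings; an empty list means the layout follows the advice above."""
    findings = []
    if is_inside(db_path, web_root):
        findings.append(f"configured database {db_path} is inside the web root")
    findings += [f"database reachable at {u}" for u in find_exposed_databases(web_root)]
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_mdb.py <web root> <database path>
    problems = check_layout(sys.argv[1], sys.argv[2])
    print("\n".join(problems) or "no database files under the web root")
    sys.exit(1 if problems else 0)
```

An empty result only covers files on disk under the one root you pass in; a host that maps additional folders into the site needs each of those roots checked as well.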

FAQ posted by Scott Mitchell at 8/24/2001 10:12:26 AM to the Databases, General category. This FAQ has been viewed 81,254 times.
