asp_databases thread: Re: How to increase DB-security?
Message #1 by Cecil Westerhoff <DecebalComputing@x...> on Mon, 13 May 2002 20:52:22 +0200
On Monday 13 May 2002 20:13, you wrote:
> Right now I'm running an Access-database for my site and I just thought
> "oops" when I one day realized you just have to write the DB-path in the
> address-field and you will be able to download the database. Or that's at
> least what I could do when trying. I guess there has to be some easy way of
> preventing this from being possible? I haven't really thought about it
> before and I now see why it's pretty easy to go through password protections
> with databases involved if you just try to find the database, right? Could
> someone help me by telling how I can make this work? Maybe the folder
> containing the DB doesn't need to have read-rights? Can't you do that with
> the ADO-properties? Ahh.. however.. Please help! =) Tnx!
Put the database outside the website directory and only your ASP-code can
access it.
Message #2 by "Giovanni Salucci" <g.salucci@n...> on Mon, 13 May 2002 20:45:16 +0200
A solution is to put the db in a folder not in the web root.
This folder must have read/write permission to let the
db interact with your ASP application.
You can create FTP access to that folder to change/maintain
the db, if you need.
HTH
> ......download the database. Or that's at
> least what I could do when trying. I guess there has to be some easy way of
> preventing this from being possible?
Message #3 by "SD-Studios" <info@s...> on Mon, 13 May 2002 20:13:13 +0200
Right now I'm running an Access-database for my site and I just thought
"oops" when I one day realized you just have to write the DB-path in the
address-field and you will be able to download the database. Or that's at
least what I could do when trying. I guess there has to be some easy way of
preventing this from being possible? I haven't really thought about it
before and I now see why it's pretty easy to go through password protections
with databases involved if you just try to find the database, right? Could
someone help me by telling how I can make this work? Maybe the folder
containing the DB doesn't need to have read-rights? Can't you do that with the
ADO-properties? Ahh.. however.. Please help! =) Tnx!
--
Martin Johansson
+46 (0)70-3003320
Message #4 by "Tim Morgan" <EastCoastPilot@H...> on Wed, 22 May 2002 02:59:37
Good suggestions. It works for protecting it from people browsing via
Internet Explorer using a virtual path. However, that wouldn't protect it
from the server administrator that had access to the physical path. Is it
possible to set a password in Access and pass that userid and password
information appended to the connection string when connecting to the
database?
Tim
> On Monday 13 May 2002 20:13, you wrote:
> > Right now I'm running an Access-database for my site and I just thought
> > "oops" when I one day realized you just have to write the DB-path in the
> > address-field and you will be able to download the database. Or that's at
> > least what I could do when trying. I guess there has to be some easy way of
> > preventing this from being possible? I haven't really thought about it
> > before and I now see why it's pretty easy to go through password protections
> > with databases involved if you just try to find the database, right? Could
> > someone help me by telling how I can make this work? Maybe the folder
> > containing the DB doesn't need to have read-rights? Can't you do that with
> > the ADO-properties? Ahh.. however.. Please help! =) Tnx!
> Put the database outside the website directory and only your ASP-code can
> access it.
Message #5 by Cecil Westerhoff <cwesterh@w...> on 22 May 2002 04:16:32 +0200
On Wed 22-05-2002, at 04:59, Tim Morgan wrote:
> Good suggestions. It works for protecting it from people browsing via
> Internet Explorer using a virtual path. However, that wouldn't protect it
> from the server administrator that had access to the physical path. Is it
> possible to set a password in Access and pass that userid and password
> information appended to the connection string when connecting to the
> database?
That is not very useful. The administrator can look at the source of your ASP
and find the userid and password.
Message #6 by "Tim Morgan" <eastcoastpilot@h...> on Wed, 22 May 2002 19:37:59
Ah, yes, the second option ("in Access Tools>Security>Set database password
and pass this password in your ASP connection string") is exactly what I
was/am trying to do. But it seems I have the exact syntax for doing this
wrong because I get the following error message:
Microsoft JET Database Engine (0x80040E4D)
Cannot start your application. The workgroup information file is missing.
It seems you know how to do this. Would you please give me the exact
format for passing the user id and password in the connection string? I
think I'm wrestling with something as simple as a ' instead of " or an
extra comma somewhere but nothing seems to work.
Tim
> Either deny *Read* Or *Browse* permission on directory in which database
> resides
> OR
> In MS Access 2000 Tools->Security->Set database password.. and pass this
> password in your ASP connection String
>
> > Right now I'm running an Access-database for my site and I just thought
> > "oops" when I one day realized you just have to write the DB-path in the
> > address-field and you will be able to download the database. Or that's at
> > least what I could do when trying. I guess there has to be some easy way of
> > preventing this from being possible? I haven't really thought about it
> > before and I now see why it's pretty easy to go through password protections
> > with databases involved if you just try to find the database, right? Could
> > someone help me by telling how I can make this work? Maybe the folder
> > containing the DB doesn't need to have read-rights? Can't you do that with
> > the ADO-properties? Ahh.. however.. Please help! =) Tnx!
> > --
> > Martin Johansson
> > +46 (0)70-3003320
Message #7 by Tom Achtenberg <toma@f...> on Wed, 22 May 2002 06:53:56 -0700
If you are that worried about your system administrator having access to your system, you have a lot
more to worry about than your code.
-----Original Message-----
From: Cecil Westerhoff [mailto:cwesterh@w...]
Sent: Tuesday, May 21, 2002 7:17 PM
To: ASP Databases
Subject: [asp_databases] Re: How to increase DB-security?
On Wed 22-05-2002, at 04:59, Tim Morgan wrote:
> Good suggestions. It works for protecting it from people browsing via
> Internet Explorer using a virtual path. However, that wouldn't protect it
> from the server administrator that had access to the physical path. Is it
> possible to set a password in Access and pass that userid and password
> information appended to the connection string when connecting to the
> database?
That is not very useful. The administrator can look at the source of your ASP
and find the userid and password.
Message #8 by Cecil Westerhoff <cwesterh@w...> on 22 May 2002 17:16:36 +0200
On Wed 22-05-2002, at 15:53, Tom Achtenberg wrote:
> If you are that worried about your system administrator having access to your system, you have a lot
> more to worry about than your code.
The original poster did not like the possibility that the administrator
could read his Access data. I only pointed out that his solution was not
a real solution. If the administrator can access your Access file, he
can also access your ASP-code and find the username and password. He was
worried, not me.
Message #9 by "Chirag Shah" <chiragiit@y...> on Wed, 22 May 2002 18:02:13
Either deny *Read* Or *Browse* permission on directory in which database
resides
OR
In MS Access 2000 Tools->Security->Set database password.. and pass this
password in your ASP connection String
> Right now I'm running an Access-database for my site and I just thought
> "oops" when I one day realized you just have to write the DB-path in the
> address-field and you will be able to download the database. Or that's at
> least what I could do when trying. I guess there has to be some easy way of
> preventing this from being possible? I haven't really thought about it
> before and I now see why it's pretty easy to go through password protections
> with databases involved if you just try to find the database, right? Could
> someone help me by telling how I can make this work? Maybe the folder
> containing the DB doesn't need to have read-rights? Can't you do that with
> the ADO-properties? Ahh.. however.. Please help! =) Tnx!
> --
> Martin Johansson
> +46 (0)70-3003320
Message #10 by Henri-François Depouille <hfdepouille@h...> on Wed, 22 May 2002 20:40:43 +0200
Why to put a password???
The only thing u have to do is to put your Data Base in a non shared
directory.
eg: you want to make a site in c:\site
don't share the directory c:\site but make 2 sub-directories: WWW and DB and
share only the directory WWW
c:\Site --> don't share
|--- c:\site\db --> don't share (data base directory)
|--- c:\site\www --> put this directory as your main http ;-)
So, it's impossible to download your data base.
----- Original Message -----
From: "Tim Morgan" <eastcoastpilot@h...>
To: "ASP Databases" <asp_databases@p...>
Sent: Wednesday, May 22, 2002 7:37 PM
Subject: [asp_databases] Re: How to increase DB-security?
> Ah, yes, the second option ("in Access Tools>Security>Set database password
> and pass this password in your ASP connection string") is exactly what I
> was/am trying to do. But it seems I have the exact syntax for doing this
> wrong because I get the following error message:
>
> Microsoft JET Database Engine (0x80040E4D)
> Cannot start your application. The workgroup information file is missing.
>
> It seems you know how to do this. Would you please give me the exact
> format for passing the user id and password in the connection string? I
> think I'm wrestling with something as simple as a ' instead of " or an
> extra comma somewhere but nothing seems to work.
>
> Tim
>
> > Either deny *Read* Or *Browse* permission on directory in which database
> > resides
> > OR
> > In MS Access 2000 Tools->Security->Set database password.. and pass this
> > password in your ASP connection String
> >
> > > Right now I'm running an Access-database for my site and I just thought
> > > "oops" when I one day realized you just have to write the DB-path in the
> > > address-field and you will be able to download the database. Or that's at
> > > least what I could do when trying. I guess there has to be some easy way of
> > > preventing this from being possible? I haven't really thought about it
> > > before and I now see why it's pretty easy to go through password protections
> > > with databases involved if you just try to find the database, right? Could
> > > someone help me by telling how I can make this work? Maybe the folder
> > > containing the DB doesn't need to have read-rights? Can't you do that with
> > > the ADO-properties? Ahh.. however.. Please help! =) Tnx!
> > > --
> > > Martin Johansson
> > > +46 (0)70-3003320
Message #11 by "Tim Morgan" <EastCoastPilot@H...> on Thu, 23 May 2002 01:41:33
I was trying to put in a password and pass it with the database connection
string because the Wrox ASP 3.0 textbook strongly recommended this for
security reasons. Ironically, they did not mention putting it in a
non-shared directory. I'm not saying that putting it in another directory
wouldn't help but it appears that the authors know of some other problems
with not passwording the database (which they didn't elaborate on).
Tim
> Why to put a password???
> The only thing u have to do is to put your Data Base in a non shared
> directory.
> eg: you want to make a site in c:\site
> don't share the directory c:\site but make 2 sub-directories: WWW and DB and
> share only the directory WWW
> c:\Site --> don't share
> |--- c:\site\db --> don't share (data base directory)
> |--- c:\site\www --> put this directory as your main http ;-)
> So, it's impossible to download your data base.
> ----- Original Message -----
> From: "Tim Morgan" <eastcoastpilot@h...>
> To: "ASP Databases" <asp_databases@p...>
> Sent: Wednesday, May 22, 2002 7:37 PM
> Subject: [asp_databases] Re: How to increase DB-security?
> > Ah, yes, the second option ("in Access Tools>Security>Set database password
> > and pass this password in your ASP connection string") is exactly what I
> > was/am trying to do. But it seems I have the exact syntax for doing this
> > wrong because I get the following error message:
> >
> > Microsoft JET Database Engine (0x80040E4D)
> > Cannot start your application. The workgroup information file is missing.
> >
> > It seems you know how to do this. Would you please give me the exact
> > format for passing the user id and password in the connection string? I
> > think I'm wrestling with something as simple as a ' instead of " or an
> > extra comma somewhere but nothing seems to work.
> >
> > Tim
> >
> > > Either deny *Read* Or *Browse* permission on directory in which database
> > > resides
> > > OR
> > > In MS Access 2000 Tools->Security->Set database password.. and pass this
> > > password in your ASP connection String
> > >
> > > > Right now I'm running an Access-database for my site and I just thought
> > > > "oops" when I one day realized you just have to write the DB-path in the
> > > > address-field and you will be able to download the database. Or that's at
> > > > least what I could do when trying. I guess there has to be some easy way of
> > > > preventing this from being possible? I haven't really thought about it
> > > > before and I now see why it's pretty easy to go through password protections
> > > > with databases involved if you just try to find the database, right? Could
> > > > someone help me by telling how I can make this work? Maybe the folder
> > > > containing the DB doesn't need to have read-rights? Can't you do that with
> > > > the ADO-properties? Ahh.. however.. Please help! =) Tnx!
> > > > --
> > > > Martin Johansson
> > > > +46 (0)70-3003320
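Added example, not part of the original thread: a classic ASP (VBScript) include that opens the database from the non-shared c:\site\db directory of message #10 and passes the Access database password asked about in message #6. With the Jet OLEDB provider that password goes in the "Jet OLEDB:Database Password" property; the generic "User ID"/"Password" keywords refer to user-level (workgroup) security, which is what raises the "workgroup information file is missing" error. The file name site.mdb, the password placeholder and the function names are assumptions.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. DB_FILE, DB_PASSWORD and the
' function names are hypothetical; the directory layout is message #10's.
Const DB_FILE = "c:\site\db\site.mdb"      ' physical path outside c:\site\www
Const DB_PASSWORD = "PLACEHOLDER-PASSWORD" ' visible to anyone who can read
                                           ' this source (see message #5)

' True when path lies inside the directory IIS serves as the site root,
' i.e. when the file could be requested by typing its URL.
Function IsUnderWebRoot(path)
    Dim root
    root = LCase(Server.MapPath("/"))
    If Right(root, 1) <> "\" Then root = root & "\"
    IsUnderWebRoot = (Left(LCase(path), Len(root)) = root)
End Function

' Opens the password-protected .mdb, refusing to run if the file has been
' moved somewhere a browser can download it from.
Function OpenSiteDb()
    Dim conn
    If IsUnderWebRoot(DB_FILE) Then
        Err.Raise vbObjectError + 1, "OpenSiteDb", _
            "Database file is inside the web root and can be downloaded"
    End If
    Set conn = Server.CreateObject("ADODB.Connection")
    ' A database password set via Tools->Security->Set Database Password is
    ' passed as a provider-specific property, not as User ID / Password.
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
              "Data Source=" & DB_FILE & ";" & _
              "Jet OLEDB:Database Password=" & DB_PASSWORD & ";"
    Set OpenSiteDb = conn
End Function

' Usage: open, work with the connection, then release it.
Dim db
Set db = OpenSiteDb()
' ... run queries through db here ...
db.Close
Set db = Nothing
%>
```

The IIS account still needs read/write NTFS permission on c:\site\db, as message #2 notes, because Jet creates its lock file next to the .mdb.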