p2p.wrox.com Forums


asp_databases thread: Database Security


Message #1 by Adil Hindistan <Adilhn@y...> on Tue, 19 Dec 2000 17:07:00 +0200
I am not sure if this subject was discussed before but I need some advice to secure the database (especially .mdb files). First of all, it is possible to type the full path (if it is known) of the database and receive the file. A friend of mine suggested that I remove the read access of the database from the IIS. This seems to work but I am not sure up to what extent this can be thought of as secure.

Also, to be able to update the database, we need to give write access to the mdb file, which makes me anxious too. What if someone is able to upload his own .asp file to modify the database (a case that recently happened to a friend)? Using passwords for opening databases and using DNS seem to be some nice practices, as using DNS gives you the ability to move the database to a folder outside the Web site. But I prefer OLEDB (so this is not an option for me).

I would be glad to see some URL on this subject, if one exists.

Thanks

Adil Hindistan, CE-93
www.scorion.net
ICQ:26477783



--- 

FREE SOFTWARE DEVELOPMENT CODE, CONTENT, AND INSIGHTS IN YOUR INBOX!
Get the latest and best C++, Visual C++, Java, Visual Basic, and XML tips, tools, and developments from the experts. Sign up for one or more of EarthWeb's FREE IT newsletters at http://www.earthweb.com today!

---

You are currently subscribed to asp_databases as: $subst('Recip.EmailAddr')

To unsubscribe send a blank email to leave-asp_databases-$subst('Recip.MemberIDChar')@p2p.wrox.com

Message #2 by pdf@b... on Tue, 19 Dec 2000 12:11:37 -0500

One suggestion would be to keep the database in a directory that is not accessible via the web. Using IIS for an example, if your site is stored in \Inetpub\wwwroot\ then put the database in the \Inetpub\ directory and use ODBC to set up the connection to it. That way, you can't get to it with an http connection.

-Peter Foti


Message #3 by techcon3000@y... on Wed, 20 Dec 2000 05:09:02 -0000
You really have a couple of options.  You could use an ODBC connection to the database, however you run
into a problem with the number of simultaneous users you can have connected to the database.  With Access, this should be a major
concern as it is already very limited in this area.  Like you stated, the best option is an OLEDB connection to the database.  Below
is a connection string that I used for a SQL server datafile residing on the same system as IIS.  Your data file does not need to be
in the same folder as the site's pages.  As you can see, the location of the file is mapped in the connection string (under the
"Initial File Name")



    ' Note: the SQLOLEDB keyword is "User ID" (with a space); "UserID" is not recognised.
    Dim strConnect
    strConnect = "Provider=SQLOLEDB;Persist Security Info=False;" & _
                 "User ID=userid;Password=password;" & _
                 "Initial Catalog=catalogname;" & _
                 "Initial File Name=C:\MSSQL7\Data\file.MDF"

    ' Open an ADO connection using the string above
    Dim objConn
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open strConnect



Please forgive the fact that this connection string uses a SQL server to connect to.  I haven't used Access for the connection
string in quite some time and this is all that I have available.  Make sure you change the "Provider", "UserID", "Password",
"Catalog" (which is the table), and "Initial File Name" information in the string.



As for your problem of someone uploading their own ASP page to IIS, you will need to go into the properties for your site through
the IIS management console and update the settings there so that the visitors are unable to post to the site.  If you wanted to, you
could set up a specific web user on the database with the permissions that you wanted the user to have.  Then, in the connection
string above, you would set up the UserID and Password to have that info.



Let me know if this helps,

Travis


Message #4 by Adil Hindistan <Adilhn@y...> on Wed, 20 Dec 2000 09:52:23 +0200
Well, sure it helps. I've marked your post as I'll need it later, when I'm moving to SQL.

I think that there must be a similar OLEDB statement to use with Access but honestly I even failed to manage to retrieve data from password protected mdb files (I remember posting here my cry for help :) ).

I've been notified by Wrox Staff that there is a new list dedicated to database security and they posted my message there, but I just realized that it is the first message in that list :)

Anyway, I'll be happy to see further suggestions here but I think I'll have to dig in usenet too.

Adil Hindistan, CE-93
www.scorion.net
ICQ:26477783




Message #5 by techcon3000@y... on Wed, 20 Dec 2000 15:59:29 -0000
I found a sample on the Wrox site of an Access connection string:



  objConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
               "Data Source=C:\datastores\Movie2000.mdb;" & _
               "Persist Security Info=False"



Maybe this will help more than the SQL string. :)



Travis
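An added check (my code, not from the thread or the Wrox samples) that applies this thread's advice to a connection string: the .mdb is referenced by an absolute path outside the web root, and Persist Security Info is off. It assumes Peter's layout, site in \Inetpub\wwwroot, and uses Python's ntpath so the Windows path handling runs on any platform:

```python
# Added example: static check of an ADO/OLE DB connection string against the
# advice in this thread (file outside the web root, absolute path, no
# persisted password). Paths are Windows-style, handled via ntpath.
import ntpath

# Assumed layout from the thread: site in \Inetpub\wwwroot, data in \Inetpub.
WEB_ROOT = r"C:\Inetpub\wwwroot"


def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict with lower-cased, trimmed keys."""
    keys = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            keys[key.strip().lower()] = value.strip()
    return keys


def is_under(path, root):
    """True if the Windows path lies inside root after normalising '..', '/' and case."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def check_connection_string(conn, web_root=WEB_ROOT):
    """Return a list of findings; an empty list means the string follows the advice."""
    keys = parse_connection_string(conn)
    findings = []
    # Jet uses 'Data Source'; SQLOLEDB with an attached file uses 'Initial File Name'.
    db_path = keys.get("data source") or keys.get("initial file name")
    if not db_path:
        findings.append("no database file path in connection string")
    elif not ntpath.isabs(db_path):
        findings.append("database path is relative; use an absolute path")
    elif is_under(db_path, web_root):
        findings.append("database file is inside the web root and may be fetched over HTTP")
    if keys.get("persist security info", "false").lower() == "true":
        findings.append("Persist Security Info=True keeps the password in the connection object")
    return findings


if __name__ == "__main__":
    # Constructed samples: the Jet string from the thread, and a risky variant.
    good = ("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\datastores\\Movie2000.mdb;"
            "Persist Security Info=False")
    bad = ("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\Inetpub\\wwwroot\\db\\site.mdb;"
           "Persist Security Info=True")
    print(check_connection_string(good))
    print(check_connection_string(bad))
```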




Message #6 by Adil Hindistan <Adilhn@y...> on Thu, 21 Dec 2000 11:52:42 +0200
Oops, how did I miss that? It's indeed possible to use an absolute path instead of a relative one :)

Thanks for reminding me

Adil Hindistan, CE-93
www.scorion.net
ICQ:26477783




