Classic ASP Databases Discuss using ASP 3 to work with data in databases, including ASP Database Setup issues from the old P2P forum on this specific subtopic. See also the book forum Beginning ASP.NET Databases for questions specific to that book. NOT for ASP.NET 1.0, 1.1, or 2.0.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the Classic ASP Databases section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

September 24th, 2003, 07:31 PM
Authorized User
Join Date: Sep 2003
Posts: 40
Thanks: 0
Thanked 0 Times in 0 Posts
Database security question
Is this an OK way to connect?
Dim objConn, DSNtemp
Set objConn = Server.CreateObject("ADODB.Connection")
' Jet OLE DB provider; the .mdb file is resolved relative to this page's folder
objConn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;" & _
    "Data Source=" & Server.MapPath("dbTest.mdb")

September 25th, 2003, 01:12 AM
Authorized User
Join Date: Sep 2003
Posts: 40
Thanks: 0
Thanked 0 Times in 0 Posts
I was told that you could go to http://www.yoursite.com/yourpath/dbTest.mdb and download my database. Is this a real concern?

September 25th, 2003, 02:36 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,212
Thanks: 0
Thanked 1 Time in 1 Post
Yes it is a concern. Ideally you need to put the database outside the webroot. Just make sure that the anonymous user (IUSR_machineName) has permissions to wherever you put the db.

January 26th, 2004, 10:11 PM
Authorized User
Join Date: Nov 2003
Posts: 44
Thanks: 0
Thanked 0 Times in 0 Posts
I am really interested in this one. Could you please give me more detail?
Thank you.
Quote:
Originally posted by pgtips
Quote:
Originally posted by TnTandyO
Yes it is a concern. Ideally you need to put the database outside the webroot. Just make sure that the anonymous user (IUSR_machineName) has permissions to wherever you put the db.

January 27th, 2004, 06:00 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,212
Thanks: 0
Thanked 1 Time in 1 Post
What other detail is there? If you put an Access database inside your web folders then it can be downloaded simply by typing in the path to the db as a url. The web server knows nothing about mdb files, so if a request is submitted to get the mdb file then the web server will just send it to the browser.

January 27th, 2004, 10:43 AM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
<s>Here's a working hack to this problem...
- Go into the website property in IIS manager.
- Go to "Home Directory" tab, "Configuration..."
- Under "Application Mappings", click "Add"
- Choose an executable, it could be notepad.exe. The one you choose will be irrelevant because it will never run.
- Put in the database file extension: ".mdb"
- Under "Verbs", choose "Limit To:" and enter "PUT"
- Click "OK", "OK", "OK"
This tells the web server how to handle .mdb files. It tells the server that .mdb files are limited to a PUT request (which you hardly ever see, most likely it's used with FrontPage for PUTting files onto a remote site). The likelihood of someone trying to PUT a .mdb file onto your site is pretty slim, but more importantly it eliminates the possibility of people GETting it. The result will be an HTTP 403.1 Forbidden error in the browser.</s>
Answer withdrawn because it's "dumb". (Despite being disclaimed as a hack.)
|

January 28th, 2004, 02:13 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts
There is a far better way of doing this. Put all the files you don't want downloaded into a single directory. In the IIS MMC Snapin, remove the "read" permission for that folder. IIS will not serve content from that folder.
In a hosting situation (where you host your website with a hosting provider), they will provide you with such a "secured" directory for placing your Access .mdb files.
Mapping .mdb files to notepad.exe is a dumb idea IMHO. What happens if you map it to something which ends up opening a dozen different copies of that program on the server?
Cheers
Ken
Microsoft MVP - Windows Server (IIS)
www.adOpenStatic.com

January 28th, 2004, 04:28 AM
Wrox Author
Join Date: Jun 2003
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
In addition to what Ken said (which is by far the most secure and clean way to do it), you can also set Integrated Security on the database and / or folder.
In IIS, open the Properties dialog for your folder (for example, /Databases) switch to the Security tab and click the Edit button. Clear Anonymous access and set Integrated Windows authentication.
Next, make sure that NTFS security settings are set on the (physical) folder. The IUSR account needs change permissions on the folder. Add any other account (like yourself), and remove other "general groups" like Users.
Now when you try to download the database, you'll be prompted for a user name and password. This allows you, the site's owner, to download the database over the Internet, for example for maintenance tasks.
Please note, allowing the database to be downloaded by anyone at all, is a security risk. It's usually much better to prevent the database from being downloaded at all. To do that, use Ken's advice, or move the database to a folder outside the Web scope, like C:\Databases. You'll then need to provide other mechanisms to content managers to edit the database. (Secure) FTP or the local network are good candidates for this.
Cheers,
Imar
---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
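
Added example (not part of the original thread, and not any poster's code): a Python audit for the advice above to keep Access databases out of the web scope. It lists database files stored under a web root, with the URL path at which each could be requested, and the scripts that open one through Server.MapPath. The function names, the wwwroot/Databases layout and default.asp are constructed for illustration.

```python
import os
import re
import tempfile

DB_EXTENSIONS = {".mdb", ".ldb"}  # Access database and its lock file
# Server.MapPath turns a virtual (URL) path into a physical one
MAPPATH_RE = re.compile(r'Server\.MapPath\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)


def _is_db(name):
    return os.path.splitext(name)[1].lower() in DB_EXTENSIONS


def _walk(webroot):
    """Yield (absolute path, path relative to the web root with / separators)."""
    webroot = os.path.abspath(webroot)
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(folder, name)
            yield full, os.path.relpath(full, webroot).replace(os.sep, "/")


def exposed_databases(webroot):
    """URL paths at which database files under the web root could be requested."""
    return sorted("/" + rel for _full, rel in _walk(webroot) if _is_db(rel))


def mappath_database_refs(webroot):
    """(script, argument) pairs where a script maps a database via Server.MapPath."""
    refs = []
    for full, rel in _walk(webroot):
        if rel.lower().endswith((".asp", ".inc")):
            with open(full, encoding="latin-1") as fh:
                refs += [(rel, arg) for arg in MAPPATH_RE.findall(fh.read()) if _is_db(arg)]
    return sorted(refs)


def build_sample_site():
    """Constructed sample: one database inside the web root, one outside it."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(webroot, "yourpath"))
    os.makedirs(os.path.join(base, "Databases"))
    open(os.path.join(webroot, "yourpath", "dbTest.mdb"), "wb").close()
    open(os.path.join(base, "Databases", "dbTest.mdb"), "wb").close()
    with open(os.path.join(webroot, "yourpath", "default.asp"), "w") as fh:
        fh.write('"Data Source=" & Server.MapPath ("dbTest.mdb")\n')
    return webroot


if __name__ == "__main__":
    root = build_sample_site()
    print(exposed_databases(root))
    print(mappath_database_refs(root))
```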

February 12th, 2004, 03:54 AM
Authorized User
Join Date: Nov 2003
Posts: 44
Thanks: 0
Thanked 0 Times in 0 Posts
Your message is very interesting. How can we update that database with the newer version? I mean, suppose we want to add more fields?
Many thanks
Sokha

February 13th, 2004, 02:11 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
I have my databases in a folder named 'x%' and it returns a bad request when you try to download the .mdb file within it.
Does anybody know if there is a workaround or hack to bypass this 'security'?