View Full Version : Security

02-08-2003, 02:12 AM
I was wondering: I am considering using a user name / login page with ASP, and I was wondering how secure ASP is for real! I mean, I understand everything is server side, and it seems that when you try to directly download a file it only downloads the HTML part of the file, which is great, but how do you stop people from directly accessing the database file? Say someone figures out what the name of the .mdb file is and does a direct link to that file and downloads it, or creates their own ASP page that accesses it through the web to view the info from the database.

I guess what I am asking is how do you stop that! :)

02-08-2003, 02:51 AM
Well, some hosts have a database directory that is above the website directory. So when you specify the path to the file you have to do "./mydb.mdb" versus "mydb.mdb", so you can't see the file from the web.

Also if you are that concerned with security, use MySQL instead of Access. Then there isn't a file in the website root to download at all.

You also can password protect Access databases, I believe.

02-08-2003, 02:53 AM
Well the safest way is to have the database file outside of your directory.

Like say your site is http://www.serviceprovider.com/~yoursite and the physical location is c:\inetpub\wwwroot\hostedusers\yoursite then storing your database in c:\databases would be completely out of reach of users trying to access it via linking to it.

Also, as far as I'm aware you can't link to .mdb files across the net like you can on MySQL and msSQL. :)

02-08-2003, 02:55 AM
Doh! Same post time roughly. :)

02-08-2003, 08:50 AM
Ok, so I was wondering: say that I do decide to put the file.mdb in, say, c:\Database\asp\file.mdb for example, and my ASP file is located, say, on E:\webserver\website1\file.asp. How would I reference the file.mdb? If I put a literal path of C:\Database\asp\file.mdb in the website then it returns the following:

"The Path parameter for the MapPath method must be a virtual path. A physical path was used."


Oh, and to the first reference using ./file.mdb: where do I put the file.mdb in the physical path? Say, referencing the following:
i.e. E:\webserver\website1\file.asp


02-08-2003, 11:19 AM
' Take the web root's physical path, strip its last folder to get the parent,
' then point Jet at a "database" folder that sits beside (not inside) the site.
sConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & _
Mid(Server.MapPath("\"), 1, InStrRev(Server.MapPath("\"),"\")-1) & "\database\databasename.mdb;" & _
"Persist Security Info=False;"

Always works for me....

02-08-2003, 11:24 AM
P.S. You probably also want to strip out unwanted characters from a login screen, for instance limiting what is processed to alphanumeric characters, like:

' Strip everything except ASCII letters and digits from a submitted value.
Function ExtractAlphaNumeric(byVal str)
    If IsNull(str) Then str = ""        ' guard against a Null value
    Dim eanRegEx
    Set eanRegEx = New RegExp
    eanRegEx.Pattern = "[^a-zA-Z0-9]"   ' any character that is not alphanumeric
    eanRegEx.Global = True              ' replace every match, not just the first
    ExtractAlphaNumeric = eanRegEx.Replace(str, "")
    Set eanRegEx = Nothing
End Function

username = ExtractAlphaNumeric(Request.Form("username"))

Of course, in that case you also want to make sure that they can only use such characters when registering.

I haven't brought this up before, but there's a good reason for doing this, mainly called "SQL Injection attacks". Basically you want to keep malicious people from being able to execute SQL statements that could be written in your login fields.
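
The whitelist above limits what reaches the query, but the direct fix for the injection problem the post describes is to bind the login value as a parameter so it can never be parsed as SQL. The following is an added example, not the poster's script; it assumes a "Users" table with "UserID" and "Username" columns, a 50-character username field, and the sConnString and ExtractAlphaNumeric from earlier in the thread.

```vbscript
' Added example (not from the thread): look a user up with a bound parameter.
' Assumed: table "Users" with columns "UserID" and "Username" (50 chars max).
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Returns the UserID for an existing username, or -1 if no row matches.
' Whatever characters the caller passes in, the value is treated as data,
' never spliced into the SQL text.
Function LookupUserID(connString, username)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connString

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is filled in by the Jet provider; no quoting needed.
    cmd.CommandText = "SELECT UserID FROM Users WHERE Username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)

    Set rs = cmd.Execute
    If rs.EOF Then
        LookupUserID = -1
    Else
        LookupUserID = rs("UserID")
    End If
    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing
End Function

' Keep the whitelist filter from the thread as a first line of defence,
' then bind the result anyway; the two measures do not depend on each other.
Dim username, userId
username = ExtractAlphaNumeric(Request.Form("username"))
userId = LookupUserID(sConnString, username)
If userId = -1 Then
    Response.Write "Login failed."
Else
    ' Verify the submitted password against the credential stored for userId
    ' here; bind that value the same way rather than concatenating it.
End If
```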

02-08-2003, 11:53 AM
P.S. I have a prefabricated registration/login script with the correct directory structure and everything already set up available here:


It also contains a simple database query tool compliments of webmonkey.com, be sure to password protect that!

02-08-2003, 02:47 PM
You don't use mappath() with a physical path.

MapPath("db\mydb.mdb") will map the physical path to the file off the root of your site folder.

So if your website is in the folder "\mysite\" which is in the "webserver" folder on drive "e:\" using mappath("db\mydb.mdb") will complete the physical path "e:\webserver\mysite\db\mydb.mdb". That is all it is doing, mapping the physical path.

So to do it you just leave out the mappath() function.

Connection.Open "DRIVER={microsoft Access Driver (*.mdb)}; DBQ=E:\webserver\mysite\db\mydb.mdb;"


02-10-2003, 10:46 AM
Ok, those are all great ideas! But I have noticed that when you do a view source on the ASP file you can't see the DB info anyhow! So I was wondering (not that I want to be able to, nor do I want others to be able to): is there a way someone can view the original ASP source code, maybe a glitch in something that was exposed but not patched properly?

02-10-2003, 03:11 PM
They shouldn't be able to. There have been security bugs and exploits in the past that have allowed people to view ASP code, which is extremely dangerous. As of right now there are no widespread, known flaws if your webserver is up to date.

02-10-2003, 10:13 PM
That's great to know :)