
Thread: Security

  1. #1 Regular Coder (Join Date: Jul 2002, Posts: 617)

    Security

    I am considering using a user name / login page with ASP, and I was wondering how secure ASP is for real. I understand everything is server side, and it seems that when you try to directly download a file it only downloads the HTML part of the file, which is great. But how do you stop people from directly accessing the database file? Say someone figures out the name of the .mdb file and does a direct link to that file and downloads it, or creates their own ASP page that accesses it through the web to view the info from the database on the page.

    I guess what I am asking is: how do you stop that?

  • #2 Rockstar Coder (Join Date: Jun 2002, Posts: 9,074)
    Well, some hosts have a database directory that is above the website directory. So when you specify the path to the file you have to use "./mydb.mdb" rather than "mydb.mdb", so that the file can't be seen from the web.

    Also if you are that concerned with security, use MySQL instead of Access. Then there isn't a file in the website root to download at all.

    You also can password protect Access dbases I believe.
    OracleGuy

  • #3 Mhtml, Senior Coder (Join Date: Jun 2002, Posts: 3,531)
    Well the safest way is to have the database file outside of your directory.

    Like say your site is http://www.serviceprovider.com/~yoursite and the physical location is c:\inetpub\wwwroot\hostedusers\yoursite then storing your database in c:\databases would be completely out of reach of users trying to access it via linking to it.

    Also, as far as I'm aware you can't link to .mdb files across the net like you can on MySQL and msSQL.
    Omnis mico antequam dominus Spookster!

  • #4 Mhtml, Senior Coder (Join Date: Jun 2002, Posts: 3,531)
    Doh! Same post time roughly.
    Omnis mico antequam dominus Spookster!

  • #5 Regular Coder (Join Date: Jul 2002, Posts: 617)
    Ok, so say I decide to put file.mdb in, for example, C:\Database\asp\file.mdb, and my ASP file is located on E:\webserver\website1\file.asp. How would I reference file.mdb? If I put a literal path of C:\Database\asp\file.mdb in the website, it returns the following:

    "The Path parameter for the MapPath method must be a virtual path. A physical path was used."

    Oh, and regarding the first reply, using ./file.mdb: where do I put file.mdb in the physical path? Say I am referencing it from the following:
    i.e. E:\webserver\website1\file.asp


  • #6 Senior Coder (Join Date: Jun 2002, Posts: 3,660)
    Code:
    ' Server.MapPath("\") returns the physical site root (e.g. E:\webserver\mysite).
    ' InStrRev finds the last backslash and Mid keeps everything before it, so the
    ' database is opened from a "database" folder beside the site root
    ' (e.g. E:\webserver\database\databasename.mdb), which the site does not serve.
    sConnString = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & _
        Mid(Server.MapPath("\"), 1, InStrRev(Server.MapPath("\"),"\")-1) & "\database\databasename.mdb;" & _
        "Persist Security Info=False;"

    Always works for me....
    Former ASP Forum Moderator - I'm back!

    If you can teach yourself how to learn, you can learn anything. ;)

  • #7 Senior Coder (Join Date: Jun 2002, Posts: 3,660)
    P.S. You probably also want to strip out unwanted characters from a login screen, for instance limiting what is processed to alphanumeric characters, like:

    Code:
    ' Strips every character that is not A-Z, a-z or 0-9, so quotes and other
    ' SQL metacharacters never reach the query.
    Function ExtractAlphaNumeric(byVal str)
       If IsNull(str) Then str = ""    ' guard against Null input
       Dim eanRegEx
       Set eanRegEx = New RegExp
       eanRegEx.Pattern = "[^a-zA-Z0-9]"
       eanRegEx.Global = True          ' replace every match, not just the first
       ExtractAlphaNumeric = eanRegEx.Replace(str,"")
    End Function

    username = ExtractAlphaNumeric(Request.Form("username"))
    Of course, in that case you also want to make sure that they can only use such characters when registering.

    I haven't brought this up before, but there's a good reason for doing this, mainly called "SQL Injection attacks". Basically you want to keep malicious people from being able to execute SQL statements that could be written in your login fields.
    Former ASP Forum Moderator - I'm back!

    If you can teach yourself how to learn, you can learn anything. ;)
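    The whitelist in post #7 keeps quotes out of the query, but it also dictates which usernames are possible and does nothing for fields that legitimately need other characters. The robust fix is to stop building SQL by string concatenation. The following is an added example (editor's code, not the poster's script): the same login lookup written twice, once concatenated so an attacker can rewrite the WHERE clause, and once through an ADODB.Command with ? placeholders, which the Jet OLE DB provider accepts. The table and column names (Users, Username, Password), the C:\databases\site.mdb path and the form field names are assumptions; the ADO constant values are the standard ones from adovbs.inc.

```vbscript
<%
' Added example, not from the thread. Same login check written twice:
' LoginUnsafe splices form input into SQL text; LoginSafe passes the values
' as parameters so they can never change the query's structure.
' Assumptions: a table Users(Username, Password) in an Access file stored
' outside the web root at C:\databases\site.mdb.
Option Explicit

' ADO constants (normally from adovbs.inc), spelled out so this page runs
' without the include.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarWChar   = 202

Dim dbConn
dbConn = "Provider=Microsoft.Jet.OLEDB.4.0;" & _
         "Data Source=C:\databases\site.mdb;" & _
         "Persist Security Info=False;"

' VULNERABLE. Submitting   x' OR '1'='1   in both fields turns the filter into
'   WHERE Username='x' OR '1'='1' AND Password='x' OR '1'='1'
' which is true for every row, so the recordset is non-empty and the caller
' treats the attacker as logged in.
Function LoginUnsafe(username, password)
    Dim conn, rs, sql
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open dbConn
    sql = "SELECT Username FROM Users WHERE Username='" & username & _
          "' AND Password='" & password & "'"
    Set rs = conn.Execute(sql)
    LoginUnsafe = Not rs.EOF
    rs.Close
    conn.Close
End Function

' HARDENED. The SQL text is fixed; Jet receives the two values separately and
' compares them as data, quotes included, so the payload above simply fails
' to match any row.
Function LoginSafe(username, password)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open dbConn
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 255, username)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 255, password)
    Set rs = cmd.Execute
    LoginSafe = Not rs.EOF
    rs.Close
    conn.Close
End Function

' Usage from the login page: the raw form values go straight in. No character
' stripping is needed for the query to stay intact.
Dim loggedIn
loggedIn = LoginSafe(Request.Form("username"), Request.Form("password"))
If loggedIn Then
    Session("user") = Request.Form("username")
End If
%>
```

    Parameterising the query removes the injection; the alphanumeric filter from post #7 can still be applied on top as a business rule for what a username may look like, but it is no longer what keeps the SQL safe.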

  • #8 Senior Coder (Join Date: Jun 2002, Posts: 3,660)
    P.S. I have a prefabricated registration/login script with the correct directory structure and everything already set up available here:

    http://www.solidscripts.com/displayscript.asp?sid=12

    It also contains a simple database query tool compliments of webmonkey.com, be sure to password protect that!
    Former ASP Forum Moderator - I'm back!

    If you can teach yourself how to learn, you can learn anything. ;)

  • #9 Mhtml, Senior Coder (Join Date: Jun 2002, Posts: 3,531)
    You don't use mappath() with a physical path.

    MapPath("db\mydb.mdb") will map the physical path to the file off the root of your site folder.

    So if your website is in the folder "\mysite\" which is in the "webserver" folder on drive "e:\" using mappath("db\mydb.mdb") will complete the physical path "e:\webserver\mysite\db\mydb.mdb". That is all it is doing, mapping the physical path.

    So to do it you just leave out the MapPath() function. E.g.:
    Code:
    Connection.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=E:\webserver\mysite\db\mydb.mdb;"
    Omnis mico antequam dominus Spookster!
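    Putting posts #3, #6 and #9 together: an added example (editor's code, not from any poster) of a classic ASP page that derives the database path from a folder beside the web root, as #6 does, and then checks that the resolved file is not inside the tree IIS serves, which is the property every reply in this thread is after. The site root E:\webserver\mysite, the sibling folder name "databases" and the file name mydb.mdb are assumptions.

```vbscript
<%
' Added example, not from the thread. Builds the Access connection string from
' a physical path outside the web root and refuses to run if the file would
' actually be reachable through IIS.
' Assumptions: the site root is something like E:\webserver\mysite and the
' database lives in a sibling folder, E:\webserver\databases\mydb.mdb.
Option Explicit

' "E:\webserver\mysite" -> "E:\webserver". A drive root is returned unchanged.
Function ParentFolder(path)
    Dim p, pos
    p = path
    If Right(p, 1) = "\" Then p = Left(p, Len(p) - 1)
    pos = InStrRev(p, "\")
    If pos = 0 Then
        ParentFolder = p
    Else
        ParentFolder = Left(p, pos - 1)
    End If
End Function

' True if candidate is the web root or anything below it. NTFS paths are
' case-insensitive, so compare lower-cased, and compare with a trailing
' backslash so "E:\webserver\mysite2\x.mdb" is not mistaken for a file under
' root "E:\webserver\mysite".
Function IsUnderWebRoot(candidate, webRoot)
    Dim r
    r = LCase(webRoot)
    If Right(r, 1) <> "\" Then r = r & "\"
    IsUnderWebRoot = (Left(LCase(candidate) & "\", Len(r)) = r)
End Function

' MapPath takes a virtual path and returns the physical one, which is why the
' literal C:\ path in post #5 raised an error. "/" maps to the site root.
Dim webRoot, dbPath, conn
webRoot = Server.MapPath("/")
dbPath  = ParentFolder(webRoot) & "\databases\mydb.mdb"

If IsUnderWebRoot(dbPath, webRoot) Then
    ' A plain GET for /databases/mydb.mdb would hand out the whole database.
    Err.Raise vbObjectError + 513, "dbconfig", _
        "Refusing to open a database that is inside the web root: " & dbPath
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;" & _
          "Data Source=" & dbPath & ";" & _
          "Persist Security Info=False;"
%>
```

    The check only knows this site's own root. On a shared host, another site or virtual directory may be mapped onto the parent folder, in which case the .mdb is still downloadable through that site; the file has to be outside every served tree, not just this one, and the IIS account still needs read/write access to that folder for Jet to open it.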

  • #10 Regular Coder (Join Date: Jul 2002, Posts: 617)
    Ok, those are all great ideas! But I have noticed that when you do a view source on the ASP file you can't see the db info anyhow! So I was wondering (not that I want to be able to, or want others to be able to): is there a way someone can view the original ASP source code, maybe through a glitch in something that was exposed but not patched properly???

  • #11 Regular Coder (Join Date: Jan 2003, Posts: 867)
    They shouldn't be able to. There have been security bugs and exploits in the past that have allowed people to view ASP code, which is extremely dangerous. As of right now there are no widespread, known flaws if your web server is up to date.

  • #12 Regular Coder (Join Date: Jul 2002, Posts: 617)
    That's great to know.

