Database Security

Discussion in 'Databases' started by Mpressler, Jun 6, 2003.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. My website is www.madvisory.com.

    If I upload an access database named "db" to the root directory, a user can type in www.madvisory.com/db.mdb and can proceed to download the database.

    On other webhosts, when I FTP in, I can get access not only to the www folder (which is really the root directory), but also to a folder called db, which exists above the root. This folder cannot be accessed by someone going to www.madvisory.com, but can be accessed by my asp pages. This doesn't seem to be the case on discountasp.net

    Does anyone have any thoughts on database security (other than putting a password on my database file)?

    Thanks,
    Matt
     
  2. Bruce

    Bruce DiscountASP.NET Staff

    Try put it into the cgi-bin directory which doesn't have any IIS read permission (different from NTFS permission)

    quote:Originally posted by Mpressler

    My website is www.madvisory.com.

    If I upload an access database named "db" to the root directory, a user can type in www.madvisory.com/db.mdb and can proceed to download the database.

    On other webhosts, when I FTP in, I can get access not only to the www folder (which is really the root directory), but also to a folder called db, which exists above the root. This folder cannot be accessed by someone going to www.madvisory.com, but can be accessed by my asp pages. This doesn't seem to be the case on discountasp.net

    Does anyone have any thoughts on database security (other than putting a password on my database file)?

    Thanks,
    Matt
    </blockquote id="quote"></font id="quote">
     
  3. Wouldn't that be a problem if you have a DB you want to have online? I have pretty much this exact question. I put up a webforum and the documentation makes it clear that you should put the DB outside of the Web path. But that does not seem possible.

    quote:Originally posted by bruce

    Try put it into the cgi-bin directory which doesn't have any IIS read permission (different from NTFS permission)

    quote:Originally posted by Mpressler

    My website is www.madvisory.com.

    If I upload an access database named "db" to the root directory, a user can type in www.madvisory.com/db.mdb and can proceed to download the database.

    On other webhosts, when I FTP in, I can get access not only to the www folder (which is really the root directory), but also to a folder called db, which exists above the root. This folder cannot be accessed by someone going to www.madvisory.com, but can be accessed by my asp pages. This doesn't seem to be the case on discountasp.net

    Does anyone have any thoughts on database security (other than putting a password on my database file)?

    Thanks,
    Matt
    </blockquote id="quote"></font id="quote">
    </blockquote id="quote"></font id="quote">
     
  4. Bruce

    Bruce DiscountASP.NET Staff

    If IIS read permission is disabled, you should have no problem at all.

    quote:Originally posted by mczet

    Wouldn't that be a problem if you have a DB you want to have online? I have pretty much this exact question. I put up a webforum and the documentation makes it clear that you should put the DB outside of the Web path. But that does not seem possible.

    quote:Originally posted by bruce

    Try put it into the cgi-bin directory which doesn't have any IIS read permission (different from NTFS permission)

    quote:Originally posted by Mpressler

    My website is www.madvisory.com.

    If I upload an access database named "db" to the root directory, a user can type in www.madvisory.com/db.mdb and can proceed to download the database.

    On other webhosts, when I FTP in, I can get access not only to the www folder (which is really the root directory), but also to a folder called db, which exists above the root. This folder cannot be accessed by someone going to www.madvisory.com, but can be accessed by my asp pages. This doesn't seem to be the case on discountasp.net

    Does anyone have any thoughts on database security (other than putting a password on my database file)?

    Thanks,
    Matt
    </blockquote id="quote"></font id="quote">
    </blockquote id="quote"></font id="quote">
    </blockquote id="quote"></font id="quote">
     
Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.

Share This Page