Permissions for Folders/Access DB to allow user to dynamically create their accounts on the Web

Discussion in 'Databases' started by amp, Jul 24, 2005.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. amp

    amp

    I want to allow users to create accounts, login, etc. using an Access DB. I am using ASP (but could use ASP.NET - VB).

    When I uploaded the files including the Database access code to DiscountASP.Net I could not access the database. If I set permissions (in the DiscountASP.Net Control Panel) to allow anonymous to have read/write rights, it worked. However, from a security standpoint, that would allow anyone to read, change, or download my .mdb file (Correct?).

    So how do I allow users to create an account (register) which means they would be writing to my database. Then next time they login I need to have them read from the database to verify login and password. (They will also need to be retrieving other info from the database later...and probably change data such a phone and email addresses.)

    Since there will be many users I cannot do this on an individual basis. It needs to be done dynamically without compromising the security of the database.

    Thank you...
    AMP
     
  2. Bruce

    Bruce DiscountASP.NET Staff

    Put the database file in the _database directory. This directory has special permissions that prohibit users from downloading your file.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  3. amp

    amp

    Thanks for the quick reply. I had already put the .mdb file in _database and had set the permissions of read|write to "allow" for that folder. I was just concerned that the database information could be compromised using a SQL statement (or whatever). There would not be any credit card/bank info, but it would contain email and street addresses which I would not want anyone to hack.

    Will the permissions on the _database folder handle that? If not, what would be your suggestion? Or are the chances of them determining the file, table, and field names so small that I should not worry about it.

    Thanks
    AMP
     
  4. One of the best ways to protect your database from rogue information being submitted through SQL statements is to use parameterized Access queries for all SELECT, INSERT, and UPDATE actions rather than building ad hoc SQL by concatenating SQL and user input.

    If you Google 'sql injection attack' you'll find many good articles on protecting your database from being compromised by SQL statements.
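    The parameterized approach described in the reply above, written out as an added example in classic ASP (it is not code posted by anyone in this thread). It assumes an Access file named site.mdb in the _database folder with a table Users(UserName TEXT(50), PasswordHash TEXT(64)), and that passwords are stored as hashes rather than clear text.

```vbscript
<%
Option Explicit
' Added example, not from the thread. Assumed layout: site.mdb in the _database
' folder, table Users(UserName TEXT(50), PasswordHash TEXT(64)); passwords are
' assumed to be stored hashed, never in clear text.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1, adExecuteNoRecords = 128
Dim connStr
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
          Server.MapPath("/_database/site.mdb")
' Unsafe pattern the reply warns against: input glued into the SQL text, so a
' quote character in the input changes the meaning of the statement.
' sql = "SELECT PasswordHash FROM Users WHERE UserName='" & Request.Form("user") & "'"

' Builds a command whose ? placeholders are bound to typed parameters. Jet
' receives the values as data, so they are never parsed as part of the SQL.
Function NewCommand(conn, sqlText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sqlText
    Set NewCommand = cmd
End Function

' Registration: INSERT with both values bound as parameters (? order matters).
Sub RegisterUser(userName, passwordHash)
    Dim conn, cmd
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = NewCommand(conn, "INSERT INTO Users (UserName, PasswordHash) VALUES (?, ?)")
    cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("hash", adVarChar, adParamInput, 64, passwordHash)
    cmd.Execute , , adExecuteNoRecords
    conn.Close
End Sub

' Login: fetch the stored hash for a user; returns "" when the user does not exist.
Function LookupPasswordHash(userName)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = NewCommand(conn, "SELECT PasswordHash FROM Users WHERE UserName = ?")
    cmd.Parameters.Append cmd.CreateParameter("user", adVarChar, adParamInput, 50, userName)
    Set rs = cmd.Execute
    If rs.EOF Then
        LookupPasswordHash = ""
    Else
        LookupPasswordHash = rs("PasswordHash").Value
    End If
    rs.Close : conn.Close
End Function
%>
```

    The login page then hashes the submitted password the same way RegisterUser's caller did and compares it with the value LookupPasswordHash returns, so the submitted text never reaches the SQL string.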
     
  5. amp

    amp
