Okay, About every month someone asks "How do I protect my Access database? Experienced developer's always suggest placing the database outside of the web root. Most developers suggest that you get a real Relational Database Management System :). Well there is a bug in the system that can be taken advantage of if you can't do either of the above First of all I did this using a DSNless connection to Access2000, win2kserver, IIS5. It has also been tested on IIS4 and works flawlessly DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=\\nas2.orcsweb.com\aspfree.com$\authors\carl_mcdade\db1.asp
|
Notice anything strange about the above connection string? The file extension is *.asp rather than the usual *.mdb. The next step is to use the database encryption tool in Access. Why do this? Well just changing the extension name to *.asp will jumble the contents of the db. But a lot of it is still ledgible. If you are trying to protect passwords then one or more will be visible.This is because the web browser opens and tries to read the faked ASP file. Encrypting the file will stop any other program with the exception of Access and ASP code from reading the file. The database unencrypted. After encryption you will get an ASP tags not found error. Step_By_Step: - Encrypt the database
- Rename the file from *.mdb to *.asp
- Use a DSNless connection to connect to the database file.
Some Facts
- One might try "save target as" the file then remove the encryption. In all cases both Netscape and Internet Explorer refused to do this.
- The db cannot be downloaded because since the ASP file does not really exist. The visitor gets the standard IIS5 error page and no url. In the case of IIS4 one may get a code error message:
Active Server Pages error 'ASP 0116'
Missing close of script delimiter /mcdade/db1.asp, line 4
The Script block lacks the close of script tag (%>). - The dsnless connection to the db file still works regardless of the file extension used in the connection string. This is a bug in the system but it is a useful one.
- Using encryption on a MS Access database slows down the database by 15%, according to Microsoft
- Using script tags within the database records seems to have no effect on the protection system. Because encryption does not allow the file to be read by any program other than MS Access
Neat trick huh?.
|
|
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More Microsoft Access Articles
More By Carl_McDade  developerWorks - FREE Tools!
|
Hear how IBM Rational Project and Portfolio Management integrated solutions help teams put the right tools and processes in place to maximize the effectiveness and efficiency of project teams and ensure that the business vision is being executed correctly. Learn how to automate and integrate requirements prioritization, top-down project planning, communications and controls, and methodology deployment to keep your scope, costs, and schedules under control. Tackle with an end-to-end approach the management of scope and scope changes, usage of methodology to control and empower project teams, and optimization of resources to align activity costs with the overall project plan.
FREE! Go There Now!
| | | |
Building a software-as-a-service solution requires addressing a few key technical challenges. In this webcast, we'll focus on the role of IBM Tivoli Directory Server and WebSphere Portlet Factory in creating a Software as a Service solution. We will demonstrate how to use Tivoli Directory Server to prevent the user population of one tenant from accessing the virtual portal and portlet components of another tenant. We will also use the dynamic profile capability of WebSphere Portlet Factory to create multiple highly customized applications from one code base.
FREE! Go There Now!
| | | |
Learn to enable users to both rate existing animations and to combine existing animations into new snippets. This is the third in a series of three tutorials that chronicle the building of a site that enables collaborative discussion and animation building using Domino and OpenLaszlo.
FREE! Go There Now!
| | | |
Download a free trial version of IBM Rational Developer for System z, software that can help you deliver core development capabilities; the power of Java Platform, Enterprise Edition (Java EE); and rapid application development support to diverse enterprise application development teams. With comprehensive development tools to help create, deploy and maintain traditional enterprise and composite applications, Rational Developer for System z enables developers with different technical backgrounds to easily participate in important technology projects.
FREE! Go There Now!
| | | |
Learn how Rational Build Forge can extend a simple compile and package build process by adding customization and deployment capability. Go from a manual method to automating: checking for code changes; getting the latest source; compiling and packaging; customizing; copying to and restarting a deployment server; and sending e-mail notification that a new version is available.
FREE! Go There Now!
| | | |
XML has become a common way of storing business data as flat files and many data server vendors including IBM have provided ways to store this data within relational database systems. Increasingly collections of XML files are accessed like databases using an xQuery and other XML standard mechanisms. Businesses find the need to combine the traditional tabular structured data with XML formatted data. In this webcast, you’ll learn about IBM’s WebSphere Federation Server technology, which provides users with the ability to integrate these two data formats.
FREE! Go There Now!
| | | |
Ken Krugler, co-founder of code search company Krugle, and Laura Merling, vice president of Marketing and Business Development for Krugle, join to talk about the ins and outs of code search and what it means as a new feature for developerWorks users.
FREE! Go There Now!
| | | |
Rational Modeling Extension for Microsoft .NET enhances usability for code generation supporting a more intelligent refactoring. The latest enhancements enable organizations with Java and .NET systems and software development maintain architectural integrity across heterogeneous platforms.
FREE! Go There Now!
| | | |
Join this Rational Talks to You teleconference on December 4 at 1:00 pm ET to discuss how Rational Method Composer can help meet your compliance objectives. Get your questions answered!
FREE! Go There Now!
| | | |
Informix Dynamic Server (IDS) Express Edition offers outstanding online transaction processing (OLTP) database performance, while helping to simplify and automate many of the tasks associated with deploying databases for small business applications. IDS 11 further extends the ease of management and applications integration with the Admin API and Scheduler, high availability with Continuous Log Restore for backup server recovery in case of a primary server failure, and column level encryption to protect personal and company private data.
FREE! Go There Now!
| | | |
All FREE IBM® developerWorks Tools!
|
|
