Okay, About every month someone asks "How do I protect my Access database? Experienced developer's always suggest placing the database outside of the web root. Most developers suggest that you get a real Relational Database Management System :). Well there is a bug in the system that can be taken advantage of if you can't do either of the above First of all I did this using a DSNless connection to Access2000, win2kserver, IIS5. It has also been tested on IIS4 and works flawlessly DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=\\nas2.orcsweb.com\aspfree.com$\authors\carl_mcdade\db1.asp
|
Notice anything strange about the above connection string? The file extension is *.asp rather than the usual *.mdb. The next step is to use the database encryption tool in Access. Why do this? Well just changing the extension name to *.asp will jumble the contents of the db. But a lot of it is still ledgible. If you are trying to protect passwords then one or more will be visible.This is because the web browser opens and tries to read the faked ASP file. Encrypting the file will stop any other program with the exception of Access and ASP code from reading the file. The database unencrypted. After encryption you will get an ASP tags not found error. Step_By_Step: - Encrypt the database
- Rename the file from *.mdb to *.asp
- Use a DSNless connection to connect to the database file.
Some Facts
- One might try "save target as" the file then remove the encryption. In all cases both Netscape and Internet Explorer refused to do this.
- The db cannot be downloaded because since the ASP file does not really exist. The visitor gets the standard IIS5 error page and no url. In the case of IIS4 one may get a code error message:
Active Server Pages error 'ASP 0116' Missing close of script delimiter /mcdade/db1.asp, line 4 The Script block lacks the close of script tag (%>). - The dsnless connection to the db file still works regardless of the file extension used in the connection string. This is a bug in the system but it is a useful one.
- Using encryption on a MS Access database slows down the database by 15%, according to Microsoft
- Using script tags within the database records seems to have no effect on the protection system. Because encryption does not allow the file to be read by any program other than MS Access
Neat trick huh?.
|
|
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More Microsoft Access Articles More By Carl_McDade developerWorks - FREE Tools! | The IBM DB2 Deep Compression ROI tool is designed for DBA’s and IT management personnel to perform a clinical analysis of the cost savings gained from the Storage Optimization feature of DB2 9 for Linux, UNIX and Windows. The feature, also known as Deep Compression, compresses data that lies within a database by up to 80% at times. FREE! Go There Now!
| | | | You'll get answers to many questions and more from David Barnes, Lead Evangelist for IBM Emerging Internet Technologies. David will discuss aspects of Web 2.0 that bring value to corporations, academia, and government. He'll also discuss IBM's vision around Web 2.0, including the importance of remixability and consumability. The discussion will culminate with examples of various IBM Software Group solutions you can use to get ahead of the Web 2.0 adoption curve. FREE! Go There Now!
| | | | Attend this launch webcast with Scott Hebner, Vice President of IBM Rational Marketing and Strategy, for an overview of Rational’s new software offerings and resources to help modernize and accelerate software innovation on i on Power Systems – while ensuring past application investments are protected and continue to grow. Learn how these solutions are helping customers extend their core i5/OS solutions toward modern architectures such as SOA and web technologies to deliver business improvements that stand the test of time. FREE! Go There Now!
| | | | You probably have thousands of lines of COBOL code loaded with business intelligence and being used to run your business, along with an army of developers maintaining these applications. Learn how to prepare your applications and developers so you can keep that competitive edge and move to a service-oriented architecture with the IBM Rational Enterprise Modernization solutions. Replay is available for 9 months. FREE! Go There Now!
| | | | CakePHP is a stable production-ready, rapid-development aid for building Web sites in PHP. This "Cook up Web sites fast with CakePHP" series shows you how to build an online product catalog using CakePHP. FREE! Go There Now!
| | | | WebSphere Process Server delivers a unique integration framework that simplifies existing IT resources. Often, as IT assets grow to support business demand, so too does their complexity and manageability. In this webcast, we’ll discuss how WebSphere Process Server helps deliver an SOA infrastructure that provides a common model to orchestrate, mediate, connect, map, and execute the underlying IT functions. Discover how WebSphere Process Server simplifies integration of business processes by leveraging existing IT assets as reusable services without the complexities of traditional integration methodologies. FREE! Go There Now!
| | | | Download the IBM WebSphere Portal V6.1 beta code and learn more about the rich features and enhancements in IBM WebSphere Portal V6.1. WebSphere Portal provides a composite application or business mashup framework and the advanced tooling needed to build flexible, SOA-based solutions, and scalability to meet the needs of any size organization. FREE! Go There Now!
| | | | Learn how to do more with your reusable assets with the free Rational Asset Manager eKit. The eKit includes demos on how Rational Asset Manager tracks and audits your assets in order to utilize them for reuse. Plus you’ll find white papers and a Webcast that discuss the challenges of a Service Oriented Architecture and how Rational Asset Manager can provide quick and effective solutions. FREE! Go There Now!
| | | | As organizations have grown increasingly dependent on online software, the risk of malicious attacks has also become far more serious. Fortunately, well-governed organizations can protect their Web applications by injecting vulnerability assessments and ethical hacks into their software development and delivery processes. This paper describes 12 of the most common hacker attacks and provides basic rules that you can follow to help create more hack-resistant Web applications. FREE! Go There Now!
| | | | Try the latest version of IBM Rational Manual Tester V7.0.1 by downloading a free trial from IBM developerWorks. This manual test authoring and execution tool promotes test step reuse to reduce the impact of software change on testers and business analysts and addresses the needs of teams performing at least a portion of their testing manually. FREE! Go There Now!
| | | | All FREE IBM® developerWorks Tools! | |