This is a discussion on "How secure is MS Access???" within the Databases section. This forum, and the thread "How secure is MS Access???", are both part of the Program Your Website category.
How secure is MS Access???
Well, from what I have been told, MS Access is about as secure as a locked door with the key in it. Is this true? If it is, how can I go about changing it to be more secure?
Depends on what you're talking about being secure from. The most basic thing people do wrong is put it in a publicly accessible location on their website.
What exactly were you told?
You could set up a DSN connection, have your ISP set up a private folder (out of view from the web site) and store your .mdb there. This will stop people from stealing the complete db via a download.
But I would consider other options to Access like SQL/mySQL. Access is slow, it was not designed to be used on the web, it can only handle 10 concurrent connections... As your site gets bigger (unless it is already popular) I would go for SQL. It will save you work in the future when you eventually have to upgrade.
HTH u2o
I have to say 'WHOAAA' hold up there...
Access is fine for most things on the web.... You would have to be having traffic to the levels of these forums to warrant switching to SQL. It's true Access doesn't like more than around 10-15 connections at the same time, but to have 10-15 visitors all requesting a database access page at the same time means you would probably have a very busy site. SQL is expensive, and should be kept back until you start seeing a performance shift downward. If you have written your ASP pages in a way that can handle both Access and SQL, then upgrading at a later stage will be relatively painless. I have around 10 sites running on Access, and have to say that each of them is pretty quick. I keep a close eye on them. Some of the fairly busy, medium-size job boards out there are running on Access, to which I'm sure at least 2 members I know of will testify.
__________________
Rob - SEO Specialist Owner & Founder of Webforumz.com I am currently unavailable for private work
Last Blog Entry: Creative Labs threaten developer over home made drivers.... (Apr 1st, 2008)
Quote, originally posted by kulegamr:
"Well from what i have been told, MS Access is about as secure as a locked door with the key in it. Is this true? If it is, how can I go about changing it to be more secure?"
Access can be secure. You have to make sure you take proper steps. As has been mentioned, number 1 is to have the db off the webspace... most hosts have a private folder or database folder for this purpose. You can FTP to it, but not HTTP, so no one can download the db even if they guess where it is. This folder will usually have IUSR write permissions too; if not, you'll only be able to pull data from it, and not input data.
Usual other security points as with building any databased site:
1) Make sure backend (if you have a place where you update the database online) is secure, good unguessable password, and recheck this password on every page... i.e. don't let people avoid the password by going straight to a page within the backend, thereby avoiding the login page. We tend to plant a cookie with username/password when you log in, then check on each page.
2) SQL injection attacks. Google for this for more info. Main thing is if you pass parameters from one page to another via querystring or even form field, check what data you get on the next page to make sure no one hacked it, e.g. if you used pagename.asp?id=23, then check that the ID the next page receives IS a number and not some clever code.
3) Defaults. Really a problem with packages. E.g. we sell shopping cart software that ships with a default user/pass. Some people won't bother to change these, making it easy for an attacker to get in. Therefore we check for default installs and give big warnings to anyone using our software, forcing them to change from default settings.
Access isn't inherently insecure, but like any system, you gotta make sure you use it properly.
It's very easy to build an insecure web system in any database - learn how such systems are attacked and bear this in mind with every page you code.
Quote, originally posted by CactusJack:
"Access can be secure. You have to make sure you take proper steps"
Another thing I thought of... make sure the server isn't giving too much info in error messages. 2 ways to do this:
1) Trap as many errors as possible. If someone f***s about with a querystring to cause a SQL error, trap that and deal with it with a handled error. Don't let the system show the SQL code that failed on the screen; this gives valuable info about the structure of the database to an attacker, as well as letting them know in many cases what db is being used (Access, SQL Server etc).
2) Servers can be configured to show minimal errors, though I don't know off the top of my head where this is configured. Such informative errors are good when you are testing locally but bad on a live site.
3) Another thing, make sure if you authorize users that you don't let one authorized user do stuff to other people's accounts. Easy thing to miss. E.g. on this site, I am authorized to post, but not authorized to edit your posts. Often bugs revolve around poor security between logged-in users, as opposed to those who aren't logged in.
Access is not insecure but some common mistakes can make Access sites insecure. The most common problem is that people put their db in a location where it can be downloaded with HTTP. They also use a DSNless connection that includes the path so that an error message might give this path away.
Many hosts set up a 'data' or 'database' folder when you FTP in, alongside the 'www' or 'html' folder where the root of your site is. This is where MDBs should be located. This way, they cannot be downloaded via HTTP because they are outside the web. You can use a DSN or DSNless connection - the path is useless even if known to an attacker because they cannot download the file.
Another common problem that renders any database vulnerable is SQL injection attacks. This applies to MS SQL, MySQL as well as Access, but with Access you don't have the option of using SPROCS to avoid this so you need more defensive coding.
Access is fine for most webs. Access 2000 files perform much better than 97 due to individual record locking. We recommend SQL above 80,000 page views, but had a client run an Access db on a dedicated server with over half a million page views per month. I would certainly recommend Access for web use.
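The checks raised in the posts above (confirming a querystring id really is a number, trapping database errors instead of displaying them, and keeping a logged-in user to their own rows), sketched as one Classic ASP page; this is an added example, not code from any poster in this thread. The posts table and its columns, the database path and Session("UserID") are assumptions, and the query uses ADO parameters, which the Jet OLEDB provider accepts as ? placeholders.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. Assumed names: posts table and columns, DB path, Session("UserID").
Const adInteger = 3, adParamInput = 1, adCmdText = 1

' Return the id as a Long when raw is 1-9 digits and non-zero, otherwise 0.
Function ParsePositiveId(raw)
    Dim re
    ParsePositiveId = 0
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"      ' digits only; 9 digits max so CLng cannot overflow
    If re.Test(raw) Then ParsePositiveId = CLng(raw)
End Function

Dim postId, conn, cmd, rs
postId = ParsePositiveId(Request.QueryString("id") & "")
If postId = 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

On Error Resume Next                 ' trap provider errors instead of letting IIS print them
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\private\db\example.mdb"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Values travel as typed parameters, never concatenated into the SQL text.
cmd.CommandText = "SELECT title, body FROM posts WHERE id = ? AND owner_id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , postId)
cmd.Parameters.Append cmd.CreateParameter("owner", adInteger, adParamInput, , CLng(Session("UserID")))
Set rs = cmd.Execute

If Err.Number <> 0 Then
    ' Keep the detail in the server log; the visitor sees no SQL, path or provider name.
    Response.AppendToLog "db error " & Err.Number
    Response.Status = "500 Internal Server Error"
    Response.Write "Sorry, something went wrong."
    Response.End
End If
On Error GoTo 0

If rs.EOF Then
    Response.Write "Not found."      ' same answer for a missing row and someone else's row
Else
    Response.Write Server.HTMLEncode(rs("title").Value & "")
End If
rs.Close : conn.Close
%>
```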
Well, I have a DB folder outside of the WWW folder. I tried to put the file in there and then run a finder.asp file to search and find my database. It searched and found nothing. So I just renamed it and left it alone. Only reason I really care about how secure it is is for the future of my designs. This site I am currently working on isn't that big of a deal if someone downloads the database, but I would like to know how to link to it when it's in my DB folder. Can someone tell me how?
You would either create a DSN (data source name) which references your database (see your host's FAQ for instructions) or make sure you have the correct path to the database in your connection string.
Maybe if you post your connection string and directory structure, I can show you what it needs to change to.
It's the Snitz Forum that I am trying to hide the database in. I have tried using a non-virtual path to get to the database. It is d:\webspace\ADMIN\HaegloDesigns.com\db\snitz_forum_2000.mdb Of course that's not the real database name but I have it written correctly. When I use this it finds the database file, but says I am using the wrong Connection String... So I tried all of them and none of them seemed to work correctly.
Quote:
"but says I am using the wrong Connection String"
Can you show me this error message?
You need this:-
strConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\webspace\ADMIN\HaegloDesigns.com\db\snitz_forum_2000.mdb"