Disallow download of certain file type

[sumguyovrthar]

Hi. I can't place an mdb database above the http root, so anyone is
able to download it through their browser if they know where it is.
This database contains some sensitive information. I am used to Apache
server and open source languages, I think web.conf is sort of
equivalent to Apache's .htaccess, is there some way I can edit
web.conf to disallow access to mdb files?

I'm sorry if this is not the exact group I should be posting in, but I
don't know where else to post. I am developing the application in
ASP.net, so I figured this would be an appropriate place.

-Mike PII

 

[Mike P2]

Also, by the way, I am getting the following error message when I try
to alter the database:

System.Data.OleDb.OleDbException: Operation must use an updateable
query.

This is a permission error, right? I found a page on Microsoft support
about it here:
http://support.microsoft.com/kb/175168
but I'm wondering if there might be some other cause for the error.

-Mike PII

 

[Steve C. Orr [MCSD, MVP, CSM, ASP Insider]]

You'd typically use IIS to set what kinds of files can and cannot be
downloaded.

 

[Michael Nemtsev]

Hello sumguyovrthar,

Use HttpForbiddenHandler for this in web.config

just add

<add verb="*" path="<your path>" type="System.Web.HttpForbiddenHandler " />

---
WBR, Michael Nemtsev [.NET/C# MVP].
My blog: http://spaces.live.com/laflour
Team blog: http://devkids.blogspot.com/

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo

s> Hi. I can't place an mdb database above the http root, so anyone is
s> able to download it through their browser if they know where it is.
s> This database contains some sensitive information. I am used to
s> Apache server and open source languages, I think web.conf is sort of
s> equivalent to Apache's .htaccess, is there some way I can edit
s> web.conf to disallow access to mdb files?
s>
s> I'm sorry if this is not the exact group I should be posting in, but
s> I don't know where else to post. I am developing the application in
s> ASP.net, so I figured this would be an appropriate place.
s>
s> -Mike PII
s>

 

[Juan T. Llibre]

If what you want to do is prevent a download of your .mdb file,
just create an App_Data directory and place the Access database in it.

Files stored in the App_Data folder are not returned in response to direct HTTP requests,
which makes the App_Data folder the recommended location for data stored with your
application, including .mdf (SQL Server Express Edition), .mdb (Microsoft Access), or XML files.

 

[Mike P2]

If what you want to do is prevent a download of your .mdb file,
just create an App_Data directory and place the Access database in it.

Files stored in the App_Data folder are not returned in response to direct HTTP requests,
which makes the App_Data folder the recommended location for data stored with your
application, including .mdf (SQL Server Express Edition), .mdb (Microsoft Access), or XML files.

Juan T. Llibre, asp.net MVP
asp.net faq :http://asp.net.do/faq/
foros de asp.net, en español :http://asp.net.do/foros/

Thanks, that's just what I needed. Fixed both problems (apparently
App_Data has more compatible permissions by default too).

-Mike PII