placing DB outside the web root ...where? and path in ASP?

cooldv

I learnt from *Ken Schaefer's* website that for security reasons, you
should put your DB outside the website root directory. This is his
webpage -
http://www.adopenstatic.com/resources/guide/gettingstarted/structure.asp

1. Where do I place the database outside the root directory? My
directory access from my hosting company (Windows 2000 server) is like
this:

ftp.mywebsite.com
- mywebsite.com (folder)
parent folder
documents (this is the root directory folder)
log files (folder)

2. What should be the new path in ASP pages to make a DB connection,
e.g.
DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
 
Aaron Bertrand [MVP]

> 1. where do i place the database outside the root directory?

You don't always have the luxury of doing this. I think in most cases, this
applies to people who have control over their servers. So, you might have
to ask your hosting company to set up a virtual FTP folder that points
off-web, so that you can upload the database there. But then it's still
exposed via FTP. And you would have to hard-code the reference to the MDB
file in your connection string, e.g. F:\protected\file.mdb (you can no
longer use server.mappath). This isn't so much of a problem, except folder
structures, and even the drive letter itself, aren't guaranteed to remain
intact if the ISP upgrades servers, moves to a new data center, etc.

One way to prevent people from downloading your MDB file, even if they
*could* guess the location and filename, is to give it an ASP extension. It
will still work as a database file (your connection string would point to an
.asp file instead of an .mdb file), and users wouldn't be able to download
it by accessing it directly, because the web server will try to run it like
an ASP script.

And yes, it will still be exposed via FTP, but if you name it something
inconspicuous, a user who managed to break in would have to figure out (a)
that your database is actually in an ASP file, and (b) which one it is.
There shouldn't be any way a casual sniffer would even know you're using
Access in the first place, unless you advertise that.
 
Mats

I've tested using an asp extension for the database file (database.asp and
not database.mdb). But if you connected to database.asp (typing in the
correct path and filename), it appeared in the browser as a text file,
with parts of the content clearly possible to read.
The site is on a webhotel (running MS Server 2003); I don't know if
they've missed something.
So we use a very odd folder name + an equally odd database name.

Mats
 
cooldv

I confirmed with my web hosting company. I can place my database
outside my webroot directory (on a Windows 2000 server).

1. Where do I place it? 2. What should be the path in ASP to make a DB
connection?
e.g. DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")?

Here is the structure of web folders that are available to me:

ftp.mywebsite....com
- mywebsite....com (folder)
 
Aaron Bertrand [MVP]

> i confirmed with my web hosting company. i can place my database
> outside my webroot directory (on a windows 2000 server.)
>
> 1. where do i place it

They need to tell you that; we can't tell you where to put it, because we
don't know what "outside my webroot directory" means.

> 2. what should be the path in asp to make a DB connection?

That depends on the answer to 1. It will NOT involve server.mappath,
however, as I mentioned in my post yesterday.
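
The hard-coded path approach discussed in the replies above, as an added example that is not part of the original thread. It keeps the off-web path in one constant (so a server move means one edit) and refuses to open a database that sits under the site's web root. `DB_PATH` reuses the sample path from the reply above; the function names and the Access ODBC driver string are assumptions.

```asp
<%
' Added example. DB_PATH is a placeholder: use the off-web folder
' your hosting company actually assigns to you.
Const DB_PATH = "F:\protected\file.mdb"

' True when filePath lies under the site's physical root, i.e. the
' file could be requested over HTTP. Server.MapPath("/") only covers
' the site root; virtual directories mapped elsewhere are not checked.
Function IsUnderWebRoot(filePath)
    Dim webRoot
    webRoot = LCase(Server.MapPath("/"))
    If Right(webRoot, 1) <> "\" Then webRoot = webRoot & "\"
    IsUnderWebRoot = (Left(LCase(filePath), Len(webRoot)) = webRoot)
End Function

' Returns an open ADODB.Connection, or raises an error if the database
' is web-reachable or missing (for example after the host moved drives).
Function OpenDatabase()
    Dim fso, conn
    If IsUnderWebRoot(DB_PATH) Then
        Err.Raise vbObjectError + 1, "OpenDatabase", _
            "Database file is inside the web root"
    End If
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(DB_PATH) Then
        Err.Raise vbObjectError + 2, "OpenDatabase", _
            "Database file not found at the configured path"
    End If
    Set conn = Server.CreateObject("ADODB.Connection")
    ' Absolute path in DBQ, no Server.MapPath
    conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DB_PATH
    Set OpenDatabase = conn
End Function
%>
```

Saved as an include file, this lets each page call `Set conn = OpenDatabase()` instead of building its own connection string.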
 
