placing DB outside the web root ...where? and path in ASP?

Discussion in 'ASP General' started by cooldv, Sep 21, 2003.

  1. cooldv

    cooldv Guest

    I learnt from *Ken Schaefer's* website that, for security reasons, you
    should put your DB outside the website root directory. This is his
    webpage:
    http://www.adopenstatic.com/resources/guide/gettingstarted/structure.asp

    1. where do i place the database outside the root directory? my
    directory access from my hosting company (windows 2000 server) is like
    this:

    ftp.mywebsite.com
    - mywebsite.com (folder)
    >parent folder
    >documents (this is the root directory folder)
    >log files (folder)


    2. what should be the new path in asp pages to make a DB connection,
    e.g.
    DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")
    cooldv, Sep 21, 2003
    #1

  2. > 1. where do i place the database outside the root directory?

    You don't always have the luxury of doing this. I think in most cases, this
    applies to people who have control over their servers. So, you might have
    to ask your hosting company to set up a virtual FTP folder that points
    off-web, so that you can upload the database there. But then it's still
    exposed via FTP. And you would have to hard-code the reference to the MDB
    file in your connection string, e.g. F:\protected\file.mdb (you can no
    longer use server.mappath). This isn't so much of a problem, except folder
    structures, and even the drive letter itself, aren't guaranteed to remain
    intact if the ISP upgrades servers, moves to a new data center, etc.

    One way to prevent people from downloading your MDB file, even if they
    *could* guess the location and filename, is to give it an ASP extension. It
    will still work as a database file (your connection string would point to an
    .asp file instead of an .mdb file), and users wouldn't be able to download
    it by accessing it directly, because the web server will try to run it like
    an ASP script.

    And yes, it will still be exposed via FTP, but if you name it something
    inconspicuous, a user who managed to break in would have to figure out (a)
    that your database is actually in an ASP file, and (b) which one it is.
    There shouldn't be any way a casual sniffer would even know you're using
    Access in the first place, unless you advertise that.
    Aaron Bertrand [MVP], Sep 21, 2003
    #2

  3. cooldv

    Mats Guest

    I've tested using an ASP extension on the database file (database.asp and
    not database.mdb). But if you connected to database.asp (typing in the
    correct path and filename), it appeared in the browser as a text file,
    with parts of the content clearly possible to read.
    The site is on a web hotel (running MS Server 2003); I don't know if
    they've missed something.
    So we use a very odd folder name + an equally odd database name.

    Mats

    Mats, Sep 21, 2003
    #3
  4. cooldv

    cooldv Guest

    I confirmed with my web hosting company. I can place my database
    outside my webroot directory (on a Windows 2000 server).

    1. Where do I place it? 2. What should be the path in ASP to make a DB
    connection?
    e.g. DSNtemp=dsntemp & "DBQ=" & server.mappath("database.mdb")?

    here is the structure of webfolders that are available to me:

    ftp.mywebsite....com
    - mywebsite....com (folder)
    >parent folder
    >documents (this is the root directory folder)
    >log files (folder)
    cooldv, Sep 22, 2003
    #4
  5. > i confirmed with my web hosting company. i can place my database
    > outside my webroot directory (on a windows 2000 server.)
    >
    > 1. where do i place it


    They need to tell you that; we can't tell you where to put it, because we
    don't know what "outside my webroot directory" means.

    > 2. what should be the path in asp to make a DB connection?


    That depends on the answer to 1. It will NOT involve server.mappath,
    however, as I mentioned in my post yesterday.
    Aaron Bertrand [MVP], Sep 22, 2003
    #5
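
The hard-coded path described in the replies above, as an added example (not code from any poster in this thread): a Classic ASP include that keeps the physical path in one place, refuses to open a database that sits under the web root, and fails early if the path stops existing after a server move. The file name db_config.asp and the function names are hypothetical; F:\protected\file.mdb is the sample path from the thread, and the Access ODBC driver string is an assumption about the host's setup.

```asp
<%
' db_config.asp (hypothetical name): include this from every page that needs the DB.
' DB_PATH is the sample path from the thread; replace it with the physical
' path your hosting company gives you for the off-web folder.
Const DB_PATH = "F:\protected\file.mdb"

' True when candidate is the folder root itself or lies anywhere below it.
' Comparison is case-insensitive because Windows paths are.
Function IsUnderFolder(candidate, root)
    Dim r
    r = root
    If Right(r, 1) <> "\" Then r = r & "\"
    IsUnderFolder = (StrComp(Left(candidate & "\", Len(r)), r, vbTextCompare) = 0)
End Function

' Returns an open ADODB.Connection, or raises an error without
' echoing the physical path back to the browser.
Function OpenDatabase()
    Dim fso, webRoot, conn
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    webRoot = Server.MapPath("/")   ' physical folder behind the site root

    ' Guard: if the file is ever moved back under the web root, stop here
    ' instead of silently serving from a downloadable location.
    If IsUnderFolder(fso.GetAbsolutePathName(DB_PATH), webRoot) Then
        Err.Raise vbObjectError + 1, "db_config", "Database is inside the web root"
    End If

    ' Guard: drive letters and folders can change when the host moves
    ' servers, so report a missing file clearly.
    If Not fso.FileExists(DB_PATH) Then
        Err.Raise vbObjectError + 2, "db_config", "Database file not found"
    End If

    Set conn = Server.CreateObject("ADODB.Connection")
    ' No Server.MapPath here: the file is not reachable through a URL.
    conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DB_PATH
    Set OpenDatabase = conn
End Function
%>
```

The web-root check only covers the site root returned by Server.MapPath("/"); a virtual directory mapped to the database folder would not be caught by it.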