They can Hack My Database



sc0ut
04-01-2003, 05:56 AM
Here's the problem

How do I make my access database more secure??

I'm about to hook my ASP website up for the internet. After lots of testing my friend tried to hack my site, the only thing he managed to do was access my Access database. By guessing my database name in the URL he was given an option to [Open] or [Save] my database, thus giving him the content of my database like member information and passwords. Using Win 2000 Server, is there any way to prevent this? Remember my database is constantly written to by new members.
Any help or links would be appreciated.
Cheers

cyberchuck
04-01-2003, 07:59 AM
Hey

1 - Change your database name to something that no-one will guess. eg: instead of calling it database.mdb call it _database.mdb or 1852dht.mdb
2 - You can set up the database to be password protected. Although (from memory) when you "open" it via Internet Explorer the password part is bypassed, if someone downloads it, they will require the password to open it. Give it a try to find out.
3 - (pretty cheap - but it works) - make your tables hidden. My friend pulled that trick on me once and it took me a while to figure out what he'd done


CyberChuck

sc0ut
04-01-2003, 08:26 AM
I don't want to do the 1st way because it still isn't fully secure because in ASP when an error is generated they tend to see the name of the database.

I'll try the other two ways though
Thanks for the input
GTG

parry
04-01-2003, 08:54 AM
Hi see this article http://www.advisor.com/doc/11530 plus http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp

parry
04-01-2003, 09:00 AM
I hate the way long urls get the link stuffed up. Try...

Access FAQ (http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp)

-=JM=-
04-01-2003, 05:39 PM
Name it something weird, in an obscure folder as well if possible. Try and stay away from /db or similar.

Also turn off directory viewing for that folder.

-=JM=-
04-01-2003, 05:40 PM
I gather there are passwords and the like stored in the database. Try to have them encrypted somehow.
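
Added example, not part of any post in this thread: a Python audit a site owner can run against their own web root to list every Access database stored under it, which is the condition that let the file in the first post be opened by URL. Files are recognised by the Jet header string at byte offset 4 rather than by extension, so a renamed copy is listed too; the guessable folder and file names and the sample tree are constructed assumptions.

```python
import os
import tempfile

JET_MAGIC = b"Standard Jet DB"   # bytes 4..18 of an Access .mdb file header
# Assumption: names a visitor might try first (the thread mentions /db and database.mdb)
GUESSABLE = {"db", "data", "database", "members", "users"}

def is_access_db(path):
    """True if the file carries a Jet header, whatever its name or extension."""
    with open(path, "rb") as fh:
        return fh.read(19)[4:19] == JET_MAGIC

def audit_web_root(web_root):
    """Return sorted (url_path, notes) for every Access database under web_root."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            if not is_access_db(full):
                continue
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            parts = rel.lower().split("/")
            notes = ["stored inside the web root"]
            if GUESSABLE & set(parts[:-1]):
                notes.append("in a commonly guessed folder")
            if os.path.splitext(parts[-1])[0] in GUESSABLE:
                notes.append("commonly guessed file name")
            findings.append(("/" + rel, notes))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree: two fake Jet files and one ordinary page."""
    header = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 32
    os.makedirs(os.path.join(root, "db"))
    os.makedirs(os.path.join(root, "x91"))
    samples = (("db/database.mdb", header),
               ("x91/1852dht.dat", header),   # renamed, still a Jet file
               ("default.asp", b"<% Response.Write \"hi\" %>"))
    for rel, data in samples:
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for url, notes in audit_web_root(site):
            print(url, "->", "; ".join(notes))
```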