Shannon Shang-I think therefore I am

We came here, you and I, to this place and this profession, to be great, to do great things, and give form to great dreams - and we have

Use an absolute path instead of a relative path to increase the security of an Access database in an ASP website

When I develop my website with ASP, I find the following problem:

My database is in root\database, and my conn.asp (which defines the connection string) is in root\includes.

Because the files that need to access the database are located in the root, the connection string looks like this:

"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=./database/database.mdb;"

When you browse the files located in the root directory, it works well, but if someone types this into the address box of the internet browser:

http://myserver/includes/conn.asp

it will raise an error:

can't find file “x:\somedirectory\myserver\includes\database\database.mdb“

....

Some hacker will find out that my database name is database.mdb and that it is located in x:\somedirectory\myserver\database,

so after he (she) downloads my database to his (her) local hard disk, my private data will be exposed.

According to some articles, we can insert "On Error Resume Next" to skip this error, but I find there is a better way to resolve this problem.

We can build the path string with Request.ServerVariables("APPL_PHYSICAL_PATH") instead of Server.MapPath.

After this change, we can include conn.asp in any page regardless of its location.
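A sketch of conn.asp built this way, added here as an example and not the original author's code. The variable names and the commented-out "before" line are assumptions; the folder and file names are the ones used above.

```asp
<%
' conn.asp (added example): resolve the database from the application root
' so the result does not depend on which script is being requested.

' Before (assumed form): the relative path is mapped from the folder of the
' requested script, so a direct request for /includes/conn.asp looks in
' includes\database\ and the resulting error reveals the physical path.
' dbPath = Server.MapPath("./database/database.mdb")

Dim appRoot, dbPath, connStr, conn

' Physical path of the application root; identical for every page in the app
appRoot = Request.ServerVariables("APPL_PHYSICAL_PATH")
If Right(appRoot, 1) <> "\" Then appRoot = appRoot & "\"

dbPath = appRoot & "database\database.mdb"
connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath & ";"

' Trap a failed open and answer with a generic message, so the provider's
' error text (which contains dbPath) is never sent to the browser.
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr
If Err.Number <> 0 Then
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "Database unavailable."
    Response.End
End If
On Error GoTo 0
%>
```

This removes the path-revealing error, but database.mdb still sits under the web root; moving it or restricting read access, as the comments below suggest, addresses the download itself.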



 

Comments

ch21st said:

If possible, please your connection script and database ABOVE the www (public) folder; not deeper than it.

If that's not an option, then ask your hosting company to change the permissions of the connection script folder, as well as the database folder, so that it can ONLY be read by the server / your scripts; not the web browser.

That should do it!
# September 2, 2004 5:38 AM

ch21st said:

Oops - spelling error! Here's my reply again:

If possible, place your connection script folder and database folder ABOVE the www (public) folder; not deeper than it.

If that's not possible, then ask your hosting company to change the permissions of the connection script folder, as well as the database folder, so that they can ONLY be read by the server (your scripts); not the web browser.

That should do it!
# September 2, 2004 5:39 AM

TrackBack said:

^_^,Pretty Good!
# April 15, 2005 1:39 PM

TrackBack said:

Use absolute path instead of relative path to increase the security of access database in asp websiteooeess
# June 15, 2005 9:41 PM
