I have an Access DB running most of my site (PWS right now, hopefully sqlServer(IIS) soon).
I was looking into incorporating secure login (using cookies) but I'm not sure I want to go that route, so I decided against secure login for now (I only needed to let myself login in order to add items daily to a list on my site). The database doesn't exactly hold any secret data, but I will in the future incorporate secure login. Even just because it is cool.
Anyways...What are the steps I should perform to ensure a secure database in the future...?
Someone suggested I need to change the DSN instead of using a hardcoded path...???
Currently it looks like this:
Dim DB
Set DB = Server.CreateObject ("ADODB.Connection")
DB.Open ("Provider=Microsoft.Jet.OLEDB.3.51;Data Source=" + "C:\sitedata.mdb")
I'm then supposed to put the database in a secure directory and use a mapped DSN somehow...?
What's this mean..?
Also...this DB is getting big...and will only get bigger with time...the reason I wanted secure login was to allow myself to update and modify data remotely via webpage.
Seeing how I scrapped the secure login...I can't update the records this way anymore, so I'm wondering if there is another approach...or is it back to the old drawing boards...?
Do I have to use secure login...? Or are there utilities out there that can do this for me...?
Thanx a bunch!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
Hockey wrote:
I'm then supposed to put the database in a secure directory and use a mapped DSN somehow...?
A DSN is just some registry keys that knowledgeable programs (ADO for instance) can use to retrieve the required settings to access the data source.
You should see a Data Sources applet somewhere in the control panel, on Win2K and XP it is under Administrative Tools. From there you can create a DSN so that you only need to specify the DSN name to connect to the database.
You are still left with the problem of securing the site though so that you can edit the database.
Hope that gives you some idea,
James
Simplicity Rules!
|
"Secure directory" means nothing more than placing your database in a folder OUT of the web server folder. Suppose that C:\Inetpub\wwwroot is your web server folder, then you should place your DB in something like C:\Inetpub\database\. Thus the file itself won't be accessible from the web. So using c:\ as a place for database files gives you the same result. But the problem is that the hosting provider won't allow you to put files under the C:\ root. And the directory structure in most cases will be different from your home computer's. You will need to change ALL connection strings in ALL of your ASP files. Of course you can have an include file where the connection string is described, but you will still need to change it before uploading to your site.
So here comes DSN. You define a DSN on your machine, pointing to your database file, and a DSN with the same name on your hosting. Now it doesn't matter where you put your database. But all your connections will be like "DSN=MyDSN".
And again about security. I don't see any reason not to use Session variables. Can be hacked? Yes, but show me something that cannot be hacked? And what are you hiding there if you need it to be so secure?
Hacking a Session is not such a simple task, and you need to have something really interesting for someone to even want to hack you
And even more.. Don't be afraid of being hacked... 90% of hackers are simple office cleaners. Many people just leave their passwords in places such as ... under the keyboard. Someone finds it and "hacks" your computer. And the company says they were hacked (how can they say that a cleaner took a password and did damage? Better to tell that some experienced hacker did it)
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
Need Web-based database administrator? You already have it!
|
Philip Patrick wrote:
And even more.. Don't be afraid of being hacked... 90% of hackers are simple office cleaners. Many people just leave their passwords in places such as ... under the keyboard. Someone finds it and "hacks" your computer
It's a company website. I don't need "anyone" gaining control of admin rights and changing the site contents to something like:
F*ck off stupid customers...I've stolen your credit cards also...
I'm sure that would cause more than headaches for me.
I need to have the ability to update my database remotely from my computer, while sitting on the server...I don't have the time to do the work required in VC++ so I figured I'd use the website itself and simply have a secure login for me only.
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
I have a page where I need to show some data in a chart and in a table. The chart will be generated on the fly by another aspx page, something like "", the table will be generated with a simple datagrid.
Can I share the same dataset to generate the chart and populate the grid or must I use a different one for each page (querying the database twice)?
|
If you store the dataset somewhere (session state or to a file) then you can share them between the two; otherwise you'll be left querying twice.
James
Simplicity Rules!
|
I'm trying to create a simple tagwall/forum.. works fine, but I can't write a message with a ' in it.. I can't write "Go'day" because of the ' ..
Code:
name = Trim(Request.Form("name"))
message = Trim(Request.Form("message"))
topic = Trim(Request.Form("topic"))
ConnDB.execute "INSERT INTO messageer (name,message,date,ip) VALUES ('" & name & "', '" & message & "', '" & date() & " " & hour(time) & ":" & Minute(time) &"', '" & request.servervariables("REMOTE_ADDR") & "')"
I get a syntax error... But without the ' it works fine
How can I fix this problem?
It seems like any other character works other than the ' ...!
Thanks
|
' - is a string separator character in SQL, so you have to double it to use it in strings.
Use Replace(strMyString, "'", "''") on all of your strings before appending them to your SQL statements.
|
Now I can write Go'day thanks
|
Jasp wrote:
I get a syntax error... But without the ' it works fine
Feel good knowing that you've done more testing on your ASP page than some US Government Agencies
I've even e-mailed them and my senator to fix the problem (on SQL Server it can spell security disaster) but it is still not fixed.
James
Simplicity Rules!
|
James T. Johnson wrote:
on SQL Server it can spell security disaster
Hmm, I don't see why it is a security hole. If one forgets to double the quotes, this is his problem, not SQL Server's
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
Need Web-based database administrator? You already have it!
|
Oh No, I'm not blaming it on SQL Server; it would be the same as me putting an admin only link on the front page of a website and trusting no one but me to click on it
James
Simplicity Rules!
|
Lol, hehe, wanna try?
BTW, I made a simple test. I put a link somewhere in one of my sites, saying "Don't click here, this link is for web master". Then made a counter of clicks on it. And what do you think? 300+ people out of about 500 visitors of this page clicked on it
Lol, that was funny, when I told them at the end what it was
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
Need Web-based database administrator? You already have it!
|
2 options.
1- using the " character .. chr(34).
strSQL = " INSERT INTO table( field)"
' append to the statement instead of overwriting it
strSQL = strSQL & " VALUES(" & chr(34) & "Go'day" & chr(34) & ")"
2- Replace the ' with '', SQL only saves one '
strSQL = " INSERT INTO table( field)"
strSQL = strSQL & " VALUES('" & Replace(strVar,"'","''") & "')"
FF
|
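The quote doubling recommended in this thread fixes the syntax error, but it has to be remembered for every string in every statement. As an added example (not code from any poster), here is the same tagwall INSERT with bound ADO parameters, where the values never become part of the SQL text. It assumes `ConnDB` is the open connection from the question and that the four columns are Text fields; `AddText` and `InsertMessage` are names chosen here.

```vbscript
<%
' Added example (not from the thread): the tagwall INSERT with bound parameters.
' Assumes ConnDB is the already-open ADODB.Connection from the question and
' that all four columns of "messageer" are Text fields (assumption).

' ADO constants, declared here so adovbs.inc is not required.
Const adCmdText = 1
Const adParamInput = 1
Const adExecuteNoRecords = 128
Const adVarWChar = 202   ' for a Memo column use adLongVarWChar (203) instead

' Append one text parameter. ADO rejects a variable-length parameter whose
' size is 0, so an empty string is declared with size 1.
Sub AddText(cmd, paramName, value)
    Dim size
    size = Len(value)
    If size = 0 Then size = 1
    cmd.Parameters.Append cmd.CreateParameter(paramName, adVarWChar, adParamInput, size, value)
End Sub

Sub InsertMessage(conn, poster, message, ip)
    Dim cmd, stamp
    ' Same timestamp text the original statement built.
    stamp = Date() & " " & Hour(Time) & ":" & Minute(Time)

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' One ? per value, bound in order. No quotes surround the markers, so a '
    ' inside a value cannot end the string or change the statement.
    cmd.CommandText = "INSERT INTO messageer ([name], [message], [date], [ip]) " & _
                      "VALUES (?, ?, ?, ?)"
    AddText cmd, "poster", poster
    AddText cmd, "message", message
    AddText cmd, "stamp", stamp
    AddText cmd, "ip", ip
    cmd.Execute , , adExecuteNoRecords
    Set cmd = Nothing
End Sub

' Called with the same form fields the question reads.
InsertMessage ConnDB, Trim(Request.Form("name")), Trim(Request.Form("message")), _
              Request.ServerVariables("REMOTE_ADDR")
%>
```

With this in place "Go'day" is stored as typed and no `Replace` call is needed on any of the values.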
|
What are the alternatives to session logins...?
I need something a little more secure than session cookies but not quite SSL inclusion.
If someone is desperate enough to sniff my pass/ID what will be will be, but session cookies aren't quite good enough.
Any suggestions...?
Links to topics would be great too.
Thanx!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
Something very similar.
Thanx I'll check the link out!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
well it seems i got something happening by installing the iis thing on the same machine im working on ... all seems a bit flaky to me right now but i'll persevere for now
anyways now im getting this in my browser all the time:
error '8002801d'
Library not registered.
/iisHelp/common/500-100.asp, line 10
god only knows what isnt registered
does anybody know what drugs these people were on when they wrote this error message and how i might fix it?
situations to avoid #37: "good morning ... how many sugars do you take in your coffee ... and what was your name again?"
coming soon: situations to avoid #38: "...and the dog was there too?"
|
Why not go to that file, find line 10 and check which library it tries to load?
Can't do it by myself, I deleted all IIS files, lmao
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
Need Web-based database administrator? You already have it!
|
Hmm, well, I found it, I forgot that WINNT directory is also kinda a web site root. You can find the file in ..WINNT\iisHelp\Common\..
Looks like Response causes this error. Dunno though what happened to your IIS, never had such a problem. Maybe you want to try to re-install it?
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
Need Web-based database administrator? You already have it!
|
ummm am i running iis5 if i installed win2k pro instead of server? someone said to me today that win2k pro has some half assed personal web manager thing which isnt actually iis ... is that true and would that be causing the problems im having?
situations to avoid #37: "good morning ... how many sugars do you take in your coffee ... and what was your name again?"
coming soon: situations to avoid #38: "...and the dog was there too?"
|
Win2K pro comes with IIS 5, but you can also install the other one, it's a choice in the windows components with IIS.
James
Simplicity Rules!
|
This may be a stupid and simple question, but I know next to nothing about ASP. So please take it easy on me.
I’ve just recently been placed in charge of fixing a misbehaving web application. It seems that the administration pages do not function properly anymore. The problem with the pages pops up when the server-side VBScript code attempts to write to the registry.
The problem arises in the following code:
Dim WshShell
Set WshShell = CreateObject ( "WScript.Shell" )
WshShell.RegWrite "HKLM\Software\SomeApplication\AdminUserID", "SomeUserID"
The error page that the server returns reads:
Error Type:
WshShell.RegRead (0x80070005) <-- Access denied error, I believe.
Invalid root in registry key "HKLM\Software\SomeApplication\AdminUserID".
/apps/rtj/change_admin.asp, line 5
Why does this not work? ... AND why is it showing that I'm calling RegRead, when in fact I'm calling RegWrite?!?
thanks for your help,
-Ben
|
Is your application/web server set up to allow anonymous users to connect? If it is, then it's my guess that anonymous users don't have proper machine privileges to write to the registry. Your code will be executing under the IUSR_YOUR_MACHINE_NAME account which doesn't, and shouldn't, have access to write to the registry.