Database Naming and Location


When you use an Access database to store information that will be available via the web, you need to address a few security issues. Microsoft Access creates file-based databases, which means that all the data is stored in a single, portable file that can be copied to a floppy, burned to a CD, or downloaded from a website. Although this is great because it makes it easy to transport your database from one place to another, it is also a security concern because you don't want anyone downloading your database and having access to your customer information. A few things, however, will significantly decrease the chance of your database being stolen.

The first step you can take is to place the database in a directory with a unique name. Giving the directory a hard-to-guess name diminishes the chance that some clever hacker can go to your site, guess the name of the directory, and be that much closer to downloading your database.

Create a new folder in your web root called rcdb99840b and save the retros_cycles_99300d2.mdb to that folder. If you are using IIS and chose the default settings when setting it up, the path to your database would be c:\InetPub\wwwroot\rcdb99840b\retros_cycles_99300d2.mdb, as shown in Figure 21.8.

Figure 21.8. Place the database in a folder with a unique name.


Note

Remember that the location of the root folder for your website is going to be different if you are using a web server other than IIS in Windows. If you are using a web server such as Apache, adjust the path to the database accordingly.


The second step you can take to protect your Access database is to give it a unique name. If you accept the default name of db1.mdb that Access tries to assign to your database, it's likely that someone with an understanding of Access will be able to guess that name. In addition, it wouldn't be safe enough to name the database for Retro's Cycles something like retros_cycles_database.mdb because this name is still one that is easy to guess. Instead, name it something that you will be able to recognize and append a string of totally random letters and numbers, so that it's highly unlikely that someone could just guess the name of the database. As you saw in the previous section, the database that was created for Retro's Cycles is named retros_cycles_99300d2.mdb.

The next step you can take is to disable directory browsing in your web server application. As shown in Figure 21.9, IIS and other popular web servers allow you to determine whether browsing to the root of a site that does not contain a home page displays the contents of that directory. To disable directory browsing in IIS, follow these steps:

Figure 21.9. Directory browsing has been disabled in this site.


1. Open the Computer Management console by right-clicking on My Computer and choosing Manage. In the Computer Management console (see Figure 21.10), click the plus sign next to Service and then click the plus sign next to Internet Information Services.

Figure 21.10. The Computer Management console.


Note

If you don't see IIS in the list of services, you probably don't have IIS installed. If you have Windows 2000 or XP Professional, refer back to Chapter 17, "Introducing ColdFusion MX 7," for additional information on installing IIS. If you have Windows Me or XP Home Edition, you're going to need to consider upgrading because neither of these operating systems supports IIS. Mac users can use Apache as their web server.

Tip

If you are using Apache as your web server application, you can disable directory browsing by creating a text file in your root directory named .htaccess. In that file, add the following line of code and save it:

Options All -Indexes


With this .htaccess file in place, directory browsing is disabled for all folders within the site.

2. Click the plus sign next to Web Sites. Right-click on the Default Web Site and choose Properties.

3. In the Default Web Site Properties dialog box (see Figure 21.11), choose the Home Directory tab and uncheck the Directory Browsing check box.

Figure 21.11. Disable Directory browsing via the Web Site Properties.


4. Click OK to apply the changes and close the dialog box.
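
The checks from this section can be run against a web root with a short audit script. The following Python is an added example, not code from the book: it flags Access databases whose file or folder name is easy to guess and a root .htaccess that does not explicitly turn Indexes off. The function names and the digit-based guessability heuristic are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

def indexes_disabled(htaccess_text):
    """True only if an Options directive explicitly leaves Indexes off."""
    enabled = None  # None: no Options directive seen, the setting is inherited
    for line in htaccess_text.splitlines():
        words = line.split()
        if not words or words[0].lower() != "options":
            continue  # comment lines start with '#', so they are skipped too
        seen_plain = False
        for w in words[1:]:
            sign, opt = (w[0], w[1:]) if w[0] in "+-" else ("", w)
            if not sign and not seen_plain:
                enabled, seen_plain = False, True  # unprefixed list replaces inherited set
            if sign == "-" and opt.lower() == "indexes":
                enabled = False
            elif sign != "-" and opt.lower() in ("indexes", "all"):
                enabled = True
    return enabled is False

def looks_guessable(name):
    # Heuristic assumed here: safe only if a token has >= 6 chars and >= 3 digits.
    tokens = re.split(r"[^0-9A-Za-z]+", name)
    return not any(len(t) >= 6 and sum(c.isdigit() for c in t) >= 3 for t in tokens)

def audit_webroot(root):
    """Return sorted (issue, path) findings for the web root directory."""
    root = Path(root)
    ht = root / ".htaccess"
    findings = []
    if not indexes_disabled(ht.read_text() if ht.is_file() else ""):
        findings.append(("directory-browsing-not-disabled", ".htaccess"))
    for db in root.rglob("*"):
        if not db.is_file() or db.suffix.lower() != ".mdb":
            continue
        rel = db.relative_to(root).as_posix()
        if looks_guessable(db.stem):
            findings.append(("guessable-database-name", rel))
        if db.parent == root or looks_guessable(db.parent.name):
            findings.append(("guessable-database-folder", rel))
    return sorted(findings)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample web root
        Path(tmp, "db1.mdb").touch()
        Path(tmp, ".htaccess").write_text("Options Indexes\n")
        print(audit_webroot(tmp))
```

The script reads only the .htaccess file in the web root. It does not evaluate the main Apache configuration, including whether AllowOverride permits the Options directive to take effect there.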

One additional note should be mentioned when it comes to securing your database directory. If you are familiar with Microsoft Windows directory permissions, you may know that in the Windows operating system, the typical default permission level is to allow the Everyone group access to your folder. This means that any user accessing the machine has access to that directory. To reduce the possibility of inappropriate access, consider removing the Everyone group's access and further restricting access to the database directory to those accounts that need to access it. Before you rush in and remove all the permissions, however, be aware that certain accounts need to have read and write access to the database directory or your web applications may not function correctly. For complete details on the minimum permission levels that are required on your database directory, check out the Technote from Macromedia that can be found at the following URL:

http://www.macromedia.com/cfusion/knowledgebase/index.cfm?id=tn_18802



Special Edition Using Macromedia Studio 8
ISBN: 0789733854
EAN: 2147483647
Year: 2003
Pages: 337
