Secure MS Access database on the web

  Raccoon 18:04 27 Mar 2007
Locked

I have created an Access database for membership of my Church and want it to be available for update by various people. I want to do this via the web using ASP.

I can do the pages, connections etc., but my problem is making the database secure from prying eyes - I want to ensure that the data (personal data including email addresses) doesn't fall into the wrong hands.

I have planned to:

1. set database security and prompt users for passwords
2. store the database in a folder with an obscure name (i.e. not /database/)
3. call the database an obscure name with an extension that is not .mdb

Should I be doing more?

Any advice gratefully received.

  Forum Editor 00:01 28 Mar 2007

One area of my work entails advising corporate clients on SQL database vulnerabilities - I don't use MS Access, and it's not really used on commercial websites.

It might be useful to create a subweb, and put your database, plus ASP pages into it. You can easily control access to the subweb via a .htaccess password system.

There are lots of tips I could give you for securing online data, but not all will apply to an Access database. Try to use some basic security measures however, and you'll be reasonably secure. I say 'reasonably' because a determined and knowledgeable person will get to your data anyway. That said, I imagine the risk attached to a church membership database is going to be pretty small.

Here are some pointers:

1. Make passwords at least 6 characters long.

2. Don't tell people why a login failed. Many websites have helpful pages saying things like "your username was incorrect, please try again", thus giving a clue to a hacker that at least the password was OK. Don't do that, just provide a basic error message: "Login failed - please try again"

3. Don't ever include 'admin', 'administrator', 'root', 'owner' or 'webmaster' in your password list.

4. Have your login script check the http_referrer to see where the request came from. It should come from your HTML form on the same server. If it doesn't, your script should reject the login. This won't stop expert hackers because they'll fake the http_referrer, but it's still worth doing.
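
The four pointers above combined into one login check, as an added example that is not part of the original post. It is written in Python rather than ASP so it runs stand-alone; the PBKDF2 password storage, the function names, the host `www.example.org` and the sample account are assumptions of the example.

```python
import hashlib
import hmac
import os
from urllib.parse import urlsplit

GENERIC_FAILURE = "Login failed - please try again"  # pointer 2: one message only
RESERVED = ("admin", "administrator", "root", "owner", "webmaster")
MIN_PASSWORD_LEN = 6


def hash_password(password, salt):
    # Salted PBKDF2 storage is an assumption here; the thread does not discuss it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def acceptable_password(password):
    """Pointers 1 and 3: minimum length, and none of the obvious words."""
    lowered = password.lower()
    return len(password) >= MIN_PASSWORD_LEN and not any(w in lowered for w in RESERVED)


def referer_is_same_host(referer, server_host):
    """Pointer 4: the form post should come from a page on this server."""
    if not referer:
        return False
    # Compare the parsed host exactly; a substring test would accept look-alikes.
    return (urlsplit(referer).hostname or "").lower() == server_host.lower()


def login(username, password, referer, server_host, users):
    """Return (ok, message); every failure path gives the same message."""
    salt, stored = users.get(username, (b"\x00" * 16, b""))
    # Hash even for unknown users so both failure cases do the same work.
    candidate = hash_password(password, salt)
    ok = (
        referer_is_same_host(referer, server_host)
        and username in users
        and hmac.compare_digest(candidate, stored)
    )
    return (True, "Welcome") if ok else (False, GENERIC_FAILURE)


# Constructed sample data: one member account on a hypothetical host.
_salt = os.urandom(16)
USERS = {"raccoon": (_salt, hash_password("c0rrect-horse", _salt))}
HOST = "www.example.org"
```

As the post says, the Referer header is supplied by the client, so this check only filters out casual requests and does not replace the password check.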

  Raccoon 21:38 28 Mar 2007

Thanks for the advice - I'll try the .htaccess tip

This thread is now locked and can not be replied to.
