Writing Secure Dreamweaver MX Applications
By: Macromedia Team
    2003-03-31

    Table of Contents:
  • Writing Secure Dreamweaver MX Applications
  • Examining ISAM Databases
  • Ensuring Physical Security
  • Ensuring Virtual Security
  • Ensuring Internal Security



    Writing Secure Dreamweaver MX Applications - Examining ISAM Databases


    (Page 2 of 5 )

    Indexed Sequential Access Method (ISAM) databases include the popular file-based databases like Microsoft Access, FileMaker, and FoxPro. They are typically self-contained and can be accessed through a driver; they don't need a server application to run them.

    They are often created locally and then uploaded to a web server, where a connection is made through a Data Source Name (DSN), a hard-coded connection path (DSN-less connection), or a server-specific method like Server.MapPath in ASP. ISAM databases are inexpensive and easy to use. They are also easy to compromise if you don't follow a few simple steps to protect them.

    First, take care where you store the database file. If at all possible, store the database file in a folder that is above the root of your website on the server. For instance, if the physical path to your website on the web server is c:\websites\mywebsite, then the root folder mywebsite and all the folders underneath it are accessible from a browser.

    This means that if you store your database file in the folder c:\websites\mywebsite\database, someone who knew or guessed the name of your file could download it from your site by simply browsing to www.mywebsite.com/database/filename.mdb. Because the server would have no associated program with which to run an MDB file, it would allow the user to download the file.
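    The placement rule above can be checked before deployment. The following is an added example, not code from the original article: it reads the database path out of DSN-less connection strings and reports any file that sits under the web root, together with the URL a browser could request. The function names and sample connection strings are constructed for illustration; the paths and host name are the ones used in the text.

```python
import ntpath  # Windows path rules, usable on any OS

# Keys that carry the file path in Jet OLE DB and Access ODBC connection strings.
DB_PATH_KEYS = ("data source", "dbq")

# Constructed sample input (not taken from a real site).
SAMPLE_CONNECTION_STRINGS = [
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\websites\mywebsite\database\filename.mdb",
    r"Driver={Microsoft Access Driver (*.mdb)};DBQ=C:\Websites\data\filename.mdb",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\websites\mywebsite\..\data\filename.mdb",
]


def db_path_from_connection_string(conn_str):
    """Return the database file path from a DSN-less connection string, or None."""
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() in DB_PATH_KEYS:
            return value.strip().strip('"')
    return None


def browser_url(db_path, web_root, host):
    """Return the URL that serves db_path, or None if it lies outside web_root."""
    # Normalise case, slashes and ".." so the comparison follows Windows rules.
    root = ntpath.normcase(ntpath.normpath(web_root))
    path = ntpath.normcase(ntpath.normpath(db_path))
    try:
        # commonpath compares whole components, so "mywebsite2" is not "mywebsite".
        inside = ntpath.commonpath([root, path]) == root
    except ValueError:  # different drives, or a relative path mixed with an absolute one
        inside = False
    if not inside or path == root:
        return None
    rel = path[len(root):].lstrip("\\")
    return "http://" + host + "/" + rel.replace("\\", "/")


def audit(connection_strings, web_root, host):
    """Return (db_path, url) for every database a browser could download."""
    findings = []
    for conn_str in connection_strings:
        db_path = db_path_from_connection_string(conn_str)
        url = browser_url(db_path, web_root, host) if db_path else None
        if url:
            findings.append((db_path, url))
    return findings


if __name__ == "__main__":
    for db, url in audit(SAMPLE_CONNECTION_STRINGS, r"c:\websites\mywebsite", "www.mywebsite.com"):
        print("downloadable:", db, "->", url)
```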

    Second, you can avoid the possibility of a user downloading your database by performing a simple operation that takes advantage of a bug in Windows NT and Windows 2000 Server. Encrypt the database in Access and rename its extension from .mdb to .asp. Then, use the .asp filename in a DSN-less connection. Because the database is encrypted and named with the .asp extension, the ASP server will try to process it as ASP—and will fail and throw an ASP tag error if a user tries to download the file.

    Finally, assign your database a username and password. Microsoft Access, for instance, comes with the default username Admin. Until a password is assigned for the Admin user, none is required, so whenever the database file is accessed, the program assumes that it should log in as the Admin user with a blank password. If someone is able to find and download your database file, nothing will stop that person from opening it and examining your data.

    Securing database servers

    Database servers are full-featured data store applications like Microsoft SQL Server and Oracle. (I won’t get into middle-ground applications like MySQL, but some of the same concepts apply.) There are three things you need to take into consideration when securing applications that run on databases that are accessible from the Internet: physical security, virtual security, and internal security.
