-
Feb 22nd, 2001, 05:24 AM
#1
Thread Starter
Hyperactive Member
Hello,
I'm STILL wondering/worrying about how secure my data on my db is!!
I have a page called products.asp which connects to a SQL Server db.
This is how I connect to my db....
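<%@ enablesessionstate = false%>
<% option explicit%>
<%
response.buffer=true
dim rs,cn
dim objcmd
' create the ADO connection object before opening it
set cn = server.createobject("adodb.connection")
cn.open "dsn=products;uid=myproducts;pwd=yourproducts"
%>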
My problem is that my uid/pwd is there for anyone(??) to see!! I know
that by right-clicking and view source you cannot see the asp code, but
surely there is some way for someone to see this!!
My questions are..
1.) Is the way I'm doing it ok/safe??
2.) How easy/difficult is it for someone to access my db with this
info and change/delete/edit all my records??
3.) What can I do to ensure the safety of my data??
4.) Any other suggestions please
Thanks,
T
-
Feb 22nd, 2001, 06:28 AM
#2
It's not secure at all. Anyone with half a mind can use an inet control to bind to your IIS server and retrieve the source code for the page.
The only way to make it secure is to connect to the database in a COM component; this is compiled and therefore secure. Having said that, someone could still write a script that could bind to the server and invoke the COM component and then mess around with the db.
I would definitely use a COM DLL; it is the best you can do and there is a performance boost because it is already compiled.
-
Feb 22nd, 2001, 06:49 AM
#3
Thread Starter
Hyperactive Member
Thanks,
It does not seem good!!! Do you maybe have any sample code for me? Or do you know where I can look at a tutorial on this?
I know a bit of VB. Do I just have to write a COM component in VB which connects to my db and then call it thru my ASP page? How do I call it??
Thanks for your help,
T
-
Feb 22nd, 2001, 07:09 AM
#4
-
Feb 22nd, 2001, 10:51 AM
#5
Addicted Member
Madworm, 2 questions:
How do they bind the inet control to IIS (just the general idea)?
I am confused. Do you mean that using this method anyone can get the source code of any ASP page?
Surely not!
You are scaring me!
Alex
ASP, SQL, VB6, Java Script and dubious guitar playing skills.
-
Feb 23rd, 2001, 12:10 AM
#6
Sorry guys, I've just read my post; what I said about ASP was wrong. I'd just gotten home from a funeral and wasn't with it at all. I was a very sad and confused Worm. My mistake, and I offer my apology for leading you up the garden path.
All your asp stuff is compiled, it IS safe from predators, all you can get is the HTML with an inet control. The following line of code will return the HTML source from the page, assuming you have a form with a text box called text1 and an inet control called inet1.
Code:
Text1.Text = Inet1.OpenURL("http://www.microsoft.com")
Next time I'm in the office I'll post a quick sample DLL on this thread so you see the COM component doing the database work.
-
Feb 23rd, 2001, 04:24 AM
#7
Thread Starter
Hyperactive Member
Thanks MadWorm, and sorry to hear about your loss!!
I'd appreciate some code.
Cheers,
T
-
Feb 27th, 2001, 04:50 PM
#8
Why don't you simply create a user on your SQL Server that only has certain rights (select, maybe update if necessary)?
That way even if somebody would be able to download your asp code, they wouldn't be able to mess with your database!
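The restricted account suggested in post #8, as an added example that is not part of the original thread: it creates a login that can only read one table and update one column, then checks the result. It uses current T-SQL syntax (SQL Server 2005 and later); the database, table, column and login names are hypothetical and the password is a placeholder.

```sql
-- Added example. ProductsDb, dbo.Products, Stock and web_products_reader
-- are hypothetical names. Run this as an administrator, not as the web account.
CREATE LOGIN web_products_reader
    WITH PASSWORD = '<generate-a-strong-password>';
GO

USE ProductsDb;   -- hypothetical database behind the "products" DSN
GO

-- Map the login to a database user that starts with no object permissions.
CREATE USER web_products_reader FOR LOGIN web_products_reader;
GO

-- Read access to the one table the page displays.
GRANT SELECT ON OBJECT::dbo.Products TO web_products_reader;

-- "Maybe update if necessary": limit it to the column the site must change.
GRANT UPDATE ON OBJECT::dbo.Products (Stock) TO web_products_reader;
GO

-- Check the permissions from the account's own point of view.
EXECUTE AS USER = 'web_products_reader';
SELECT
    HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'SELECT') AS can_select,
    HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'INSERT') AS can_insert,
    HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO

-- List every permission explicitly granted or denied to the account.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_NAME(pe.major_id)            AS object_name,
       COL_NAME(pe.major_id, pe.minor_id)  AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'web_products_reader';
```

The connection string in the ASP page or COM component would then carry this login instead of an account that owns the tables, so a leaked string exposes only the rights listed by the last query.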
-
Feb 28th, 2001, 03:32 AM
#9
Sorry about the delay, haven't been quite on the ball the last few days. Start VB, select ActiveX DLL as the new project.
The project was called wc and the class file this code was in was called getrs, so it was instantiated and then called on the ASP by response.write wc.getrs; it returns, as a string, an HTML table containing the recordset data.
Code:
Public Function getrs() As String
    On Error GoTo errorhandler
    Dim rs As New Recordset
    Dim conn As New Connection
    Dim ConnectionString As String
    Dim mystring As String
    'initialise stuff
    mystring = ""
    'make connection to db
    Set conn = CreateObject("adodb.connection")
    ConnectionString = "ODBC;UID=username;PWD=password;SVR=SERVERNAME;CLS=CLASS;XPT=2;DBA=W;DRIVER=Oracle ODBC Driver for RDB"
    conn.Open ConnectionString
    'grab records
    rs.Open "SELECT * From CAA_APPLICATIONS order by caa_applications.system_code", conn, adOpenStatic
    'the business bit: one table row per record
    Do While Not rs.EOF
        'mystring = mystring & "<TR>" & "<TD>" & rs![system_code] & "</TD>" & "</TR>"
        mystring = mystring & "<TR>" & "<TD>" & rs![system_code] & "</TD>" & "<td>" & rs![cisb_supported] & "</TD>" & "<td>" & rs![application_manager] & "</TD>" & "<td>" & rs![am_phone] & "</td>" & "<td>" & rs![account_manager] & "</td>" & "<td>" & rs![acm_phone] & "</td>" & "</TR>"
        rs.MoveNext
    Loop
    'give string back to caller
    getrs = mystring
    'tidy up
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    Exit Function
errorhandler:
    'label referenced by On Error above; return an empty string on failure
    getrs = ""
    Set rs = Nothing
    Set conn = Nothing
End Function
-
Feb 28th, 2001, 10:04 AM
#10
Guru
Turf, who are you afraid will see your DB connection string? If you are worried about your clients, STOP WORRYING. They would have to be able to browse the file system of your web server looking for the DSN, somehow determine that the DSN belongs to you and then open up a connection to your SQL Server database.
Assuming your web server's security has been set up properly (all ports closed except web server, disable NetBIOS on external NIC, etc.) you don't need to do anything else to protect your server.