Webmaster Forum > Web Development > Web Design Lobby > Coding Forum

09-14-2004, 02:21 AM   #1   Squibs (Join Date: 09-14-04, Posts: 4)
ASP, msSQL and myODBC security

As a relative newbie, I've picked up most of what I need to know about php and more recently asp via google. My latest venture is likely to be popular enough to possibly generate attention from hackers. I'm worried about my mysql connections. How hard would it be for a hacker to see my source code and be able to take over my databases? Are DSN or DSNless connections safer?

Obviously I don't allow directory indexing, and my admin area uses htprotect, but my content area is open to all. Can't you set up a browser to not process the asp and instead display the code, thus gaining access to the connection details, which you could then exploit with a program like dbTools? I'm guessing the user associated with the connection for content pages should be read only?

What about the phpbb discussion forum? The user for that connection has write access to the phpbb database. I currently use a script that displays recent topics from the forum on my main page.

Sorry for all the questions, but my googling has come up blank on this...
09-14-2004, 03:44 AM   #2   John Scott (CEO, V7 Inc; Join Date: 09-27-03; Location: Japan, mostly; Posts: 42,618)
Welcome to v7n.

I know nothing about coding but I'm sure somebody who does will be along shortly.
09-14-2004, 08:28 AM   #3   Squibs
Thanks John, I certainly hope so. I'm paranoid about being hacked.
09-14-2004, 11:01 AM   #4   imaginemn (v7n Mentor; Join Date: 02-18-04; Location: Minneapolis, Minnesota; Posts: 1,941)
All good questions. Let's see if I can answer most of them.

DSN is always best because your code will not display the passwords, and it gives better performance. I would recommend you set up a special password for your website that does NOT have full admin rights. If you are not writing to the database then make it read only. In other words, DON'T USE the SA password. Create a unique username for the site like web0001 and a complex password. I would make sure that this new username only has access to the tables it needs to have access to and not any of the system tables or account tables. You can always create a unique password for system related tasks.

When using ASP, NEVER include any connection strings with a .inc file. If you do, any browser will see all the code by typing yourwebsite.com/filename.inc, because the server does not know that a .inc file should be rendered as an ASP file. It will treat it like a typical text file. This is probably the biggest mistake most programmers make. Always make sure your connection strings are using an ASP page, or better yet create a .dll file that has this information and then call the object. But that's a technique more experienced programmers use.

I would also recommend that you change your password on a regular basis ("monthly"). Some hackers may store your password and access it a few months later. By then your password would have changed.

Did I forget anything? Let me know.

imaginemn
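To make the three points in the post above checkable, here is an added example (not imaginemn's or the original poster's code) in Python: it walks a web root, picks out connection strings in ASP source, and flags any that live in a file IIS would hand back as plain text (such as .inc), that are DSNless and carry a password, or that log in as sa/root. The file names, account names and passwords in the constructed sample web root are assumptions made for the example.

```python
"""Audit an ASP site for the connection-string mistakes discussed above.

Added example for this thread, not the poster's code. File names, account
names and passwords are constructed. Flags three things per connection
string: it sits in a file IIS serves as plain text (.inc instead of .asp),
it is DSNless and embeds a password, or it logs in as sa/root.
"""
import os
import re
import tempfile

# Extensions IIS hands to the ASP engine; anything else is assumed to be
# returned verbatim to the browser, which is the .inc problem.
SCRIPT_EXTS = {".asp", ".asa", ".aspx"}
PRIVILEGED_USERS = {"sa", "root"}          # SQL Server and MySQL superusers
PASSWORD_KEYS = {"pwd", "password"}
USER_KEYS = {"uid", "user", "user id"}

# A double-quoted VBScript literal that looks like an ODBC/OLE DB
# connection string (contains Provider=, Driver=, DSN=, ... somewhere).
CONN_RE = re.compile(
    r'"([^"]*\b(?:Provider|Driver|DSN|Data Source|Server)=[^"]*)"',
    re.IGNORECASE)


def parse_conn_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def audit_conn_string(conn, path):
    """Return the finding codes for one parsed connection string in `path`."""
    findings = []
    if os.path.splitext(path)[1].lower() not in SCRIPT_EXTS:
        findings.append("served_as_text")      # /filename.inc leaks the source
    if any(conn.get(key) for key in PASSWORD_KEYS):
        findings.append("embedded_password")   # DSNless: the secret is in code
    user = next((conn[key] for key in USER_KEYS if key in conn), "")
    if user.lower() in PRIVILEGED_USERS:
        findings.append("privileged_account")  # sa/root instead of a site user
    return findings


def scan_webroot(root):
    """Walk `root` and return {relative path: [(conn dict, findings), ...]}
    for every file holding at least one connection string with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            hits = []
            for match in CONN_RE.finditer(source):
                conn = parse_conn_string(match.group(1))
                findings = audit_conn_string(conn, path)
                if findings:
                    hits.append((conn, findings))
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed web root: the classic db.inc mistake, a DSNless admin include
# that embeds a password, and a DSN-based include done the recommended way.
SAMPLE_FILES = {
    "db.inc": '<%\nstrConn = "Driver={MySQL ODBC 3.51 Driver};Server=localhost;'
              'Database=squibs_site;User=root;Password=hunter2"\n%>\n',
    "admin/admindb.asp": '<%\nstrConn = "Driver={MySQL ODBC 3.51 Driver};'
                         'Server=localhost;Database=squibs_site;'
                         'UID=squibs_dba;PWD=dbapass"\n%>\n',
    "inc/sitedb.asp": '<%\nstrConn = "DSN=squibs_site;UID=web0001"\n%>\n',
    "content.asp": '<!--#include file="inc/sitedb.asp"-->\n'
                   '<% Set conn = Server.CreateObject("ADODB.Connection")\n'
                   'conn.Open strConn %>\n',
}


def write_sample_webroot(root):
    """Materialise the constructed files under `root`."""
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Write the constructed web root to a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    write_sample_webroot(root)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        for conn, findings in hits:
            user = conn.get("uid") or conn.get("user") or conn.get("user id", "?")
            print(f"{rel}: user={user} -> {', '.join(findings)}")
```

On a real server, point scan_webroot() at the IIS web root. The served_as_text finding assumes the default script mappings, where only the extensions in SCRIPT_EXTS reach the ASP engine; if you have mapped .inc to asp.dll yourself, add it to that set. The DSN-based include is the one that comes out clean: the driver, server and credentials live in the system DSN, so nothing useful is left in the source even if the file were exposed.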
09-14-2004, 01:26 PM   #5   Squibs
Thanks imaginemn,

some great answers, and a lot of work for me! All my connections are currently DSNless and there are better than 50 scripts to update. Also the user I'm using is a DBA - that needs to change (except in the admin area, which needs write access and is htprotected).

Quote:
Always make sure your connection strings are using an ASP page
I don't quite understand this point. Could you please elaborate?

Squibs
09-14-2004, 01:41 PM   #6   imaginemn
NP.

Typically what you do is create one database script file that you can include on all your pages as a server side include file, something like mydb.asp or mydb.inc, something unique and not common like db.asp or db.inc. Most programmers use db because it's easy to remember, but it's also easy to try to hack. What I meant is DO NOT use the .inc file extension when using ASP. I cannot express this enough.

By only having one db file with the connection string, you will be able to easily update the whole site without having to change 50 pages. As far as your DBA account goes, you should really create a unique user that has read/write access so it can add/remove/alter data but not be able to create tables/remove tables or access any admin resources via browser. The last thing you need is for someone to get your password, log in, and create a new user; when you change your password, the other account is still active if you don't know about it.

imaginemn
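An added example, not part of imaginemn's post, that checks whether a MySQL account matches the split recommended in posts #4 and #6 above (a read-only user for content pages; a read/write user with no table creation/removal and no admin rights for the forum and admin area): a Python script that parses SHOW GRANTS rows offline and reports anything broader. The account names and grant lines are constructed for the example.

```python
"""Check MySQL SHOW GRANTS output against the account split recommended
above: a read-only user for content pages and a read/write user (no
CREATE/DROP/ALTER, no admin rights) for the forum and admin area.

Added example for this thread, not the poster's code. Account names and
the grant lines are constructed; run SHOW GRANTS FOR 'user'@'host' on a
real server and feed its rows to parse_show_grants().
"""
import re

ADMIN_PRIVS = {"ALL", "ALL PRIVILEGES", "SUPER", "GRANT OPTION", "CREATE USER",
               "FILE", "PROCESS", "RELOAD", "SHUTDOWN", "REPLICATION SLAVE",
               "REPLICATION CLIENT"}
DDL_PRIVS = {"CREATE", "DROP", "ALTER", "INDEX", "REFERENCES", "CREATE VIEW",
             "CREATE TEMPORARY TABLES", "CREATE ROUTINE", "ALTER ROUTINE",
             "EVENT", "TRIGGER", "LOCK TABLES"}
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>'[^']*'@'[^']*')(?P<tail>.*)$", re.IGNORECASE)


def parse_show_grants(lines):
    """Return {account: [(database, privilege set), ...]}.

    USAGE (MySQL's 'no privileges' placeholder) is dropped and WITH GRANT
    OPTION is recorded as the GRANT OPTION privilege. The database is '*'
    for global grants; table-level grants are folded into their database.
    """
    accounts = {}
    for line in lines:
        match = GRANT_RE.match(line.strip().rstrip(";"))
        if not match:
            continue
        privs = {p.strip().upper() for p in match.group("privs").split(",")}
        privs.discard("USAGE")
        if "GRANT OPTION" in match.group("tail").upper():
            privs.add("GRANT OPTION")
        database = match.group("scope").split(".")[0].strip("`")
        accounts.setdefault(match.group("account"), []).append((database, privs))
    return accounts


def audit_account(grants, role, allowed_db):
    """Compare one account's grants with the role it is meant to play.

    role is 'read_only' (content pages) or 'read_write' (forum/admin).
    Every value in the returned dict is empty or False when the account is
    as tight as the thread recommends.
    """
    all_privs = set().union(*(privs for _, privs in grants))
    if all_privs & {"ALL", "ALL PRIVILEGES"}:        # ALL implies everything
        all_privs |= ADMIN_PRIVS | DDL_PRIVS | WRITE_PRIVS
    return {
        "global_scope": any(db == "*" and privs for db, privs in grants),
        "other_dbs": {db for db, privs in grants
                      if privs and db not in ("*", allowed_db)},
        "admin": all_privs & ADMIN_PRIVS,
        "ddl": all_privs & DDL_PRIVS,
        "write_beyond_role": (all_privs & WRITE_PRIVS
                              if role == "read_only" else set()),
    }


def is_least_privilege(report):
    """True when audit_account() found nothing beyond the intended role."""
    return not any(report.values())


# Constructed SHOW GRANTS rows: the two recommended site accounts plus the
# DBA account the original poster is currently using from web pages.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'web0001'@'localhost'",
    "GRANT SELECT ON `squibs_site`.* TO 'web0001'@'localhost'",
    "GRANT USAGE ON *.* TO 'forum_rw'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `phpbb`.* TO 'forum_rw'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'squibs_dba'@'%' WITH GRANT OPTION",
]
EXPECTED_ROLES = {            # account -> (role, only database it may touch)
    "'web0001'@'localhost'": ("read_only", "squibs_site"),
    "'forum_rw'@'localhost'": ("read_write", "phpbb"),
    "'squibs_dba'@'%'": ("read_write", "squibs_site"),
}


def audit_sample():
    """Audit every constructed account against its expected role."""
    accounts = parse_show_grants(SAMPLE_GRANTS)
    return {acct: audit_account(accounts[acct], role, db)
            for acct, (role, db) in EXPECTED_ROLES.items()}


if __name__ == "__main__":
    for acct, report in audit_sample().items():
        status = "OK" if is_least_privilege(report) else "TOO BROAD"
        print(f"{acct}: {status} {report}")
```

Against a live server, run SHOW GRANTS FOR 'user'@'host' for each account the web pages use and pass the rows to parse_show_grants(). An empty report means the account can only read (or read and write) rows in its own database; the DBA account in the sample comes back with global scope, GRANT OPTION and DROP, which is exactly the "create a new user and keep access after you rotate the password" risk described in the post.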
All times are GMT -7. The time now is 06:49 PM.
© Copyright 2008 V7 Inc