BreakawayPaul
Inspiring
May 19, 2010
Question

Making a more secure ColdFusion/MS Access website


My office unfortunately uses MS Access for our web database.  I've been lobbying for something more robust, but so far there have been no changes.

Today I got an email from the security people.  They've recommended that I use a "more robust" database (I swear I am not making this up), but MS Access is still the only option.  So I've been trying to think of ways to make the thing more secure.

I thought about password protecting the database, but if I do that, my cfquery fails, even if I add the password= attribute.  Does anyone know how to make this work?  If it does work, will I have a file lock problem (it's Access, after all)?

Are there any other ways to make this unfortunate combo any more secure?


    3 replies

    Participating Frequently
    May 27, 2010

    The one thing you can do is make sure the MS Access file is someplace IIS cannot/does not reach. If the mdb file is someplace that only ColdFusion can get to, you might be all right.

    Don't bother password protecting the database; there are plenty of programs freely available on the Internet that will crack the MS Access password in seconds.
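An added example, not part of the original thread: one way to check the advice above, that the .mdb file sits somewhere IIS does not serve. It parses the `<sites>` section of an IIS `applicationHost.config` and reports any URL under which a given database path would be reachable. The config snippet, the database paths and the `%SystemDrive%` value are constructed for illustration.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the <sites> section of applicationHost.config.
SAMPLE_CONFIG = r"""
<configuration><system.applicationHost><sites>
  <site name="Intranet" id="1">
    <application path="/">
      <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
      <virtualDirectory path="/reports" physicalPath="D:\Web\Reports" />
    </application>
  </site>
</sites></system.applicationHost></configuration>
"""
ENV = {"systemdrive": "C:"}  # assumed value for this sample


def normalise(path, env=ENV):
    """Expand %VAR% references, collapse '..', and fold case and slashes."""
    path = re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return ntpath.normcase(ntpath.normpath(path))


def served_roots(config_xml):
    """Yield (site name, URL prefix, physical path) for each virtual directory."""
    for site in ET.fromstring(config_xml).iter("site"):
        for app in site.iter("application"):
            for vdir in app.iter("virtualDirectory"):
                url = app.get("path", "/").rstrip("/") + "/" + \
                    vdir.get("path", "/").strip("/")
                yield site.get("name"), url, normalise(vdir.get("physicalPath"))


def exposure(db_path, config_xml=SAMPLE_CONFIG):
    """Return (site, URL) pairs under which db_path is inside a served folder."""
    db = normalise(db_path)
    hits = []
    for site, url, phys in served_roots(config_xml):
        root = phys.rstrip("\\")
        # Compare with a trailing separator so 'wwwroot_data' does not match.
        if db.startswith(root + "\\"):
            rel = db[len(root):].replace("\\", "/")
            hits.append((site, url.rstrip("/") + rel))
    return hits


if __name__ == "__main__":
    for candidate in (r"C:\inetpub\wwwroot\data\office.mdb", r"D:\cfdata\office.mdb"):
        print(candidate, "->", exposure(candidate) or "not under any IIS root")
```

An empty result only says the file is outside every virtual directory in that config; NTFS permissions on the folder still decide which accounts besides the ColdFusion service can read it.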

    ilssac
    Inspiring
    May 19, 2010

    I'm not sure why you are locked into MS Access.  If it is just perceived cost, you may be able to sell the SQL Server Express offering from Microsoft.  It is a free version of the SQL Database management system actually designed for network use, whereas Access is really designed to be used on an individual workstation.  http://en.wikipedia.org/wiki/SQL_Server_Express

    BreakawayPaul
    Inspiring
    May 19, 2010

    Yeah I've been pushing for a change to SQL Express for over a year, but I haven't made any headway at all, and I have no idea why.

    Dan: Basically right now we copy an mdb file onto the web server into a directory that cannot be accessed via HTTP.  Then we add it as a datasource to the CF Administrator.  All the pages have a regular <cfquery> tag that queries the database(s).

    I've been trying to figure out how to at least add a password to the database that I can add to the <cfquery> tag, but it either completely locks out the web page, or has no effect whatsoever.

    Other than that, I can't think of a way to make Access any more "secure".

    tclaremont
    Inspiring
    May 19, 2010

    Tell them they can't have it both ways. Either they want to use Access, or they want something more secure. Pick one.

    Inspiring
    May 19, 2010

    More secure than what you are currently doing?  Hard to answer that when you didn't tell us what you are currently doing.