My office unfortunately uses MS Access for our web database. I’ve been lobbying for something more robust, but so far there have been no changes.
Today I got an email from the security people. They’ve recommended that I use a “more robust” database (I swear I am not making this up), but MS Access is still the only option. So I’ve been trying to think of ways to make the thing more secure.
I thought about password protecting the database, but if I do that, my cfquery fails, even if I add the password= attribute. Does anyone know how to make this work? If it does work, will I have a file lock problem (it’s Access, after all)?
Are there any other ways to make this unfortunate combo any more secure?
Even if you could assign a password, that does next to nothing to secure the database.
I’m not sure what else I can do.
IMO, nothing. You either have to upgrade to a real database or accept all the inherent limitations and security risks that come with using a desktop application on a server.
Nope, can’t do that. It’s a public website that has to be accessible to everyone. The only thing in the database is who to contact for additional information about a given page. None of the pages modify the database in any way.
I’ve been trying to do something like add a user to the database and assign that user read-only access, then using that username in the cfquery, but that doesn’t seem to work (I can still perform inserts and updates with that username).
I’m not sure what else I can do.
Can you secure the web application? Maintain a table of userids / passwords and create a login page which looks up the user then sets a cookie or session variable.
Each page then checks the session/cookie variables to see if logged in, else redirects them to the login page.
You could even then use the variable to manage user security levels. I.e. Managers might have access to more reports/queries than staff users.
You’re preaching to the choir. I’ve been trying to get them to at least move to MS SQL Express. Feels like I’m beating a dead horse though.
I can’t really help you there. It’s been years since I was forced to use Access for a web application. But you might ask security for a list of requirements that meet the “more robust” database test. Because almost certainly Access isn’t even going to make a “C” grade on that list. That might help convince the powers that be … that MS Access should not be … your db of choice.
(I mean … come on. It’s Access, the tinker toy of databases. Do they expect you to morph it into a cross between the Terminator and an enterprise database with a wave of your magic wand?)