all they would need to do was exploit the database so it could be remotely downloaded, then you would be able to open it up and look at the user name/passwords. Go back to the site and enter them in. I would recommend using php / SQL if you want it to be done securely.

Kind Regards
- Karmen

I think by exploiting the database is not by having what kind of database, rather how you work on your SQL structure, eg. one-way-hash all password for security. But in the first place, they need to get into the server to download the database. So if they do, then even MySQL can be downloaded.

Or is there another easier way to exploit Access database compare to MySQL? Just curious.

Cheers

well theres varies ways a website can be compromised.

One of the most popular methods is an RFI which is a Remote File Inclusion. Basically this lets you remotely add a file called a "Shell" to a website. This shell is basically like a FTP client on site itself. Once the Shell has been included you can upload a permanent shell like www.site.com/directory/shell.php? Now to access the shell you simply go to that url. Once your shell has been uploaded you basically have root access to the server and you can control it as if you were using an FTP. This would allow you to download the database.

Another method would be LFI which is a local file inclusion which is like www.site.com/maps/index.php?page=.../.../.../etc/passwrd

now what that will do would dump the username/password file onto that page so you can read the username/passwords. Although with this method it dumps the MD5 hash which is the encrypted password but these can be cracked very easily.

So in theory both methods work if your wanted to get admin access on a website.

I also agree in not using MS Access I have seen some pages with ASP that work with this database and they work very slow. Access is not intended to work in web, it is only useful If you want to create a simple and single user system and you want it to be working in very few time and in a local environment. It is easy to use because it has a graphic environment and wizards to create the user interface. However there are many tool for working with other database systems (like PhpMyAdmin) so I prefer not to work with access in any case, unless is the only option (because of licenses or host configuration).

I also agree to use MySQL, Microsoft Sql Server or Oracle that are more scalable and powerful databases. MySQL is free and is going better in each release, so is a very good option for many websites.

Hi, i think that you have good knowledge of Access and hope that you may help me with a problem i have with an Access 97 database.

I have an Access 97 database that seems to be crashed because i can't work with it, the only posible thing that i can do with it is to open it and view all the tables, queries, etc. that it have, but for example, if i try to open any of its tables or queries either in design or data mode Access shows up an error window with the following message: Couldn't read definitions; no read definitions permissions for table or query 'table_name'.

Also, i'm not be able to export any thing of this database, or convert it to another version of Access like Access 2000 or 2003, when i try to do it Access shows up another error window but in this case saying something related with the user permissions, exactly i don't remember right now the complete message but is more or less like the previous one.

Another thing that i notice is that when i enter to the security options located on the tools menu i view that this database don't have any owner, it shows up that the owner of the database is unknow.

In the topic Access 97 to Access 2003 that i post two weeks ago the user faulty.lee give me a solution to this but unfortunately it doesn't work too.

I hope that my explanation is enough and you understand it completely, if not, please ask me whatever you want or need.

Best regards,

I just had to respond to this as it seems your class failed you miserably. As an Access developer I have made applications in Access for several companies that are used for mission critical tasks and data. Access can be used as a Client server system with multiple concurrent users as well. With same VBA Access also makes a nice RAD tool.

Though I have used Access as a back end for ASP pages as well it is better suited for desktop applications use.

How to secure information in a form using a login password?
Access

I'm trying to make a database of our company's documents where people can view all the information of certain documents but they are not allowed to add, edit or delete information on the database. They can only navigate and view records.

I wanted to open the database using two usernames such as Controller and Viewer, with their assigned passwords. The Controller can open the database and have all the permissions to add, edit or delete. While the Viewer is limited to what I have described above.

Hope you can help me with this. A simple database sample would be very much appreciated.

Can this be done without using the User and Groups Security tools?

-question by Tony Santos

This CAN be done without using users and groups, but, there is no reason not to. The security tools in Access are tried and proven to work leaving no reason to re-invent the wheel. If you have troubles using the tools provided in the application the help files are well written and support.microsoft.com is a wonderful resource. Of course if you have specific questions we can help you here as well.

Taking a small risk at offense: if the tools Access provides for securing a database are a bit beyond a designers understanding then creating effective security on his own is well beyond it.