How do I protect by Access database (.mdb) for not being downloaded from my website?
There are several ways to protect your database:
1) You could locate your database outside of the web server, ie: C:\MyData\mydatabase.mdb and then reference that directory in connFile.asp by replacing the Server.MapPath lines with:
strConnect = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\MyData\mydatabase.mdb;"
Also, be sure to set a userid and password in Access to protect the database itself. The connection string would then read:
strConnect = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\MyData\mydatabase.mdb;UID=MyUserID;PWD=MyPassword;"
2) For the ultimate in security you should use a DSN, that DSN should point to a database server with the proper security settings (userid and password, file permissions, etc.), if the data is for commerce or contains sensitive info, you should use SQL7.
The ASP page that contains the connection string cannot be viewed since the server strips the ASP code before it sends it to the browser.
3) An alternative is to configure HTTP READ-Protected Folders. For a great article on this method visit:
A final note, remember that users generally will not know the name or the location of the database. Simply changing the name and/or the location will usually prevent any download attempts by users that will "guess" the name.