[AccessD] Access Security - Web Based ASP

Erwin Craps - IT Helps Erwin.Craps at ithelps.be
Fri Jan 9 15:45:22 CST 2004


I have a small little trick I used for the same reasons.
I'm using a separate MDB file which has linked tables to the backend
database.
Only the tables I really need are in the WEB database.
If it ain't there you can get in....

But I suppose that the data of the people are all in the same table.

You need a password system to log in via the web; these user/passwords are
stored in a table in your db. On a correct match, you store the ID of
the person in the session.

If you build an SQL string, then you always use the person's ID stored in
the session. So don't use any parameters in the URL string for person
identification.

You should be reasonably safe with that, but not 100%, you never are
100% safe....

Erwin
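
The pattern described in the message above (log in against a user table, keep the person's ID in the server-side session, and filter every query by that ID rather than by anything in the URL), as an added example that is not part of the original post. It is a Python sketch rather than ASP, with SQLite standing in for the web-facing MDB; the table names, column names, sample rows and the PBKDF2 password hashing are assumptions made for the illustration.

```python
import hashlib, hmac, os, secrets, sqlite3

def _hash(password, salt):
    # Assumption: salted PBKDF2 instead of storing the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_db():
    # Constructed sample data; hypothetical schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, "
               "Login TEXT UNIQUE, Salt BLOB, PwHash BLOB)")
    db.execute("CREATE TABLE TimeCharge (PersonID INTEGER, WorkDate TEXT, Hours REAL)")
    for pid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "battery staple")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO Person VALUES (?, ?, ?, ?)",
                   (pid, name, salt, _hash(pw, salt)))
    db.executemany("INSERT INTO TimeCharge VALUES (?, ?, ?)",
                   [(1, "2004-01-08", 8.0), (1, "2004-01-09", 6.5),
                    (2, "2004-01-09", 7.0)])
    return db

SESSIONS = {}  # server-side session store: token -> {"person_id": int}

def login(db, username, password):
    """Return a new session token on a correct match, otherwise None."""
    row = db.execute("SELECT PersonID, Salt, PwHash FROM Person WHERE Login = ?",
                     (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], _hash(password, row[1])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"person_id": row[0]}  # the ID lives only on the server
    return token

def my_time_charges(db, token, url_params=None):
    """Rows for the logged-in person only. url_params is accepted but never
    read for identification, so a person_id supplied in the URL has no effect."""
    session = SESSIONS.get(token)
    if session is None:
        raise PermissionError("not logged in")
    return db.execute(
        "SELECT WorkDate, Hours FROM TimeCharge WHERE PersonID = ? ORDER BY WorkDate",
        (session["person_id"],)).fetchall()
```
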





-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Mitsules,
Mark S. (Newport News)
Sent: Friday, January 09, 2004 10:33 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] Access Security - Web Based ASP

Thanks.  I will research Integrated Windows Authentication as an option.


Mark


-----Original Message-----
From: DWUTKA at marlow.com [mailto:DWUTKA at marlow.com]
Sent: Friday, January 09, 2004 4:06 PM
To: accessd at databaseadvisors.com
Subject: RE: [AccessD] Access Security - Web Based ASP


With ASP, you can get the user's logged-in account, either with
Integrated Windows Authentication, or plain text password.  No need to
have security on the db itself, if you don't put it into a directory
'visible' from the web.

Drew

-----Original Message-----
From: Mitsules, Mark S. (Newport News) [mailto:Mark.Mitsules at ngc.com]
Sent: Friday, January 09, 2004 2:40 PM
To: '[AccessD]'
Subject: [AccessD] Access Security - Web Based ASP


I have an existing .mdb "protected" only by an API call to
GetUserName...very limited access.  It contains time charging data for
the entire department ("company confidential...need to know" type stuff).

In the simplest of terms, what is the minimum necessary to achieve the
following scenario?  I would like a user to be able to access ONLY THEIR
time charging data through a web page interface.  Are there
alternatives?


Mark
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com