Hello all --
Read this yesterday, and realized I had a security hole (which I promptly plugged).
Naming your include files with sensitive information in them with a .inc extension allows anyone to view them in plain text format if they stumble onto the correct URL. To alleviate this problem, name these include files with the .asp extension.
So if you used to have this file called conn.inc:
<%
dim strCon
strCon = "DSN=myDSN;UID=userID;PWD=myPassword"
%>
then by all means, go through and rename those puppies to .asp and change all the include statements that point to them.
This is especially important for those of you who use DSN-less connection strings, since any and all information someone needs to gain access to your database directly is right there in your connection string.
Now get movin! ;-)
paul
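An audit helper for the rename described in the post above, as an added example that is not part of the original post: it walks a web root, lists every .inc file to rename to .asp, and lists each `#include` directive that must be updated to match. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Classic ASP server-side include: <!-- #include file="x.inc" --> (or virtual="...")
INCLUDE_RE = re.compile(
    r'(<!--\s*#include\s+(?:file|virtual)\s*=\s*")([^"]+?)\.inc("\s*-->)',
    re.IGNORECASE,
)

def plan_inc_migration(web_root):
    """Return (renames, edits) needed to move every .inc include to .asp.

    renames: list of (old_path, new_path), relative to web_root
    edits:   list of (file, line_no, old_directive, new_directive)
    """
    root = Path(web_root)
    renames, edits = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ".inc":
            renames.append((rel, rel[:-4] + ".asp"))
        if suffix in (".asp", ".inc"):  # includes can be nested inside includes
            text = path.read_text(encoding="latin-1")
            for no, line in enumerate(text.splitlines(), 1):
                new = INCLUDE_RE.sub(r"\1\2.asp\3", line)
                if new != line:
                    edits.append((rel, no, line.strip(), new.strip()))
    return renames, edits

def build_sample_site(root):
    """Constructed sample tree: one credential include and one page that uses it."""
    root = Path(root)
    (root / "conn.inc").write_text(
        '<%\ndim strCon\nstrCon = "DSN=myDSN;UID=userID;PWD=myPassword"\n%>\n')
    (root / "default.asp").write_text(
        '<!-- #include file="conn.inc" -->\n<% Response.Write "ok" %>\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        renames, edits = plan_inc_migration(tmp)
        for old, new in renames:
            print(f"rename {old} -> {new}")
        for f, no, old, new in edits:
            print(f"{f}:{no}: {old}  =>  {new}")
```

The script only reports; apply the renames and directive edits together so no page is left pointing at a file that no longer exists.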