I've just set up a reseller account with HMS. So far, so good..

However I was surprised to be told that i had to create all folders within the root folder. My only concern is with my databse folder, which i have always been advised and have always had outside my root. This could potentially leave my ASP apps such as forum open to hackers.

Has anyone else experienced this problem? The dude at support says that's the way it is but db folders outside the root have been standard for many hosts. In fact, one of the developers of an app is used says:

"I've not heard of a windows web host for 10 years now that doesn't have a database directory outside of the root of the website. Either your web host is stuck in a time warp or they don't have proper experince at windows web hosting."

Neither of the above is true with HMS but what can be done to resolve this?

Nya,

You are right.You absolutely should never have a database folder inside the root. In fact, every account I create, they create a "www" folder for me, and that is my root. I then store files above www for backup and archive purposes. Essentially, you tell support to create a directory called say "www" and make that your webroot in IIS. Then you are free to create directories above it. Once you create your database folder, tell them to point your DSN to that folder (which is now above your web root).

P.S. Chances are, if you are having this problem you are using MS Access for your database. Microsoft Access can not handle a heavy load, and security is not that good. You should consider getting an MSSQL account or a MySQL for your database.

By default we don't have Windows setup that allows for any folders outside of the root, however as Jason pointed out we can set it up as a custom configuration.

Strictly speaking it's not necessary to do this though - by removing the READ permissions for your DB folder in IIS you give it the same security as having it outside the root since it's not readable from the web (only via your DSN).

Thanks, i think i'll just have to ask for a wwwroot folder as this is how i'm used to working. as to the other suggestion. Developer said:

"The application uses a faster DSN-less connection. This uses the IUSR account to connect to and read from the database. If you disable read access for the IUSR account (which is what you web hosts says) then Forums can not open the database.

Your web hosts solution would not work and they should give you a folder above the root for placing files such as database within."

Thanks for the tips. I will consider dealing only with SQL in the future... just got used to access i guess.

Yeah, it would make sense that a dsn-less connection would muck things up there. I won't say anything further to prevent getting into a semantics argument with your developer on security vs functionality vs sanity, et al.



Glad to assist though!