Understanding the Limitations of an Access Database
In Chapter 1, "Choosing the Right Tools for Your Dynamic Application," we briefly touched on the pros and cons of using Access as your database of choice. Just in case you skimmed over that part, I think it is important to reiterate some of Access' limitations and provide some additional information regarding security.
Access 2000 and Access 2002 (XP) are limited in size to 2GB, whereas Access 97 is limited to 1GB. This file size restriction includes not only your data, but your table, query, report and form objects as well. Keep in mind that every time you create a new object in your database, like a new table or query, the amount of data it takes to store the structure of that object counts toward your total overall file size.
Microsoft lists 255 as the maximum number of concurrent users of an Access database, meaning that only 255 users can actively interact with the database at the same time. This might be theoretically true in Microsoft's labs under ideal circumstances, but in practice performance falls off sharply when more than 25 or 30 concurrent requests are made. Although Access remains suitable for small Web applications, applications that grow beyond 25 concurrent connections should consider upgrading to a more robust database.
Security can be an issue with applications that are available via the Web if you name your database something that can be easily guessed and it is placed in a path that can be easily guessed. For instance, if KrystalClear built a database-driven Web site, named the database krystalcleardatabase.mdb, and placed it in the database folder on its Web server, the data would be at risk. Because the name and path are easily guessed (http://www.krystalclearcommunications.com/database/Krystalcleardatabase.mdb), someone could simply build a link to that URL in his own Web page, right-click the link, choose Save Target As, and download the contents of the database for viewing on his desktop.
Although this scenario may seem unbelievable to you, there are plenty of hackers who enjoy seeing if they can find access points to information that powers Web sites. For this reason, be sure to name your database something no one would guess and place it in a folder that has a name no one would guess.
Additional Steps to Lock Down Your Access Database
You can further secure your Access database by setting a username and password within the database. A valid username and password must then be provided to open the database and view its contents. To allow your dynamic application to access the database, pass the username/password combination in either your ODBC connection or your custom connection string.
Macromedia also documents a security method that entails storing your database in a folder above the root directory and renaming your database. This method, documented at http://www.macromedia.com/devnet/mx/dreamweaver/extreme/dw_extreme001_02.html, relies, however, on a bug in Windows NT and 2000 that Microsoft could close in a future security update.
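To check a site for the exposure described above, the following added example (not code from the book or from Macromedia) walks a web root and lists every Access file a browser could request. It goes one step beyond the text by also checking the file header, so a renamed database left inside the web root is still reported. The `wwwroot` folder, the `x7q.inc` and `safe.mdb` names, the `example.com` base URL, and the sample file contents are all constructed for the demonstration.

```python
import os
import tempfile

# Jet/ACE files carry this signature at byte offset 4, whatever the file is named.
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
DB_EXTENSIONS = {".mdb", ".mde", ".accdb", ".ldb"}


def looks_like_access_db(path):
    """True if the file header carries a Jet/ACE signature."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(32)
    except OSError:
        return False
    return any(header[4:4 + len(sig)] == sig for sig in SIGNATURES)


def find_exposed_databases(web_root, base_url):
    """Return (url, reason) for each Access file a browser could request."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            known_ext = os.path.splitext(name)[1].lower() in DB_EXTENSIONS
            if not (known_ext or looks_like_access_db(full)):
                continue
            reason = "database file" if known_ext else "renamed database"
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            findings.append((base_url.rstrip("/") + "/" + rel, reason))
    return sorted(findings)


def demo():
    """Constructed layout: a web root, plus one copy stored above it."""
    site = tempfile.mkdtemp()
    root = os.path.join(site, "wwwroot")
    os.makedirs(os.path.join(root, "database"))
    fake_db = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64  # constructed
    for path in (os.path.join(root, "database", "krystalcleardatabase.mdb"),
                 os.path.join(root, "database", "x7q.inc"),  # renamed copy
                 os.path.join(site, "safe.mdb")):  # above the web root
        with open(path, "wb") as fh:
            fh.write(fake_db)
    return find_exposed_databases(root, "http://www.example.com")


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The copy stored above the web root does not appear in the output because no URL maps to it, while both files inside the `database` folder are reported regardless of name.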