Good suggestions. Will do as much as possible given the hosting service. Much thanks, David.

>There are a couple of things you can do.
>#1. Give your #INCLUDEd files an ASP extension, not INC extension. That way if someone somehow gets browse rights to your directory, ASP will compile the file and no output will be generated so they can't see the contents of the file.
>#2. For SQL server, you should use Integrated Windows security and do not specify a username and password in the connection string so even if they could see the connection string, they could not see any username and password.
>#3. Whey you issue ADO commands in your ASP pages, wrap it in and error handler.
>i.e.
>on error resume next
>oConnection.Execute ...
>on error goto 0
>' check the contents of the oConnection errors collection to see if there were errors
>' See ADO connection object for more info
>That way the user does not see the default ASP error text which might give away information about how you are handling your SQL queries.
>
>This is not a complete list, but it should get you started.
>
>- Dave
>
>
>>I've had a web site written in ASP, and want to make sure security is OK.
>>
>>Of course, anonymous visitors need to be able to insert records into our tables, and to to a SQL insert you gotta have connection info.
>>
>>So I'm presuming it's OK to keep that info in ASP and INClude files in any old directory on the web site - assuming that all that info is server side and therefore cannot be easily hacked.
>>
>>True?
>>
>>TIA
>>Michael