Server.MapPath("<foldername>/database.mdb") would be a public folder,
Server.MapPath, an SSI function that takes 1 argument, a virtual path, and returns the corresponding physical path; where is the problem in that? It's all server side.
You need to put the DB file above the webroot and access it directly. You can use mappath to find out the physical structure of your server and then create a correct path for the database from that, but you can't do it directly unless the DB is below the webroot.
The security issue is that you are allowing your customers to upload files outside of their account area.
Maybe your own server or co-located is a different issue as there is only one account, but with shared hosting AFAIK this is the norm.
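The approach suggested in the thread (use Server.MapPath only to discover the physical layout, then point the connection at a file that has no URL), written out as an added Classic ASP example that is not code from any poster. The folder name `data`, the directory layout and the Jet 4.0 provider are assumptions, and it presumes the host gives the site's account read/write access to a folder beside the web root.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Assumed layout (constructed for this example):
'   D:\sites\example\wwwroot\   <- web root, reachable over HTTP
'   D:\sites\example\data\      <- sibling folder, not mapped to any URL
Const DB_FOLDER = "data"          ' hypothetical folder name
Const DB_FILE   = "database.mdb"  ' file name used in the thread

Dim fso, webRoot, parentDir, dbPath, conn

Set fso = Server.CreateObject("Scripting.FileSystemObject")

' Server.MapPath("/") gives the physical path of the web root.
' The database path is built from its parent, so no virtual path
' (and therefore no URL) ever resolves to the .mdb file.
webRoot   = Server.MapPath("/")
parentDir = fso.GetParentFolderName(webRoot)
dbPath    = fso.BuildPath(fso.BuildPath(parentDir, DB_FOLDER), DB_FILE)

' Guard against a misconfigured DB_FOLDER that lands back inside the web root.
If LCase(Left(dbPath, Len(webRoot) + 1)) = LCase(webRoot & "\") Then
    Response.Status = "500 Internal Server Error"
    Response.Write "Database location is misconfigured."
    Response.End
End If

' Fail closed, and do not echo the physical path to the client.
If Not fso.FileExists(dbPath) Then
    Response.Status = "500 Internal Server Error"
    Response.Write "Database not available."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath & ";"

' ... run queries here ...

conn.Close
Set conn = Nothing
Set fso = Nothing
%>
```

By contrast, a file opened via `Server.MapPath("<foldername>/database.mdb")` sits under the web root, so anyone who guesses the URL can request it directly unless the server is configured to block that folder or the `.mdb` extension.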