I came across another article on Access database security today, and every time I see one of these I want to add a few words. There are several popular approaches.

First, give the database a random, complex name so that it cannot be guessed and downloaded. This used to be very popular, because everyone was very confident in their own code. But once an error message reveals the database address, the database can be illegally downloaded, so fewer and fewer people use this approach. It is rarely used now, except by programmers with little security knowledge; such cases are few, but you still run into them, for example on a site I saw a few days ago.

Second, add "#" to the database name. When requested from a URL, # is a separator between the request address and what follows it. If you know the database name and request it directly, for example http://www.xx.com/access#.mdb, the web server treats the request as being for access rather than access#.mdb, so it reports that the file cannot be found. Unfortunately, URLs have a special representation for such special characters; for # it is %23. Request http://www.xx.com/access%23.mdb and access#.mdb is downloaded. A download tool such as FlashGet can also download it directly. This approach feels a bit like self-deception: download tools fetch the file easily, so it has little practical value beyond deterring people who are new to this.

Third, rename the database to ASP. This is the more professional approach, it is also very safe, and it is now the more popular one. But many people only do half of it: they just change the database extension to .asp, so the database can still be downloaded directly with a tool such as FlashGet. Doing it properly takes two steps:

Step one: create a field in the database with a random name, of type OLE Object, whose content is the single-byte string "<%", i.e. the result of the ASP expression ChrB(Asc("<")) & ChrB(Asc("%")).

Step two: rename the database to .asp.

A direct request for the database from a URL then produces the "Missing shutdown script separator" error, and the download is refused. Because this is fairly troublesome, I found a small piece of code on the Internet that inserts the OLE object. Set the database name, put the script in the same directory as the database, and run it. Full code:

```asp
<%
db = "D.mdb" ' change this to your database address
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
conn.Execute("CREATE TABLE Notdownload (Notdown OLEOBJECT)")
' Report table and field creation
Response.Write "Table, field creation successful!"
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select * from Notdownload"
rs.Open sql, conn, 1, 3
rs.AddNew
' Store the two single bytes "<" and "%" in the OLE field
rs("Notdown").AppendChunk(ChrB(Asc("<")) & ChrB(Asc("%")))
rs.Update
rs.Close
' Report that the content was added
Response.Write "content add complete!"
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```

After this code runs, a Notdownload table is created in the database, with the field Notdown. If a table with the same name already exists in the database, change Notdownload in the code to the table name you want.

This approach is the more common one. As the author says, most people just rename the .mdb suffix to .asp; in fact, if you know the path, the file can still be downloaded with FlashGet. The author provides the ASP source code, which creates the table and field and adds the content directly. Save it as an .asp file and execute it once in the browser. Of course, you can also edit the database directly:

1. Open the Access database.
2. Use design view to create a table, add the field Notdown, and set its type to OLE Object.
3. Save it as Nodownload; do not create a primary key.
4. Open Notepad and edit the file Nodownload.txt so that its content is "<%".
5. Open the Nodownload table, right-click -> Insert Object, choose to insert from file, locate Nodownload.txt, and confirm.

All of the above require creating a table in the database. You can leave this table alone or delete it directly; it still serves the anti-download function, i.e. create it and then delete it. You can try this yourself.

Fourth, rename the database to ASA. The essence of this approach is to use the protection IIS gives to the ASA file, so that the database file cannot be requested directly from a URL and downloaded. But this approach is often misunderstood as merely changing the file suffix to .asa. IIS only applies request protection to the file name Global.asa, so with this approach the database can only be named Global.asa. Note that it is best not to place this Global.asa in the root directory of the host or of a virtual directory, or IIS will try to run it as a normal Global.asa file. This method is also relatively good, but if the site already uses Global.asa it is easy to confuse the two, so decide according to the situation.

I feel the third and fourth approaches are relatively safe: unless IIS has a vulnerability that allows viewing ASP or ASA source, the database cannot be downloaded.

Responsible editor: Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001
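The four approaches above can be checked from the defender's side with a small web-root audit. This is an added example, not code from the original article; the function names, the verdict strings, the sample bytes and the use of the Jet/ACE header text to recognise an Access file regardless of extension are assumptions of this sketch.

```python
from urllib.parse import urlsplit, unquote

# Header text found at offset 4 of Jet (.mdb) and ACE (.accdb) files.
DB_MAGIC = (b"Standard Jet DB", b"Standard ACE DB")

def requested_path(url):
    """Path a web server resolves; anything after a raw '#' is never sent."""
    return unquote(urlsplit(url).path)

def is_access_db(data):
    return data[4:19] in DB_MAGIC

def audit(name, data):
    """Classify one web-root file according to the article's four approaches."""
    if not is_access_db(data):
        return "not-a-database"
    lower = name.lower()
    if lower == "global.asa":
        return "protected: IIS refuses requests for global.asa"
    if lower.endswith(".asp"):
        # Byte check only; confirm by requesting the file on a test server.
        if b"<%" in data:
            return "protected: <% marker present, ASP parsing fails"
        return "exposed: renamed to .asp without the <% marker"
    if "#" in name:
        return "exposed: '#' in the name is reachable as %23"
    return "exposed: name and extension give no protection"

# Constructed sample bytes (not a real database): header plus filler.
PLAIN = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64 + b"rows"
MARKED = PLAIN + b"<%"

if __name__ == "__main__":
    print(requested_path("http://www.xx.com/access#.mdb"))
    print(requested_path("http://www.xx.com/access%23.mdb"))
    for name, data in [("x9f3k2.mdb", PLAIN), ("access#.mdb", PLAIN),
                       ("data.asp", PLAIN), ("data.asp", MARKED),
                       ("global.asa", PLAIN)]:
        print(f"{name:12} {audit(name, data)}")
```

Run against the real files in a web root, any "exposed" verdict marks a database that should be moved outside the directories the web server publishes.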