About Access database security

Source: Internet
Author: User
I came across another article on Access database security today, and every time I see one of these I want to say a few words. There are several popular approaches:
First, the password type
Give the database a random, complex name so that it cannot be guessed and downloaded. This was popular in the past because everyone was confident in their code. But error messages can reveal the database path, which lets the database be downloaded illegally, so fewer and fewer people use this approach.
Second, the "#" type
Add a # to the database name. In a URL, # is a separator between the request address and the request parameter, so if someone knows the database name and requests it directly, for example http://www.xx.com/access#.mdb, the web server will think the request is for access rather than access#.mdb and will report that the file cannot be found. Unfortunately, URLs have a special representation for such special characters. The special representation of # is %23, so requesting http://www.xx.com/access%23.mdb will download access#.mdb. A download tool such as FlashGet can also download it directly.
Third, the ASP type
This approach is more professional and also very safe, and it is now the more popular practice. But many people only do half of it: they just rename the database to .asp, so it can still be downloaded directly with download tools such as FlashGet. The correct approach takes two steps:
Step One: Create a field in the database with a random name, of type OLE object, and set its content to the single-byte "<%", i.e. the result of the ASP expression ChrB(Asc("<")) & ChrB(Asc("%")).
Step Two: Rename the database so that it has the .asp extension.
After this, requesting the database directly by URL produces a "missing script close delimiter" error, so the download is refused. Because doing this by hand is rather troublesome, I found a small piece of code online that performs the OLE object insertion: just set the database name, put the script in the same directory as the database, and run it.
The full code:
<%
' Change "d.mdb" to the path of your database
db = "d.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
conn.Open connstr
' Create a table with a single OLE object field
conn.Execute "CREATE TABLE Notdownload (Notdown OLEOBJECT)"
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM Notdownload"
' 1 = adOpenKeyset, 3 = adLockOptimistic
rs.Open sql, conn, 1, 3
rs.AddNew
' Store the two single bytes "<" and "%" with no closing delimiter
rs("Notdown").AppendChunk ChrB(Asc("<")) & ChrB(Asc("%"))
rs.Update
rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
After this code runs, a Notdownload table is created in the database, and the field in the table is Notdown. If a table with the same name already exists in the database, change Notdownload in the code to the table name you want.
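An added example, not part of the original article or the script it quotes: a Python check that reads a database file's raw bytes and reports whether both steps above were actually done. The function names, status labels and sample bytes are assumptions constructed for illustration.

```python
# Added example: offline check that a renamed Access database carries the
# unterminated "<%" marker described in steps one and two above.
OPEN, CLOSE = b"<%", b"%>"  # ChrB writes single bytes: 3C 25 on disk

def asp_guard_status(data: bytes) -> str:
    """Classify raw file bytes by the script delimiters they contain."""
    start = data.find(OPEN)
    if start == -1:
        return "unprotected"   # no "<%" at all: the file was only renamed
    if data.find(CLOSE, start + len(OPEN)) != -1:
        return "closed-block"  # a later "%>" closes the block: review by hand
    return "guarded"           # "<%" never closed: the parser error applies

def classify(name: str, data: bytes) -> str:
    """Check step two (the .asp rename) first, then step one (the marker)."""
    if not name.lower().endswith(".asp"):
        return "not-renamed"
    return asp_guard_status(data)

# Constructed sample bytes standing in for real database files.
JET_HEADER = b"\x00\x01\x00\x00Standard Jet DB\x00"
PLAIN = JET_HEADER + b"\x00" * 64
GUARDED = PLAIN + OPEN + b"\x00" * 16
CLOSED = GUARDED + CLOSE

SAMPLES = {
    "d.mdb": GUARDED,      # marker inserted, but never renamed
    "half.asp": PLAIN,     # renamed only: the "half done" case
    "d.asp": GUARDED,      # both steps done
    "odd.asp": CLOSED,     # stored data happens to contain "%>"
}

def audit(samples: dict) -> dict:
    """Map each file name to its status."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name:10} {status}")
```

For a real file, pass its name and the result of `open(path, "rb").read()` to `classify`.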
Fourth, the ASA type
The real basis of this approach is the protection IIS gives to ASA files, which keeps the database file from being requested and downloaded directly by URL. But it is often misunderstood to mean that changing the file suffix to .asa is enough. IIS only protects requests for the file name global.asa, so this approach only works if the database is named global.asa. Also note that it is best not to put it in the root directory of the host or of a virtual directory, otherwise IIS will try to run it as a normal global.asa file.

I feel the third and fourth approaches are relatively safe: unless IIS has a vulnerability that exposes ASP or ASA source code, the database cannot be downloaded.


