About ASP+Access security issues

Source: Internet
Author: User

As is well known, the biggest security risk of ASP+Access is that the Access database file can be downloaded by others, and since many of the ASP hosting plans on offer today support only Access databases, the security of ASP+Access deserves particular attention.

1. Storage hidden danger in Access databases
In an ASP+Access application system, anyone who obtains or guesses the storage path and file name of the Access database can download the database to their local machine.

2. Access database decryption hidden danger

Because the encryption mechanism of an Access database is simple, decryption is easy even if the database has a password. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores it in the *.mdb file in the area starting at address &H42. Because XOR has the property that applying it twice restores the original value, XORing that stored string with the same key a second time recovers the Access database password with ease. Based on this principle, it is easy to develop a decryption program.

This shows that, regardless of whether a database password is set, once the database has been downloaded its contents have no security to speak of.

3. Security hidden danger in program design
ASP code uses forms to interact with the user, and the corresponding parameters are reflected in the browser's address bar. If no appropriate security measures are adopted, anyone who notes down these parameters can bypass authentication and enter a page directly. For example, typing "... page.asp?x=1" in the browser goes straight to the page that satisfies the "x=1" condition without passing through the form page. Therefore, when designing validation or registration pages, special measures must be taken to prevent such problems.

==========
Solution
==========

Improving the security of the database

Because the Access database encryption mechanism is too simple, effectively preventing the Access database from being downloaded is the most important way to improve the security of an ASP+Access solution.

1. Unconventional naming

An easy way to prevent a database from being found is to give the Access database file a complex, unconventional name and store it in a multi-level directory. For example, for the database file of an online bookstore, do not simply name it "Book.mdb" or "store.mdb"; use an unconventional name such as faq19jhsvzbal.mdb instead, and then put it in a deep directory such as ./akkjj16t/kjhgb661/acd/avccx55. In this way, some illegal access attempts that rely on guessing the Access database file name can be effectively blocked.

2. Using an ODBC data source
In ASP program design, an ODBC data source should be used wherever possible; do not write the database path directly in the program, or the database name will be compromised together with the ASP source code. For example:
DBPath = Server.MapPath("./akkjj16t/kjhgb661/acd/avccx55/faq19jhsvzbal.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath

Clearly, no matter how strange the database name or how deep the hidden directory, once the ASP source code is compromised the database is still easy to download. If an ODBC data source (a DSN) is used instead, there is no such problem:
Conn.Open "DSN=odbc_dsn_name"

Encrypting ASP pages

To effectively prevent leakage of ASP source code, ASP pages can be encrypted. There are generally two ways to do this. One is to encapsulate the programming logic into DLLs using component technology;

the other is to use Microsoft's Script Encoder to encrypt the ASP pages. The main problem with component technology is that each piece of code has to be modularised, the operation is cumbersome and the workload is large, whereas using Script Encoder to encrypt ASP pages is simple to operate and gives good results.

The Script Encoder method has many advantages:

⑴. The HTML remains editable. Script Encoder only encrypts the ASP code embedded in the HTML page and leaves the rest unchanged, which makes it possible to modify and refine the HTML section with commonly used web page editing tools such as FrontPage or Dreamweaver. Only the encrypted ASP section cannot be modified, or the file will stop working.

⑵. Simple to operate. Only a few command-line arguments need to be mastered. The Script Encoder program is screnc.exe, and it is used as follows:
screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] inputfile outputfile
The parameters have the following meanings:
/s: suppresses screen output;
/f: specifies that the output file overwrites an input file of the same name;
/xl: controls whether an @language directive is added at the top of .asp files;
/l defLanguage: specifies the default scripting language;
/e defExtension: specifies the extension of the files to be encrypted.
⑶. Files can be encrypted in bulk. Script Encoder can encrypt all ASP files in the current directory and output the encrypted files to a chosen directory. For example:
screnc *.asp C:\Temp
⑷. Script Encoder is free software. It can be downloaded from the Microsoft website:
Http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the installer.

Registering with the Session object for authentication

To prevent unregistered users from bypassing the registration interface and entering the application system directly, the Session object can be used for registration verification. The biggest advantage of the Session object is that it keeps a user's information for subsequent pages to read.

3. Change the database file extension

The database extension can also be changed to .asp, and the database located with a filename like database.asp, so that the database is not easily downloaded while the data can still be read normally.

4. Add erroneous ASP code to the database

If you think everything is fine after completing item 3, that is wrong. Although the database extension has become .asp, once the other party guesses the database path it can still be downloaded, only a little more slowly: the other party can wait for the page to open completely and then use "Save as". To resolve this issue, ASP code that causes an error can be loaded into the database. Create a hidden table with only one column and insert one row:

This way, when the other party opens the database page, only the error message from the ASP script appears, and the database is not downloaded.

5. A case of solving the hidden danger in program design

Most people think that once a login password is added, nobody can get into the site. Instead, look at the following validation code:

sql = "Select Uname,pwd from Uinfo where "
sql = sql & "Uname='" & Request.Form("uname") & "'"
sql = sql & " and pwd='" & Request.Form("pwd") & "'"
Rs.Open sql, conn, 1, 1
If Rs.EOF Or Rs.BOF Then
    Response.Write "Sorry, wrong username/password!"
Else
    Response.Write "Login Successful!"
End If

Some readers will already have seen that this code is very dangerous: as long as the other party knows a user name, they can log in simply by entering ' or '1'='1 in the password box. The principle is very simple and exploits the way the SQL query statement is built. Note that submitting the form this way turns the SQL statement into the following (if the user name is Administrator):

Select Uname,pwd from Uinfo where Uname='Administrator' and pwd='' or '1'='1'

If the user name Administrator exists, the record is selected and the login of course succeeds.

Solution:

sql = "Select Uname,pwd from Uinfo where "
sql = sql & "Uname='" & Request.Form("uname") & "'"
Rs.Open sql, conn, 1, 1
If Rs.EOF Or Rs.BOF Then
    Response.Write "Sorry, this site does not have this user!"
Else
    If Rs.Fields("pwd") = Trim(Request.Form("pwd")) Then
        Response.Write "Login Successful!"
    Else
        Response.Write "Wrong username/password!"
    End If
End If
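The following is an added example and not code from the original article. It serves three passages above at once: it replaces the string-concatenated query of the listings in section 5 with a parameterised ADODB.Command (so neither uname nor pwd is spliced into the SQL text, which the corrected listing above still does for Uname), it records the login in the Session object as described under "Registering with the Session object for authentication", and it shows the small include that protected pages use to reject direct requests such as the "page.asp?x=1" case from hidden danger 3. The DSN name bookstore, the file names login.asp and auth_check.asp, and the 50-character parameter size are assumptions; the table Uinfo and its columns Uname and pwd are taken from the page.

```vbscript
<%
' login.asp  (added example, not from the original article)
' Assumes a System DSN named "bookstore" (hypothetical) that points at the
' Access database, and the table Uinfo(Uname, pwd) used on the page.
Option Explicit

Const adCmdText    = 1
Const adVarChar    = 200
Const adParamInput = 1

Dim conn, cmd, rs, uname, pwd
uname = Trim(Request.Form("uname"))
pwd   = Trim(Request.Form("pwd"))

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=bookstore"   ' no database path in the source (section 2)

' Parameterised query: the user input travels as parameter values, so a
' password such as  ' or '1'='1  is compared literally and can never change
' the WHERE clause. (The page's schema keeps pwd in clear text; hashing it
' is outside this example.)
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Uname, pwd FROM Uinfo WHERE Uname = ? AND pwd = ?"
cmd.Parameters.Append cmd.CreateParameter("uname", adVarChar, adParamInput, 50, uname)
cmd.Parameters.Append cmd.CreateParameter("pwd",   adVarChar, adParamInput, 50, pwd)

Set rs = cmd.Execute

If rs.EOF Then
    ' One message for both failure cases, so the response does not reveal
    ' whether the user name exists.
    Response.Write "Sorry, wrong username/password!"
Else
    ' Remember the authenticated user for later pages (Session object).
    Session("uname") = rs.Fields("Uname").Value
    Response.Write "Login Successful! " & Server.HTMLEncode(uname)
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>

<%
' auth_check.asp  (added example) - placed at the top of every protected
' page with <!--#include file="auth_check.asp"-->. A request that arrives
' directly, e.g. page.asp?x=1, has no Session("uname") (Empty compares
' equal to "" in VBScript) and is sent back to the login form instead of
' being served.
If Session("uname") = "" Then
    Response.Redirect "login.asp"
End If
%>
```

The two `<% %>` blocks are two separate files. Because the check lives in an include rather than in each page's own logic, a page cannot be reached by guessing its query string without first having passed login.asp, which is exactly the gap described under hidden danger 3.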

Conclusion: the above is only some experience I have accumulated in actual programming; if there are shortcomings, I hope readers will correct me!


