Basic rules for novice ASP programming and precautions against common errors (Application Tips)

Source: Internet
Author: User
Tags odbc access database
First, a mistake novices often make
Many posts on the forum share the same basic error in their code: mishandling field types.
The program is tightly bound to the database, and text or date/time fields in the database must have their values wrapped in single quotes.
For example, the following update statement:
Conn.Execute "Update Counts set counts='" & counts & "' where num=" & num & " and Atime='" & Now() & "'"
To the left of each equals sign is the field name; to the right is the variable. The Counts field is text, so its value must be preceded and followed by a single quotation mark, whether you are writing or querying. In the where clause that follows, the NUM field is numeric, so there are no single quotes before or after it; the Atime field is a date/time type, so it also needs single quotes around it.
The most important case is the ID query: the ID field is unique and numeric, so obviously the queried ID value has no single quotes before or after it.
Conn.Execute "Update Counts set counts='" & counts & "' Where id='" & id & "'"    ' wrong notation
Conn.Execute "Update Counts set counts='" & counts & "' where id=" & id    ' correct notation

Second, ACCESS database connection
There are usually two ways to connect to a database, and novices often have little idea which one to use, under what circumstances, or how the two differ in principle.
① Direct connection to the database file
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};Dbq=" & Server.MapPath("Database/yanhang.mdb")

② Connection to the database file through a data source
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("Database/yanhang.mdb")

So which of the two is better? The second, of course: in the first the client browser effectively reads the database directly, so security is much worse; the second connects through a data source, that is, through the server's data source tool, which has nothing to do with the client, so the database is not exposed to the client and the safety factor is high.

Applying the ACCESS database connections: ① direct connection to the database file
conn.Open "Driver={Microsoft Access Driver (*.mdb)};Dbq=" & Server.MapPath("Database/yanhang.mdb")
With this kind of connection, an insert looks like this:
Set Rs = Server.CreateObject("ADODB.Recordset")    ' (correct notation)
Rs.Open "SELECT * FROM Dndj", conn, 1, 3
Rs.AddNew
Rs("bh") = bh
Rs("bm") = bm
Rs("xm") = xm
Rs("xsq") = xsq
Rs.Update
Rs.Close
Set Rs = Nothing

Set Rs = Server.CreateObject("ADODB.Recordset")    ' (wrong notation)
Sql = "INSERT INTO DNDJ (BH,BM,XM,XSQ) VALUES ('bh','BM','xm','xsq')"
Rs.Open Sql, conn, 1, 3

Applying the ACCESS database connections: ② connection to the database file through a data source
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("Database/yanhang.mdb")
With this kind of connection, an insert looks like this:
Conn.Execute "INSERT INTO DNDJ (BH,BM,XM,XSQ) VALUES ('" & bh & "','" & bm & "','" & xm & "','" & xsq & "')"    ' (correct notation)

Set Rs = Server.CreateObject("ADODB.Recordset")    ' (wrong notation)
Sql = "INSERT INTO DNDJ (BH,BM,XM,XSQ) VALUES ('bh','BM','xm','xsq')"
Rs.Open Sql, conn, 1, 3
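The single-quote rule from section one and the string-built INSERT above both paste the variable straight into the SQL text, so a value that itself contains a quote breaks the statement or changes its meaning. The following is an added example, not code from the original article, that rewrites the Counts update from section one with an ADODB.Command and typed parameters so the provider does the quoting for each field type; conn is assumed to be the open connection from section two, and the request field names are constructed for the example.

```vbscript
' Added example (not from the original article): the section-one UPDATE with typed parameters.
' Assumes conn is an already opened ADODB.Connection. Request field names are constructed.
Const adCmdText = 1, adParamInput = 1
Const adVarChar = 200, adInteger = 3, adDate = 7

counts = Request.Form("counts")
id = Request.Form("id")

' The ID field is numeric: accept only a plain whole number before it goes anywhere near SQL.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then
    Response.Write "Invalid id"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Each ? stands for one value. No single quotes are written in the SQL at all:
' the text, date and numeric values are each passed with their own ADO type below.
cmd.CommandText = "UPDATE Counts SET counts = ?, Atime = ? WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("counts", adVarChar, adParamInput, 255, counts)
cmd.Parameters.Append cmd.CreateParameter("atime", adDate, adParamInput, , Now())
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(id))
cmd.Execute
Set cmd = Nothing
```

The same Command object with "INSERT INTO DNDJ (BH,BM,XM,XSQ) VALUES (?,?,?,?)" and four adVarChar parameters replaces the concatenated INSERT shown above.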

Third, the use of double quotation marks
Usually we write a hyperlink like this: <a href="abc.asp?id=<%=rs("id")%>">Super Connect</a>
But if you write this hyperlink inside ASP code:
Response.Write "<a href=""abc.asp?id=" & rs("id") & """>Super Connect</a>"    ' (correct notation)
Response.Write "<a href='abc.asp?id=" & rs("id") & "'>Super Connect</a>"    ' (correct notation)
Response.Write "<a href=abc.asp?id=" & rs("id") & ">Super Connect</a>"    ' (correct notation)

Response.Write "<a href="abc.asp?id=<%=rs("id")%>">Super Connect</a>"    ' (incorrect notation)
Response.Write "<a href="abc.asp?id=" & rs("id") & ">Super Connect</a>"    ' (incorrect notation)

A form field written inside ASP: <input type="text" name="id" value="<%=rs("id")%>" />
Response.Write "<input type=""text"" name=""id"" value=""" & rs("id") & """ />"    ' (correct notation) Note: there are three double quotes here
Response.Write "<input type='text' name='id' value='" & rs("id") & "' />"    ' (correct notation)
Response.Write "<input type=text name=id value=" & rs("id") & " />"    ' (correct notation)

Response.Write "<input type="text" name="id" value="<%=rs("id")%>" />"    ' (incorrect notation)
Response.Write "<input type="text" name="id" value="" & rs("id") & "" />"    ' (incorrect notation)
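Whichever of the correct quoting styles is used, the value of rs("id") is written into the HTML unchanged, so a stored value that contains a quote or an angle bracket breaks out of the attribute and is parsed as markup. The following is an added example, not from the article, of two small helpers that pass the value through Server.HTMLEncode (and Server.URLEncode for the query string) so the attribute stays intact; the helper names and the sample values are constructed.

```vbscript
' Added example (not from the original article). Server.HTMLEncode turns <, >, & and "
' into &lt; &gt; &amp; &quot;, so a database value can never close the attribute or open a tag.
' The string-literal rule from above is unchanged: a double quote inside a VBScript string is "".
Function AttrValue(v)
    AttrValue = Server.HTMLEncode(CStr(v))
End Function

' For a query-string value: URL-encode it first, then HTML-encode the result for the attribute.
Function QueryValue(v)
    QueryValue = Server.HTMLEncode(Server.URLEncode(CStr(v)))
End Function

Sub WriteLink(id, text)
    Response.Write "<a href=""abc.asp?id=" & QueryValue(id) & """>" & AttrValue(text) & "</a>"
End Sub

Sub WriteInput(id)
    Response.Write "<input type=""text"" name=""id"" value=""" & AttrValue(id) & """ />"
End Sub

' Constructed sample values: a normal id renders exactly as in the article...
WriteLink 15, "Super Connect"
' ...and a value containing a quote and a tag is shown as text inside the box, not as markup.
WriteInput "O""Brien <b>"
```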

Fourth, ways to prevent Access databases from being downloaded
Many dynamic sites make heavy use of a database, which is naturally the site's core file. Once the database is illegally downloaded, it is very likely that a malicious person will damage the site or steal its information.

The methods below apply both to users of rented virtual host space and to users who have control over IIS.

Part one: rented virtual host space, no IIS control
1: Use your imagination and change the database file name
This is the most basic step. I don't think many people still fail to change their database file name nowadays. What you change it to is up to you; at least make sure the file name is complex and cannot be guessed. Of course, the directory holding the database must also not have directory browsing enabled!

2: Change the database file suffix to .asa, .asp, etc.
This is said to be very popular, but I tested it many times and found it unsatisfactory. If you really want it to prevent downloading you have to add settings to some binary fields; in a word, it is complicated and troublesome (and if your database holds a lot of data, this method is not good at all).

3: Add "#" in front of the database name
Simply put a # at the start of the database file name, then update the database path in the connection file (such as conn.asp). The principle is that when downloading, only the part of the name before the # sign is recognized and everything after it is dropped automatically. For example, if you try to download http://bbs.bccn.net/date/#123.mdb (assuming it exists), whether with IE or FlashGet what you actually get is http://bbs.bccn.net/date/index.htm.

In addition, spaces in the database file name play a similar role: because of how HTTP addresses are resolved, a space is encoded as "%20", so http://bbs.bccn.net/date/123 456.mdb becomes http://bbs.bccn.net/date/123%20456.mdb when downloaded. Our directory has no file named 123%20456.mdb, so the download fails; even if the database address is exposed, under normal circumstances others cannot download it. Best of all is to use both "#" and a space, for example http://bbs.bccn.net/date/#123 456.mdb

4: Encrypt the database
Open the database in Access in exclusive mode, set a database password under Tools - Security - Set Database Password, then change the database connection page, for example:
conn.Open "Driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"
After this change the database cannot be opened even if it is downloaded (provided the password on your database connection page is not compromised).
It is worth noting, however, that the Access database encryption mechanism is relatively simple, so even with a password set, decryption is easy. The database system forms an encrypted string by XOR-ing the password entered by the user with a fixed key and stores it in the *.mdb file at offset &h42. A good programmer can therefore easily write a program of a few dozen lines to obtain the password of any Access database. So once the database has been downloaded, its security remains uncertain.


Part two: host control (the settings for virtual host space can of course still be used here)
5: Place the database outside the web directory
If your web directory is e:\webroot, you can put the database in the E:\data folder and, in the database connection page under E:\webroot,
change the database path to the form "../data/#123 456.mdb". The database can then be called normally but cannot be downloaded, because it is not inside the web directory! This method is generally suited to users who rent virtual space.

6: Use an ODBC data source
In ASP and similar programs, where conditions allow, use an ODBC data source rather than writing the database name into the program; otherwise the database name is leaked together with the ASP source code.
For example:
conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("../123/abc/asfadf.mdb")
As you can see, however strange the database name and however deep the hidden directory, once the ASP source code is compromised the database is very easy to download.
If you use an ODBC data source there is no such problem: conn.Open "odbc-dsn name". But this is more annoying: if the directory moves, the data source has to be set up again!

7: Extension mapping for database extensions such as .mdb
This method is implemented by changing IIS settings, so it suits those with IIS control and not users who rent virtual hosts (unless the administrator has already set it up). I think this is currently the best method: change one place and the databases of the entire site are protected from downloading, with no need to modify code, and even if the exact address is exposed the download is still prevented.

Setup:
In IIS properties - Home Directory - Configuration - Mappings - Application extensions, add an application mapping for the .mdb extension. Note that the choice of DLL (or EXE, etc.) does not seem to be arbitrary: if chosen badly the mdb file can still be downloaded, and it is best not to choose asp.dll. You can test this yourself.
After this change, downloading a database such as Http://bbs.bccn.net/data/dvbbs6.mdb returns a 404 or 500 error.

8: Use the advantages of .NET
"Wooden bird" on the net wrote a "Wbal anti-leech tool" to prevent illegal downloading of files. I remember an expert on this forum also published a database anti-download plug-in, a .dll loaded into IIS.
But that only prevented non-local downloads; it did not truly prevent the database from being downloaded, and in that sense it is similar to method 5.
By modifying .NET files, local downloads can be prevented as well!

Of these methods, only 7 and 8 are unified changes: once the configuration is modified, every database on the site is protected from downloading. The others require changing database names and connection files, which is more trouble, but for friends on virtual hosts that is the only option!

In fact, method 6 should be seen as an extension of method 5 and can implement special functions, but for hosts that do not support .NET, or if you are afraid of the setup trouble, just use method 5 directly. By default, method 6 can still be reached from the same host through a copy of a link posted in the forum or a message, which can then be clicked to download (because such a referring page comes from the same host).

Each of these methods has its strengths; use them selectively. None of them is absolutely secure, and webmasters must also pay attention to the security of the system itself and the security of the ASP code they write; otherwise someone may still download or modify the database!