Basic Rules of ASP Programming for Beginners and Precautions for Common Errors

Source: Internet
Author: User

I. Common mistakes made by new users
In many code posts on the forum I see one common basic error: the field type is handled incorrectly.
A program is closely tied to its database. Single quotation marks are used for text or time fields of the database.
For example, consider the following update statement:
conn.Execute "Update counts set counts = '" & counts & "' where num = " & num & " and atime = '" & Now() & "'"
The left side of each equal sign is the field name and the right side is the variable that supplies the value. The counts field is a text type, so single quotation marks must be written before and after its value; this applies to both write and query operations. In the query condition, the num field is a number type, so it takes no single quotation marks, while the atime field is a time type, so single quotation marks must be added before and after its value.
The most important case is the ID query. The ID field is unique and numeric, so no single quotation marks go before or after the ID value in a query.
conn.Execute "Update counts set counts = '" & counts & "' where id = '" & id & "'"  ' (incorrect syntax)
conn.Execute "Update counts set counts = '" & counts & "' where id = " & id  ' (correct syntax)

II. Access Database Connection
There are usually two ways to connect to a database. A newcomer generally does not know which method to use, under what circumstances, or how the two work.
① Directly connect to database files
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("database/yanhang.mdb")

② Connect to database files through data sources
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("database/yanhang.mdb")

Which of the two is better? Of course, it is the second one, because the first reads the database directly from the client browser, so its security is much worse. The second connects to the database through the data source: the connection is made by a data source tool on the server and has nothing to do with the client, so the database is not exposed to the client and the security factor is much higher.

Program code for each Access connection method: ① directly connect to the database file
conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("database/yanhang.mdb")
To insert a record with this database connection method:
Set rs = Server.CreateObject("ADODB.Recordset")  ' (correct syntax)
rs.Open "select * from dndj", conn, 1, 3
rs.AddNew
rs("bh") = bh
rs("bm") = bm
rs("xm") = xm
rs("xsq") = xsq
rs.Update
rs.Close
Set rs = Nothing

Set rs = Server.CreateObject("ADODB.Recordset")  ' (incorrect syntax)
sql = "insert into dndj (bh, bm, xm, xsq) values ('bh', 'bm', 'xm', 'xsq')"
rs.Open sql, conn, 1, 3

Program code for each Access connection method: ② connect to the database file through the data source
conn.Open "provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("database/yanhang.mdb")
To insert a record with this database connection method:
conn.Execute "insert into dndj (bh, bm, xm, xsq) values ('" & bh & "', '" & bm & "', '" & xm & "', '" & xsq & "')"  ' (correct syntax)

Set rs = Server.CreateObject("ADODB.Recordset")  ' (incorrect syntax)
sql = "insert into dndj (bh, bm, xm, xsq) values ('bh', 'bm', 'xm', 'xsq')"
rs.Open sql, conn, 1, 3
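
The UPDATE and INSERT statements above build SQL by concatenating variables, so a value that contains a single quotation mark breaks the statement or changes its meaning. As an added example (not code from the original article), here are the same two operations with ADO parameters, which also removes the need to choose quotation marks per field type. It assumes conn is an open ADODB.Connection and that the dndj fields are text fields; the function names are hypothetical.

```vbscript
<%
' Added example, not from the original article. Assumes conn is an open
' ADODB.Connection; NewCommand, AddText, UpdateCounts, InsertDndj are hypothetical names.
Const adInteger = 3
Const adVarWChar = 202
Const adParamInput = 1
Const adCmdText = 1
Const adExecuteNoRecords = 128

' Build a text command whose values travel as parameters, never as SQL text.
Function NewCommand(conn, sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    Set NewCommand = cmd
End Function

' Append one text parameter; 255 is the maximum length of an Access Text field.
Sub AddText(cmd, name, value)
    cmd.Parameters.Append cmd.CreateParameter(name, adVarWChar, adParamInput, 255, value)
End Sub

' The update by ID: counts is a text field, id is numeric.
Function UpdateCounts(conn, counts, id)
    Dim cmd, affected
    If Not IsNumeric(id) Then
        UpdateCounts = 0   ' reject a non-numeric id instead of running any SQL
        Exit Function
    End If
    Set cmd = NewCommand(conn, "UPDATE counts SET counts = ? WHERE id = ?")
    AddText cmd, "counts", counts
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(id))
    cmd.Execute affected, , adExecuteNoRecords
    UpdateCounts = affected   ' number of rows changed
End Function

' The insert into dndj: all four fields are assumed to be text fields.
Function InsertDndj(conn, bh, bm, xm, xsq)
    Dim cmd, affected
    Set cmd = NewCommand(conn, "INSERT INTO dndj (bh, bm, xm, xsq) VALUES (?, ?, ?, ?)")
    AddText cmd, "bh", bh
    AddText cmd, "bm", bm
    AddText cmd, "xm", xm
    AddText cmd, "xsq", xsq
    cmd.Execute affected, , adExecuteNoRecords
    InsertDndj = affected
End Function
%>
```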

III. Application of Double Quotation Marks
Usually we write a hyperlink like this: <a href="abc.asp?id=<%=rs("ID")%>">super connection</a>
But what if this hyperlink is written out from ASP code?
Response.Write "<a href=""abc.asp?id=" & rs("ID") & """>super connection</a>"  ' (correct syntax)
Response.Write "<a href='abc.asp?id=" & rs("ID") & "'>super connection</a>"  ' (correct syntax)
Response.Write "<a href=abc.asp?id=" & rs("ID") & ">super connection</a>"  ' (correct syntax)

Response.Write "<a href="abc.asp?id=<%=rs("ID")%>">super connection</a>"  ' (incorrect syntax)
Response.Write "<a href="abc.asp?id=" & rs("ID") & ">super connection</a>"  ' (incorrect syntax)

Writing a form field from ASP code: <input type="text" name="ID" value="<%=rs("ID")%>" />
Response.Write "<input type=""text"" name=""ID"" value=""" & rs("ID") & """ />"  ' (correct syntax) Note: There are three double quotes
Response.Write "<input type='text' name='id' value='" & rs("ID") & "' />"  ' (correct syntax)
Response.Write "<input type=text name=ID value=" & rs("ID") & " />"  ' (correct syntax)

Response.Write "<input type="text" name="ID" value="<%=rs("ID")%>" />"  ' (incorrect syntax)
Response.Write "<input type="text" name="ID" value="" & rs("ID") & "" />"  ' (incorrect syntax)
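
The Response.Write lines above emit rs("ID") unescaped, which only holds up while the field is numeric. An added example (not from the original article) of the double-quoted form with Server.URLEncode and Server.HTMLEncode applied; Server.HTMLEncode escapes double quotation marks but not single ones, which is why the double-quoted attribute form is the one used. LinkTo and TextInput are hypothetical helper names, and rs is assumed to be an open recordset.

```vbscript
<%
' Added example, not from the original article. LinkTo and TextInput are
' hypothetical helpers; rs is assumed to be an open ADODB.Recordset.

' Build <a href="page?id=..."> with the id URL-encoded for the query string
' and the whole attribute value HTML-encoded for the markup.
Function LinkTo(page, id, label)
    Dim href
    href = page & "?id=" & Server.URLEncode(id)
    LinkTo = "<a href=""" & Server.HTMLEncode(href) & """>" & _
             Server.HTMLEncode(label) & "</a>"
End Function

' Build a text input whose value cannot close the attribute early:
' a double quotation mark in the value is written as &quot;.
Function TextInput(name, value)
    TextInput = "<input type=""text"" name=""" & Server.HTMLEncode(name) & _
                """ value=""" & Server.HTMLEncode(value) & """ />"
End Function

' & "" turns the field value (including Null) into a string before encoding.
Response.Write LinkTo("abc.asp", rs("ID") & "", "super connection")
Response.Write TextInput("ID", rs("ID") & "")
%>
```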

IV. Several Methods to Prevent Access Database Downloads
Many dynamic sites make heavy use of databases, and the database becomes the core file of the site. Once the database is illegally downloaded, it is very likely that malicious people will damage the website or steal its data.

The following methods apply both to users of virtual host space and to users who have control of IIS!

(I) Purchased virtual host space: methods suitable when you have no control over IIS
1: Use your imagination to modify the database file name
This is the most basic. I don't think many people are too reluctant to change the database file name. As for what to change it to, you should at least make sure that the file name is complex and cannot be guessed. Of course, directory browsing must not be enabled on the directory where your database is located!

2: Change the database file extension to .asa, .asp, etc.
I heard this is very popular, but I have tested it many times and found it is not ideal. If you really want to prevent downloading, you need to add some binary fields and other settings. In short, it gets complicated (and if you have a lot of databases, this method is not very good).

3: Add "#" before the database name
You only need to add # to the front of the database file name, and then modify the database address in the database connection file (such as conn.asp). The principle is that a download only recognizes the part of the address before the #, and what follows is dropped automatically. For example, if you try to download http://bbs.bccn.net/date/#123.mdb (if it exists), both IE and FlashGet fetch http://bbs.bccn.net/date/index.htm.

Leaving a space in the database file name plays a similar role. Because of the way HTTP handles addresses, the space is encoded as "%20", so for http://bbs.bccn.net/date/123 456.mdb
the download request is for http://bbs.bccn.net/date/123%20456.mdb. Our directory has no file named 123%20456.mdb at all, so the download fails; even if you expose the database address, under normal circumstances other people cannot download it. It is best to use the two methods together, "#" plus a space, such as http://bbs.bccn.net/date/#123 456.mdb

4: Encrypt the database
Open your database in Access in exclusive mode, then go to Tools, Security, and set the database password. After encryption, modify the database connection page, for example:
conn.Open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;DBQ=database path"
After this modification, even if the database is downloaded, it cannot be opened by others (provided that the password on your database connection page is not leaked).
However, it is worth noting that the encryption mechanism of the Access database is relatively simple, and it is easy to decrypt even if a password is set. The database system creates an encryption string from the password entered by the user and stores it in the *.mdb file starting at address &H42. A good programmer can therefore write a small program of a few dozen lines that obtains the password of any Access database. So once the database has been downloaded, its security is still in doubt.

(II) You have control over the host (of course, the virtual space settings above can still be used here)
5: Store the database outside the web directory
If your web directory is E:\webroot, you can put the database in the E:\data folder and, in the database connection page under E:\webroot,
change the database connection address to "../data/#123 456.mdb". The database can then be called normally but cannot be downloaded, because it is not in the web directory! This method is also suitable for users who buy virtual space.

6: Use the ODBC data source
In ASP and similar programming, use an ODBC data source whenever conditions allow, and do not write the database name in the program. Otherwise, the database name is disclosed together with the ASP source code whenever the source code is disclosed.
For example:
conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("../123/ABC/asfadf.mdb")
As you can see, however strange the database name and however deep the hidden directory, the database is easily downloaded once the ASP source code has been disclosed.
If you use an ODBC data source, there is no such problem: conn.Open "ODBC-DSN name". The drawback is that if the directory moves, you have to set up the data source again!

7: Add an application extension mapping for database extensions such as .mdb
This method is implemented by modifying the IIS settings. It is suitable for those who have control over IIS and is not suitable for users who buy virtual hosts (unless the administrator has already set it). I think this method is the best at present. One change protects the databases of the entire site from being downloaded. You do not need to modify any code, and downloading is prevented even if the target address is exposed.

Settings:
In IIS properties --- home directory --- configuration --- mapping --- application extensions, add an application mapping for the .mdb file extension. Note that the DLL (or EXE) selected here does not seem to be arbitrary. If you choose improperly, the MDB file can still be downloaded. You are advised not to select asp.dll. You can run several tests of your own.
After this, an attempt to download the database, for example http://bbs.bccn.net/data/dvbbs6.mdb, returns a 404 or 500 error.

8: Advantages of using .NET
"Wooden bird" on the Internet wrote a "WBAL anti-leech tool" to prevent illegal file downloads. I remember that some cool people in this forum once published a database anti-download plug-in, which was loaded into IIS as a .dll.
However, it only prevents non-local downloads and does not provide a real anti-download function. However, this method is similar to the 5th:
you can modify the .NET file to disable local download!

Of these methods, only the 7th and 8th are applied in one place: after one configuration change, the databases of the entire site are protected from being downloaded. The other methods require changing the database name and the connection file for each database, which is troublesome, but for users of virtual hosts this is the only option!

In fact, the 6th method should be seen as an extension of the 5th method that can implement special functions. On a host that does not support .NET, or if you fear setup trouble, you can still use the 5th method directly. By default, with the 6th method a link can still be copied to a forum or message book on the same host and then clicked to download (because the referring page is on the same host).

Each of these methods has its strengths and weaknesses; choose among them as appropriate. None of these methods is absolutely secure. Website administrators also need to pay attention to the security of the system and of the ASP code they write. Otherwise, the database may still be downloaded or modified!
