Prevent Access databases from being downloaded

Source: Internet
Author: User
Tags date iis odbc access database root directory
The database is the core of a site, and all SQL intrusion is directed at the database. Once the site's database is downloaded, even if your database is MD5-encrypted, it can be cracked by brute force. Losing users' information harms both yourself and your users.
How do you prevent the database from being downloaded?
Here is an article I picked from the Internet.
-------------------------------------------------------------------------------------------

Several ways to prevent the database from being downloaded


Many dynamic sites make heavy use of databases, and the database is naturally a core file of a site. Once the database is downloaded, it is highly likely that malicious people will damage the site or steal information. Is there any way to prevent the database from being downloaded?

The methods provided below apply both to users of virtual host space and to users with IIS control!
One: Purchased virtual host space, suitable where there is no IIS control

1: Use your imagination and change the database file name
This is the most basic. I don't think there are many people who don't bother to change their database file names right now. What to change it to is up to you, but at least make sure the file name is complex and cannot be guessed. Of course, this assumes that directory browsing is not enabled on the directory where your database is located!

2: Change the database file suffix to ASA, ASP, etc.
I hear this is very popular, but I have tested it many times and found that it is not ideal. If you really want it to prevent downloads, you have to make settings such as adding binary fields. In a word: complicated, and more complicated (if you have a lot of databases, this method is not very good).

3: Add "#" before the database name
Just put a # at the front of the database file name, then modify the database address in the database connection file (such as conn.asp). The principle is that a download only recognizes the part of the name before the # and automatically drops what follows. For example, if you try to download http://www.pcdigest.com/date/#123.mdb (if present), whether with IE or FlashGet, what you get is http://www.pcdigest.com/date/index.htm (or index.asp, default.jsp, etc., whichever home page document you set up in IIS).
In addition, keeping some spaces in the database file name plays a similar role. Because of the particular way the HTTP protocol resolves addresses, the space is encoded as "%", so http://www.pcdigest.com/date/123 456.mdb becomes http://www.pcdigest.com/date/123%456.mdb when downloaded, and our directory has no file named 123%456.mdb, so the download also fails. After such modifications, even if you expose the database address, under normal circumstances others are unable to download it!

4: Encrypt the database
Open your database in exclusive mode with Access, set a password under Tools - Security - Set Database Password, and then update the database connection page to match, such as:
conn.Open "Driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"
After this modification, the database cannot be opened even if it is downloaded (provided that the password on your database connection page is not compromised).
However, it is worth noting that because the Access database encryption mechanism is relatively simple, decryption is easy even if a password is set. The database system XORs the password entered by the user with a fixed key to form an encrypted string, and stores it in the *.mdb file in the area starting at address "&H42". So a good programmer can easily write a program of a few dozen lines that obtains the password of any Access database. Therefore, once the database is downloaded, the security of its information is still in doubt.



Two: With host control (of course, the settings for virtual space above can still be used here)
5: Place the database outside the web directory
If your web directory is E:\webroot, you can put the database in the E:\data folder and, in the database connection page under E:\webroot, change the database connection address to "../data/database name". The database can then be called normally, but it cannot be downloaded, because it is not in the web directory! This method is generally not suitable for users who buy virtual space.
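
One way to check for what methods 1 to 3 leave behind and method 5 avoids, as an added example that is not part of the original article: the script recognises Access files by their header signature rather than by name, lists every one stored under the web root, and checks that a configured database path resolves outside it. The directory layout, file names and function names are constructed for the example.

```python
import os
import tempfile

# Jet (.mdb) and ACE (.accdb) files begin 00 01 00 00 + one of these ASCII tags.
JET_TAGS = (b"Standard Jet DB", b"Standard ACE DB")

def is_access_db(path):
    """True if the header carries the Jet/ACE signature, whatever the file name."""
    with open(path, "rb") as fh:
        head = fh.read(19)
    return head[:4] == b"\x00\x01\x00\x00" and head[4:19] in JET_TAGS

def find_exposed_databases(web_root):
    """Web-root-relative paths of every Access database stored under web_root."""
    hits = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            if is_access_db(full):
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)

def is_outside_web_root(db_path, web_root):
    """True if db_path resolves outside web_root, as method 5 requires."""
    root, target = (os.path.normcase(os.path.realpath(p)) for p in (web_root, db_path))
    return not (target + os.sep).startswith(root + os.sep)

def build_sample_tree(base):
    """Constructed sample: a web root holding renamed databases, data dir beside it."""
    header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64  # fake .mdb start
    web = os.path.join(base, "webroot")
    os.makedirs(os.path.join(web, "date"))
    os.makedirs(os.path.join(base, "data"))
    samples = [
        (os.path.join(web, "date", "#123.mdb"), header),   # method 3 naming
        (os.path.join(web, "date", "x9k2.asp"), header),   # method 2 naming
        (os.path.join(web, "index.htm"), b"<html></html>"),
        (os.path.join(base, "data", "site.mdb"), header),  # method 5 placement
    ]
    for path, content in samples:
        with open(path, "wb") as fh:
            fh.write(content)
    return web

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        print(find_exposed_databases(root))
        print(is_outside_web_root(os.path.join(tmp, "data", "site.mdb"), root))
```

Run against a real site, any path the first function returns is a database that the web server could be asked for by URL, whatever it has been renamed to.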

6: Use an ODBC data source.
In ASP and similar programs, use an ODBC data source whenever conditions allow, and do not write the database name in the program. Otherwise, if the ASP source code is disclosed, the database name is disclosed along with it.

For example:
DBPath = Server.MapPath("../123/abc/asfadf.mdb")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
As you can see, however strange the database name and however deep the hidden directory, once the ASP source code is compromised the database is very easy to download.
If you use an ODBC data source, there is no such problem:
conn.Open "ODBC-DSN name"
But this is more of a nuisance: if the directory is moved, the data source has to be set up again.
For a more convenient way, see methods 7 and 8!

7: Add an extension mapping for database extensions such as .mdb
This method is implemented by modifying the IIS settings. It suits those with IIS control and does not suit users who buy virtual hosting (unless the administrator has already set it up). I think this method is currently the best. You only need to modify one place, and every database on the site is protected from being downloaded. No code changes are needed, and downloads are prevented even if the target address is exposed.
Configure it as shown in Figures 1 and 2:


In IIS Properties - Home Directory - Configuration - Mappings - Application Extensions, we add an application mapping for .mdb files.
Note that the DLL (or EXE, etc.) selected here does not seem to be arbitrary: if it is chosen improperly, the MDB file can still be downloaded. Note that it is best not to choose asp.dll and the like.
You can test it yourself.
After this modification, downloading a database such as http://192.168.1.5/HaoBbs/data/dvbbs6.mdb produces a 404 or 500 error.

8: Use the advantages of .NET
"Wooden Bird" on the net has written a "WBAL anti-hotlinking tool" to prevent illegal downloading of files.
For details, see http://www.9seek.com/WBAL/
But that only prevents non-local downloads; it does not really prevent the database from being downloaded.
This method is, however, similar to method 5.
By modifying the .NET files, it can be made so that local downloads are not possible either!

Of these methods, only methods 7 and 8 are applied in one place: once the configuration is modified, every database on the site is protected from being downloaded. The others require modifying the database name and the connection file separately, which is more trouble, but for those on virtual hosts it is the only option!

In fact, method 6 should be an extension of method 5 and can implement special features, but for hosts that do not support .NET, or if you fear the trouble of setting it up, just use method 5 directly. Also, by default, with method 6 the link can still be copied and posted to a forum or guestbook on the same host, after which it can be clicked and downloaded (because such a referring page is from the same host).

Each of these methods has its own strengths; please use them selectively. These methods are not absolute security. Webmasters also need to pay attention to the security of the system and to the security of the asp/asp.net/jsp code itself, otherwise the database may still be downloaded or modified!
-------------------------------------------------------------------------------------------
Personally, I think that apart from the 7th method, which may be useful, the rest is bullshit. However, the 7th method does not work for users who purchase virtual host space. How can you effectively prevent the database from being downloaded?
The first method: the database naming method.
Making the database name more complex may be useless, because the database path may be exposed. Once someone exposes the database path by putting some illegal characters in the address bar, you're dead, too. Changing the database suffix to asa or asp, or putting # in front, is also not feasible; I tried, and it can be downloaded by Internet Express. So I have summed up my experience, and the general method is this.
Modify the database connection page conn.asp and, where you open the connection, write On Error Resume Next. This statement is to prevent the database path from being exposed. The database name is then changed to Global.asa, but not placed in the root directory of the site. So your database will not be illegally downloaded.
The second method: ASP error method.
Open your database and create a new table in it with a field named <%nodownload%> of data type Text, then add <%dsfsfsfsdf%> to the data; anything will do as long as it is not an ASP statement that can be parsed. The server will parse a file with an ASP suffix as an ASP file, but once there is an illegal ASP statement inside, one that cannot be parsed, a download attempt will show an ASP statement error in the first few lines, and the file cannot be downloaded.
The third method: Copy method.
First change the database to 1.asp, then create a new text file 1.txt and write in it
<%response.redirect "Err.htm"%>, which redirects to the err.htm page. Make an err.htm page; the code is as follows:
Then execute the following command under DOS: copy 1.asp/b+1.txt/a 2.asp
This is a merge copy: 1.asp is copied in binary mode and 1.txt in ASCII mode, synthesizing the new database 2.asp. Now, if someone exposes your database path and tries to download your database in the browser or with FlashGet, they can only download the err.htm file.
A little humble opinion.