include| Safety | Safety |include| Safety | What are the pros and cons of security include?
Do you know that include can contain the file itself? Yes. You can even include several times. The only limit is: You can't let a contain B, and B contains a. Such a loop inclusion is not allowed.
Another question is, can those files contain other files? In fact, by setting up IIS, you can allow any file type to use SSI. By default,. Shtm,.shtml,.asp,.stm is available by using include.
Let's see how to make certain file types use include. In Internet manager, bring up the Properties dialog box for the site, select the File Type button under MIME type, and execute new type, assuming the new type is:. Dark. Below you need to associate the. Dark file type with the SSInc.dll. The meaning of the association is that each time a client accesses the. Dark file type, the server-side include directives are executed.
In the site's Properties dialog box, select Home directory, select Application mappings, and then add a mapping:. Dark and SSInc.dll
Note that files that use include must allow execute script or execute permission. And if you don't need to use the inclusion in some type of file, simply delete the appropriate application mappings.
With regard to the benefits of using include, we have already spoken in the "What is include" article. If you agree with the following points, the benefits of include are obvious:
First: The greater the amount of code, the more bugs! The large amount of code means that the development cycle is long, which means increased input.
Second: The more times a piece of code is reused, the fewer bugs! The old code that you're still using is always bug free.
Using include precisely allows us to write as few code as possible and reuse code as much as we could. So, include is worthwhile.
About the naming of include files
Microsoft recommends that we bring an. inc suffix to each include file to differentiate between normal ASP and HTML files. However, many experts recommend that you do not give the include file a. Inc because this can pose a security issue. When a hacker knows or guesses the name of your include file, it can download from your site to your source program! Sometimes, this is a serious problem, especially if the include file contains the username and password of the database, or the connection string of the database!
So, it's best if you give the included file a seemingly normal name, like. Asp. When the hacker takes this file, it will not see the source program. If you really want to distinguish between normal files and include files, you can put the inclusion file in a different path.
What security issues are in include?
There are many articles on the web that discuss include security. This article analyzes why the include causes security problems and how to prevent them.
You may be similar to the following code stored in a file called Db.inc:
<%
Dim objconn
Set objconn = Server.CreateObject ("ADODB. Conection ")
objconn.connectionstring = "Driver={microsoft Access (*.mdb)};" & _
"Dbq=" & Server.MapPath ("/mydatabase.mdb")
objConn.Open
%>
You can try to drag the file from the browser: http://localhost/db.inc
You'll be surprised: The source program is already displayed on the browser. If it does not appear, you can also view the browser's source code to see! Perhaps you will say: I this include file name is very special, others are not to guess. Oh, really? If you have a page with errors, such as the following error message appears:
Microsoft VBScript Runtime error ' 800a004 '
Invalid Class String
/db.inc, Line 3
Or such a mistake:
Microsoft VBScript Runtime error ' 800a004c ' path was not found.
/db.inc, line 94
Your include file name will be exposed to no doubt! (You can set it up in Internet Manager without displaying detailed error messages to the browser).
Solution:
1, include the suffix of the file to take:. asp
2, all include files into the same directory, and prohibit this directory "read" permission.
