For personal sites, constrained by the conditions under which they are set up, the Access database has become the preferred choice of most personal webmasters. However, the Access database itself has many security weaknesses: once an attacker finds the storage path and file name of the database file, the Access file with the ".mdb" suffix can be downloaded, and much of the website's important information is exposed, which is a frightening prospect. Of course, you may have taken various measures to strengthen the security of your Access database files, but are they really effective?
Protective measures with vulnerabilities
One of the most widely circulated protections is to change the suffix of the Access database file from ".mdb" to ".asp", and then update the database address in the database connection file (such as conn.asp). This is said to make the file impossible to download even if someone knows its name and storage location.
This is one of the most popular ways to enhance Access database security, and it has a strong "theoretical foundation".
The reasoning is that an ".mdb" file is not processed by the IIS server, so its content is sent directly to the Web browser, whereas an ".asp" file is processed by the IIS server, and the Web browser displays the processing result rather than the contents of the ASP file.
But this ignores a very important question: what does the IIS server actually do with an ASP file? Only the content inside the "<% %>" identifiers in an ASP file is processed by the IIS server; all other content is sent directly to the user's Web browser. Does your database file contain these special identifiers? Even if it does, Access may handle the "<% %>" markers in the file specially and invalidate them. Therefore, a database file with the ".asp" suffix is also unsafe and can be downloaded maliciously.
Faced with this persuasive theory, and with so many people echoing it, the author also began to believe in the effectiveness of this method. But facts speak louder than words: an unplanned experiment led the author to completely debunk this rumor.
The author first renamed a database file named "Cpcw.mdb" to "Cpcw.asp" and uploaded it to the website server. Then, in FlashGet, the author opened the Add New Download Task dialog box, entered the storage path of the "cpcw.asp" file in the URL field, and entered "Cpcw.mdb" in the Rename field. After the download finished, "Cpcw.mdb" opened without any problem, and the information stored in it was visible at a glance. This shows clearly that simply changing the database file's suffix from ".mdb" to ".asp" still leaves a security risk.
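A site owner can check their own web root for this situation. The following is an added example, not code from the original article: it identifies Access databases by their Jet file signature rather than by extension, and reports whether each one contains the "<%" delimiter at all. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Jet 3/4 .mdb files start with 00 01 00 00 followed by this ASCII signature.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB\x00"
ASP_OPEN = b"<%"  # ASP script delimiter; only text inside <% %> is executed


def is_access_db(path):
    """Identify an Access database by content, ignoring the file extension."""
    with open(path, "rb") as fh:
        return fh.read(len(JET_MAGIC)) == JET_MAGIC


def audit_webroot(webroot):
    """Return one finding for every Access database stored under the web root."""
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            path = os.path.join(folder, name)
            if not is_access_db(path):
                continue
            with open(path, "rb") as fh:
                has_script = ASP_OPEN in fh.read()
            findings.append({
                "file": os.path.relpath(path, webroot),
                "renamed": not name.lower().endswith(".mdb"),
                "contains_asp_delimiter": has_script,
            })
    return findings


def build_sample_webroot():
    """Constructed sample: a fake Jet file renamed to .asp beside a real ASP page."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "cpcw.asp"), "wb") as fh:
        fh.write(JET_MAGIC + b"\x00" * 64 + b"constructed table data")
    with open(os.path.join(root, "conn.asp"), "wb") as fh:
        fh.write(b'<% Set conn = Server.CreateObject("ADODB.Connection") %>')
    return root


if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        print(finding)
```

A finding with "renamed" true and "contains_asp_delimiter" false is a database that IIS would pass through to the browser unchanged, which is the case the experiment above demonstrates.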
There is no "safest", only "safer"
Nothing is absolute, so any improvement to the security of an Access database file is only relative. After all, Access is suited only to small database solutions and has inherent shortcomings, especially in terms of security.
The various methods in use only improve the security of Access database files in relative terms; they cannot achieve absolute security, because the inherent shortcomings cannot be fixed. The following methods cannot completely prevent people from downloading Access database files, but as long as you use them, your Access database files will be more secure.
Method One: Use a complex database file name
To download an Access database file, an attacker must first know its storage path and file name. If you change a very simple database file name to a more complex one, those "malicious" people will have to spend more time guessing it, which in effect improves the security of the Access database.
For the convenience of users, many ASP programs usually name their database file "Data.mdb", which greatly helps experienced attackers. If we make the database file name more complex, it will not be easy for others to guess: for example, rename "Data.mdb" to "1rtj0ma27xi.mdb", and then update the corresponding information in the database connection file. This makes the Access database relatively safe. This method is suitable for users who rent web space.