Manually solving security risks of open-source applications

To install a website program, first modify the default database file name or path. This is the first note for website security. How can I change the database file name and path to ensure the normal operation of the website program? 1. Attackers can analyze the "conn. asp" file to find the default database file name and path. In fact, in many website programs, "conn. asp" is often a convention commonly known as the website database connection file. Most website programs usually need to modify the default database file name and path. Open "conn. asp files usually see code similar to Db = "data/dvbbs7.mdb". This is the code used to define the database path and file name. Modify the database file name and path, as shown in the following figure: Db = "data2/dada2020.asp ". The database path should be modified as few as possible, and the database file name should also be modified to avoid being guessed by attackers. In addition, the suffix of the database file name can be changed to. asp, so the security will be much higher. When accessing the. asp database file in a browser, the database file will be parsed as an asp Webpage file, so garbled content is directly displayed and cannot be downloaded. In addition, you can add a "#" in the database file name to prevent the database from being downloaded. This is because "#" in the URL link is treated as a truncation character, IE will automatically ignore the content after #, so you cannot download or access the real file name. For example, you can change the file name path in the previous code to "data2/dada #2020. asp". When you access the file in IE, you will be prompted that the webpage cannot be found. 2. After modifying the database path in the database connection file "conn. asp", you also need to rename the original database file and move it to the specified path. Open the website program directory, change the "data" folder under it to the specified path "data2", and change the default database file name "dvbbs7.mdb" to "data2/dada #2020. asp. However, it should be noted that the above modification is not enough. The two methods described above can only prevent direct database download attacks. Attackers may also bypass these restrictions by using other methods to attack the database.