On asp+access Security Problem Analysis _ Application Skills

As we all know, Asp+access's biggest security risk is that Access databases can be
Downloads, and many of the ASP spaces now available are only supported in Access databases, so
Asp+access's security problem is very prominent.

Storage pitfalls in 1.Access databases
In a asp+access application system, if you get or guess the storage path for an Access database
Path and database name, the database can be downloaded to local.

2.Access database decryption Hidden trouble
Because the encryption mechanism for an Access database is very simple, even if the database is set up with a password,
Decryption is also easy. The database system uses the password entered by the user with a fixed key
Xor to form an encrypted string and store it in a *.mdb file from the address "&h42"
The beginning of the region. Because the difference or operation is characterized by "after two different or to restore the original value", because
This, with this key and the *.mdb file in the encryption string for the second time or operation, you can light
Loosen the password for the Access database. Based on this principle, it is easy to develop a decryption
Program.

This shows that no matter whether the database password is set, as long as the database is downloaded, its information has no security to speak of.

3. The security hidden danger in the program design
The ASP code uses form to implement the function of interacting with the user, and the corresponding content will
In the browser's address bar, if you do not use the appropriate security measures, just write down these
, you can bypass validation and go directly to a page. For example, in the browser typing "...
Page.asp?x=1 ", you can go directly to the page that satisfies the" x=1 "condition without the form page
Surface. Therefore, special measures must be taken to avoid such problems when designing validation or registration pages
The occurrence.

==========
Solution
==========

Improve the security of your database
Because the Access database encryption mechanism is too simple, how to effectively prevent access
The database is downloaded, and it becomes the most important to improve the security of the asp+access solution.

1. Unconventional nomenclature
An easy way to prevent a database from being found is to have a very complex Access database file
Rules the name and store it in a multi-layered directory. For example, for a database file on an online bookstore,
Do not simply name "Book.mdb" or "store.mdb", but rather an unconventional
Name, for example: Faq19jhsvzbal.mdb, and then put it in
such as./akkjj16t/kjhgb661/acd/avccx55 in the deep directory. In this way, for
Some ways to get Access database file names by guessing illegal access to a valid
Blocking effect.

2. Using an ODBC data source
In ASP program design, should use ODBC data source as far as possible, do not write the database name directly in
In the program, otherwise, the database name with the source code of the ASP compromised with the official secrets. For example:
DBPath = Server.MapPath ("./akkjj16t/
Kjhgb661/acd/avccx55/faq19jhsvzbal.mdb ")
Conn. Open driver={microsoft Access Driver (*.mdb)};d bq= "& DBPath
Visible, even if the name of the database is again strange, hidden directory again deep, the ASP source code compromised
, the database is also easy to download. If you are using an ODBC data source, there is no such
of the problem:
Conn.Open "ODBC-DSN name"
Encrypt an ASP page
To effectively prevent the leakage of ASP source code, you can encrypt ASP pages. There are generally two kinds of side
method to encrypt an ASP page. One is to encapsulate programming logic into DLLs using component technology;
Another is to use Microsoft's script Encoder to encrypt ASP pages. However, using group
The main problem of the technology is that each piece of code needs to be modular, the operation more cumbersome, the workload is
, while using script Encoder to encrypt ASP pages, the operation is simple and results are very good.
The Script encoder method has many advantages:

⑴.html still has a good editable nature. Script encoder only encrypted in HTML page
Embedded ASP code, other parts remain unchanged, which allows us to still use the
FrontPage or Dreamweaver and other common Web page editing tools to modify the HTML section, finished
Good, just cannot modify the ASP encryption part, otherwise will cause file invalidation.
⑵. Simple to operate. Just master a few command-line arguments. Script Encoder Run
The program is Screnc.exe, and its use is as follows:
Screnc [/S] [f] [/XL] [/L deflanguage] [/e defextension] inputfile outputfile
The parameter meanings are as follows:
S: Shielding screen output;
F: Specifies whether the output file overwrites the input file with the same name;
XL: Whether to add a @language directive at the top of the. asp file;
L:DEFLANGUAG Specifies the default scripting language;
e:defextension specifies the extension of the file to be encrypted.
⑶. You can bulk encrypt files. You can use the Script encoder to
ASP files, and the encrypted files are uniformly exported to the corresponding directory. Cases
Such as:
Screnc *.asp C:\Temp
⑷. Script encoder is free software. The encryption software can be downloaded from the Microsoft website:
Http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the installation.

Registering with the Session object for authentication
To prevent unregistered users from bypassing the registration interface directly into the application system, you can use the session object for registration verification. The biggest advantage of the session object is that you can keep a user's information for subsequent pages to read.

3. Change the database name extension
You can also change the database extension to. asp, and of course when you locate the database
Use a file name like database.asp so that the database is not easily downloaded, and the data
It is also possible to read out writes normally.

4. Add the wrong ASP code to the database
If you think it's okay to finish the 3rd item, that's wrong, though the database extension
became. asp, but when the other side guessed your database path can still be downloaded, only
But a little slower, the other side can wait for the page completely open later "Save as" on it. To solve
This issue can be used to load the ASP code that adds errors to the database. You can start by creating a hidden
Table, with only one column in the table, and insert such a row:

This way, when the other side opens the database page, only the error message of the ASP script appears, not
will download your database.

5. A case of solving the hidden Trouble in program design
Most people think that the site will not be able to enter as long as the login password is added. And please look at the
Validation statements for faces:

Sql= "Select Uname,pwd from Uinfo where"
sql=sql& "Uname= '" &request.form ("uname") & ""
sql=sql& "and pwd= '" &request.form ("pwd") & "'"
Rs.Open sql,conn,1,1
If rs.eof or Rs.bof then
Response.Write "Sorry, wrong username/password!" "
Else
Response.Write "Login Successful! "
End If

There may already be readers who can see that this code is very dangerous as long as the other person knows the username
Can login, you can enter in the Password box "' or ' 1 ' = ' 1" on it, its principle is very
Simple, is the use of SQL query statements, we note that the use of this method to submit a later SQL statement
becomes: (if the user is named Administrator)
Select Uname,pwd from Uinfo where uname= ' Administrator ' and pwd= ' or ' 1 ' = ' 1 '
If the username administrator exists, then the record can be selected.
After all, of course, you can log on normally.

Solution:

Sql= "Select Uname,pwd from Uinfo where"
sql=sql& "Uname= '" &request.form ("uname") & ""
Rs.Open sql,conn,1,1
If rs.eof or Rs.bof then
Response.Write "Sorry, this site does not have this user!" "
Else
If Rs.fields ("pwd") =trim (Request.Form ("pwd")) Then
Response.Write "Login Successful! "
Else
Response.Write "Wrong username/password!" "
End If
End If