Databases are the foundation of website operation and an element of a website's survival; both individual and enterprise users depend heavily on them. However, many malicious attackers equally "value" website databases. For personal websites, constrained by the conditions of website construction, Access databases have become the first choice of most personal webmasters. However, Access databases carry many security risks. Once an attacker finds the storage path and file name of the database file, the Access database file with the ".mdb" suffix can be downloaded, and a lot of the website's important information is exposed at a glance, with terrible consequences. Of course, you may have adopted various measures to enhance the security of the Access database file, but are they really effective?
A Protection Measure with a Vulnerability
The most widely used protection measure for Access database files is to change the database file's suffix from ".mdb" to ".asp" and then modify the database address in the database connection file (such as conn.asp), so that even if others know the file name and storage location of the database file, they cannot download it.
1. The seemingly secure principle
This is the most popular method on the Internet for enhancing Access database security, and it comes with a powerful "theoretical basis".
The reasoning is that ".mdb" files are not processed by the IIS server but are output directly to the Web browser, whereas ".asp" files are processed by the IIS server, so the Web browser displays the processing result, not the content of the ASP file.
However, this ignores a very important question: what exactly does the IIS server process in an ASP file? Here, I would like to remind you that only the content between the "<%" and "%>" markers in an ASP file is processed by the IIS server, while all other content is output directly to the Web browser. Does your database file contain these special markers? Even if it does, Access may apply special processing to the "<%" and "%>" markers in the document so that they have no effect. Therefore, a database file with the ".asp" suffix is not secure either and can still be maliciously downloaded.
2. The hole in the "security coat"
The author also believed in the validity of this method at first. However, facts speak louder than words: an unintentional experiment thoroughly exposed this rumor.
The author first renamed the database file "cpcw.mdb" to "cpcw.asp" and then uploaded it to the website server.
Run FlashGet and open the "add download task" dialog box. In the "url" field, enter the storage path of the "cpcw.asp" file, and then enter "cpcw.mdb". After the download, the author found that "cpcw.mdb" could be opened without any trouble, and the information stored in it was displayed at a glance. This fully demonstrates that simply changing the database file's suffix from ".mdb" to ".asp" still leaves a security risk.
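
A defender-side check for the situation described above, as an added example that is not part of the original article: it walks a Web directory and reports every file whose header identifies it as an Access database, whatever suffix it carries, and whether it contains a "<%" marker at all. The function names and the sample directory tree are constructed for this example.

```python
import os
import tempfile

# Access files start with 00 01 00 00 followed by one of these names at offset 4.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")


def is_access_database(header: bytes) -> bool:
    """True if the first bytes of a file carry the Jet/ACE header signature."""
    return any(header[4:4 + len(sig)] == sig for sig in JET_SIGNATURES)


def audit_webroot(root: str) -> list[dict]:
    """Report every Access database under root, whatever suffix it carries."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if not is_access_database(data[:32]):
                continue
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                # Suffix differs from .mdb: the rename trick is in use.
                "disguised": not name.lower().endswith(".mdb"),
                # Without "<%" IIS has nothing to execute and returns the raw bytes.
                "has_asp_marker": b"<%" in data,
            })
    return findings


def build_sample_webroot(root: str) -> None:
    """Constructed sample tree: one renamed database, one plain one, one real page."""
    fake_db = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    os.makedirs(os.path.join(root, "data"))
    samples = {
        "data/cpcw.asp": fake_db,
        "data/data.mdb": fake_db,
        "index.asp": b"<% Response.Write \"hello\" %>",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_webroot(webroot)
        for finding in audit_webroot(webroot):
            print(finding)
```

Any finding inside the Web directory is a file that can be fetched over HTTP once its path is known; "disguised" findings are databases relying on the suffix change alone.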
No Absolute "Security", Only Relative "Security"
Nothing is absolute, so enhancing the security of Access database files is only relative. After all, Access is only suited to small database solutions, and it has many inherent shortcomings, especially in security.
The methods we use only enhance the security of Access database files and cannot achieve absolute security; after all, the inherent problems cannot be solved. Below I will introduce some methods for you. Although they cannot completely prevent others from downloading the Access database file, as long as you make good use of them, the Access database file will be more secure.
Method 1: Complex database file names
To download an Access database file, one must first know its storage path and file name. If you change the database file name to something more complex, those with "unfriendly" intentions will have to spend more time guessing the database file name, which in effect enhances the security of the Access database.
Many ASP programs, for ease of use, name their database file "data.mdb", which greatly facilitates experienced attackers. If we make the database file name more complex, others cannot guess it. For example, change "data.mdb" to "1rtj0ma27xi.mdb", and then modify the corresponding information in the database connection file. In this way, the Access database is relatively more secure. This method is suitable for users who rent Web space.
Disadvantage: once someone sees the content of the database connection file (such as conn.asp), a complicated file name no longer helps.
Method 2: Use an ODBC data source
Many website Web applications store the database file's storage path and file name in the database connection file. Once the contents of these connection files are leaked, the database is exposed no matter how complex the file name is.
In this case, you can use the ODBC data source method. Even if the content of the connection file is leaked, others can only learn the name of the ODBC data source used by the website program; the database file's storage path and file name cannot be found.
This requires manually modifying the database connection file (such as conn.asp) and creating the ODBC data source. The following uses the author's forum program as an example.
DBPath = Server.MapPath("./data/1rtj0ma27xi.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
Change these lines to Conn.Open "rtjmaxi", where "rtjmaxi" is the ODBC data source name.
Create an ODBC data source named "rtjmaxi" on the IIS server, specify the location of the "1rtj0ma27xi.mdb" database file in it, and then click "OK" to complete the configuration.
Disadvantage: this method is not suitable for users who rent Web space. To use the ODBC data source method, you must have permission to manage and maintain the IIS server.
Method 3: Change the storage location
In general, Access database files are stored in the corresponding Web directory. Many hackers use this pattern to find and download database files.
Therefore, you can change the storage location of the database file: store it in a folder outside the Web directory, making it difficult for hackers to guess the storage location.
Then modify the database file information in the database connection file (such as conn.asp), and the Access database file is more secure. Even if the attacker finds the database file's storage path, because the database file is outside the Web directory, attackers cannot download it through HTTP.
For example, the IIS website's Web directory is located in "D:\wwwroot", and "1rtj0ma27xi.mdb" is stored in the "DATA" folder under the Web directory. Move the database file to the "D:\CPCW" folder outside the Web directory. Then modify the database connection file, changing "DBPath = Server.MapPath("./data/1rtj0ma27xi.mdb")" to "DBPath = Server.MapPath("../cpcw/1rtj0ma27xi.mdb")", and the Access database file is more secure. Although the database file is not stored in the Web directory, this does not affect the ASP program's access to the database.
Disadvantage: this method is not suitable for users who rent Web space, because moving the database file out of the Web directory usually requires considerable permissions.
The methods above enhance the security of Access database files to different degrees, but you cannot regard them as a "magic bullet". After all, the network environment is complex and the destructive means of hackers are constantly increasing. You can select several methods according to your own needs and use them together; the effect is ideal, and the Access database file is more secure.