Personal website security starts from the reasonable management of database

Source: Internet
Author: User
Tags access database security iis odbc website server access database
Security | personal website | data | database

Database, the foundation of the website operation, the elements of the website survival, both individual users and enterprise users are very dependent on the support of the website database, however, many of the attackers who have ulterior motives also "value" the website database.

For personal sites, by the conditions of the establishment of the restrictions, Access database has become the majority of personal webmaster preferred. However, the Access database itself has a lot of security implications, and once an attacker finds the storage path and file name of the database file, the Access database file with the suffix ". mdb" is downloaded , and many of the important information in the Web site is very scary. Of course, you have taken various measures to enhance the security of Access database files, but really effective?

Protective measures with vulnerabilities

One of the most widely circulated Access database file protections is to change the suffix name of an Access database file from ". mdb" to ". asp", and then modify the database address content in the database connection file (such as conn.asp). This makes it impossible to download even if someone knows the file name and storage location of the database file.

1. The principle of seemingly safe

This is one of the most popular ways to enhance Access database security, and there is a strong "theoretical foundation".

Because the ". mdb" file is not processed by the IIS server, the content is exported directly to the Web browser, and the ". asp" file is processed by the IIS server, and the Web browser displays the processing results, not the contents of the ASP file.

But you're ignoring a very important question, which is what the IIS server does with the ASP document. Here I would remind you that only the contents of the "<%" and "%>" markers in the ASP file are processed by the IIS server, while the other content is directly exported to the user's Web browser. Do you have these special identifiers in your database file? Even if you do, access may have special handling for the "<%" and "%>" markers in your document, making them invalid. Therefore, a database file with the suffix ". asp" is also unsafe and will be downloaded maliciously.

2. A loophole in a "safety cloak"

In the face of the persuasive theory, as well as the people's Echo, the author also began to believe that the effectiveness of this method. But the facts speak louder than words, an unintentional experiment, let the author completely debunk this rumor.

The author first named "Cpcw.mdb" Database file renamed "Cpcw.asp", and then uploaded to the website server.

Run FlashGet (Figure 1), enter the Add New Download Task dialog box, enter the storage path for the "cpcw.asp" file in the URL field, and then enter "Cpcw.mdb" in the Rename column. After downloading, the author found that the "Cpcw.mdb" can be opened very smoothly, and the information it stores is also at a glance. This is a good explanation for simply changing the suffix ". mdb" of the database file name to ". asp" or a security risk.

no most "safe", only more "secure"

Nothing is absolute, so enhancing the security of an Access database file is only relative. After all, access can only be used for small database solutions, which are inherently congenitally deficient, especially in terms of security.

We have adopted a variety of methods, but also only relatively enhanced access to the database file security, and can not achieve absolute security, after all, congenitally deficient problems can not be solved. The following is an introduction to some methods, although you can't completely prevent people from downloading Access database files, but as long as you use them, Access database files will be more secure.

Method One: The database file name should be complex

To download an Access database file, you must first know the storage path and file name of the database file. If you modify a very simple database file name more complex, so those "malicious" people will spend more time to guess the database file name, virtually enhance the Access database security.

Many ASP programs for the convenience of users, its database files are usually named "Data.mdb", which greatly facilitates the experienced attackers. If we modify the database file name more complex, others will not be easy to guess, such as "Data.mdb" modified to "1rtj0ma27xi.mdb", and then modify the database connection files in the appropriate information. This way, the Access database is relatively safe. This method is suitable for users who rent web space.

The disadvantage: Once you view the contents of a database connection file (such as conn.asp), the complex file name does not help.

Method Two: Use ODBC data source

Many Web site Web programs store the Access database file's storage path and file name in the database connection file. Once the contents of these connection files are leaked out, no matter how complex the database file name is, the trail will be exposed.

You can use the ODBC data source method, even if the contents of the connection file leak, others can only know the Web site program used ODBC data source name, and the database file storage path and file name can not be found.

Manually modify the contents of a database connection file, such as conn.asp, and create an ODBC data source. Following the author's forum program as an example, first of all, the conn.asp document

DBPath = Server.MapPath ("./data/1rtj0ma27xi.mdb")

Conn. Open "Driver={microsoft Access driver (*.mdb)};d bq=" & DBPath

Modified to: Conn.Open "Rtjmaxi", where "rtjmaxi" refers to the ODBC data source name.

Next, create a new ODBC data source named "Rtjmaxi" in the IIS server (Figure 2), specify the location of the "1rtj0ma27xi.mdb" database file, and then click "OK" to complete the configuration.

Disadvantages: This method is not suitable for users who rent web space, and to use the ODBC data source method, you must have permission to administer and maintain the IIS server.

Method Three: Change storage location

In general, Access database files are stored in the appropriate Web directory, and many hackers use this rule to find and download database files.

Therefore, you can change the location of the database file storage, the database file in a folder outside the Web directory, so that hackers difficult to guess where to store.

Then modify the database file information in the database connection file (such as conn.asp) so that the Access database file is much more secure. Even if an attacker finds a storage path to a database file through a connection file, the attacker cannot download the database file via HTTP because the database file resides outside the Web directory.

For example, the Web directory of the IIS Web site is located under "D:\wwwroot", where "1rtj0ma27xi.mdb" is stored in the "DATA" folder under the Web directory, and now the author moves the database file to the D:\CPCW folder outside the Web directory. Then modify the database connection file and modify "Dbpath=server.mappath (./data/1rtj0ma27xi.mdb") to Dbpath=server.mappath (". /cpcw/1rtj0ma27xi.mdb ")" so that the Access database files are much more secure. Although the database file is not stored in the Web directory, it does not affect the ASP program's access to the database.

Disadvantages: This method is not suitable for users who rent web space, because it generally requires a lot of permissions to move an Access database file to a web directory.

The above methods, to varying degrees, enhance access to the database file security, but we can not treat them as "elixir", after all, the network environment is complex, the hacker's means of destruction is also increasing, we can according to their own needs, choose a variety of ways to use together, the effect is ideal, Access database files are more secure.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.