Several methods to prevent ACCESS database downloads

I tried it with animator yesterday and renamed the data. mdb file to the data. asp file and put it in the wwwroot directory. Then input data in IE. after asp path, IE is displayed blank. Right-click to view the source file, jump out of notepad, and save the content. mdb file, opened with ACCESS, found that the password is required, that is, at least the file header is damaged.

Use Flashget to download the data. asp file and save it as a data. mdb file. You can find that ACCESS is used to open the file intact! It seems that some programmers thought it was wrong to change the mdb suffix to asp to prevent downloading! Downloading background databases is a terrible disaster for an asp + access website. I found articles from various parties today and summarized the following nine methods to prevent the database from being downloaded (please add them ).

1. Use your imagination to modify the database file name

Needless to say, this is the most lazy method, but if an attacker obtains the database path through a third-party channel, it will be done. For example, if an attacker could only obtain the list permission and accidentally saw the database path, he could download the database and study it. In addition, the data file size is usually relatively large, and hidden file names cannot be concealed. Therefore, the confidentiality is the lowest.

2. Change the database name suffix to ASA, ASP, etc.

This method must be used with some settings, otherwise the situation at the beginning of this article will appear.

(1) Add binary fields.

(2) When this file is added, IIS will parse it according to ASP syntax, and then it will report Error 500, so it cannot be downloaded. However, it is useless to simply add <% in the text or remarks field of the database, because ACCESS will process the content, it will exist in the database in the form of <%, invalid! The correct method is to store <% Into the OLE object field, so that our goal can be achieved.

Operation Method:

First, use notepad to create a text file whose content is <%.

Next, use Access to open your database file, create a new table, create a name, add an OLE object field to the table, add a record, and insert the text file created earlier, if the operation is correct, you can see a new record named "data packet. You can.

3. Add "#" before the Database Name "#"

You only need to add # To the front Name of the database file, and then modify the database address in the database connection file (such as conn. asp. The principle is to download the part can only recognize # before the first name, for the next automatic removal, such as you want to download: http://www.pcdigest.com/date/#123.mdb (if there is ). Both IE and FLASHGET are http://www.test.com/date/index.htm (index. asp, default. jsp, etc. You are on the IIS settings of the home page documentation ).

In addition, retaining some spaces in the database file name also plays a similar role. Due to the special nature of the HTTP protocol for address resolution, the space will be encoded as "%", such as Encoding. Our directory does not have the 123% 456. mdb file at all, so the download is also invalid. After such a modification, even if you expose the database address, it is generally impossible for others to download it!

4. Encrypted Database

First, choose tools> Security> encryption/Decryption database, and select the database (for example, employer. mdb), and then click OK. Then, the window "Save the database encrypted and saved as: employer1.mdb" appears. Then employer. mdb will be encoded and stored as employer1.mdb .. note that the above actions are not to set a password for the database, but to encode the database files to prevent others from using other tools to view the contents of the database files.

Next, we encrypt the database. First, we open the encoded employer1.mdb, and select the "exclusive" mode when opening it. Choose tools> Security> set database password from the menu, and enter the password. In this way, even if someone else gets the employee 1.mdb file, he cannot see the employee 1.mdb without a password.

After encryption, modify the database connection page, for example:

Conn. open "driver = {microsoft access driver & nb sp;
(*. Mdb)}; uid = admin; pwd = Database Password; dbq = database path"
 

After this modification, even if the database is downloaded, it cannot be opened (provided that the password on your database connection page is not leaked ).

However, it is worth noting that the encryption mechanism of the Access database is relatively simple, and it is easy to decrypt even if a password is set. The database system creates an encryption string by comparing the password entered by the user with a fixed key and stores it in *. the mdb file starts from the address "& H42. Therefore, a good programmer can easily create dozens of rows of small programs to easily obtain the password of any Access database. Therefore, as long as the database is downloaded, its information security remains unknown.

5. Store the database outside the WEB directory or store the database connection file in another virtual directory.

If your WEB directory is e: webroot, you can put the database in the e: data folder and modify the database connection address :".. /data/Database Name ", so that the database can be called normally, but cannot be downloaded, because it is not in the WEB directory! This method is generally not suitable for users who buy virtual space.

6. Use ODBC Data sources

In programming such as ASP, if conditions are met, try to use the ODBC Data Source. Do not write the database name in the program. Otherwise, the database name will be lost along with the password of the ASP source code. For example:

DBPath = Server. MapPath ("../123/abc/asfadf. mdb ")
Conn. open "driver = {Microsoft Access Driver & nb sp; (*. mdb)}; dbq =" & DBPath
 

It can be seen that even if the database name gets weird, the hidden directory goes deeper, and the ASP source code is easily downloaded after the password is lost. If you use an ODBC data source, you will not have this problem: conn. open "ODBC-DSN name", but this is more annoying, if the directory is moved, you have to re-set the data source, more convenient way please see the 7, 8 method!

7. Add the extended MDB ing of database names such as MDB

This method is implemented by modifying the IIS settings. This method is suitable for friends who have control over IIS and is not suitable for users who buy virtual hosts (unless the Administrator has already set it ). I think this method is the best at present. The database of the entire site can be modified to prevent downloading. You do not need to modify the code to prevent download even if the target address is exposed.

In IIS properties --- main directory --- configuration --- ing --- application extension, add the application parsing of the. mdb file. Note that the selected DLL (or EXE) here does not seem arbitrary. If you choose improperly, the MDB file can still be downloaded. You are advised not to select asp. dll. You can perform multiple tests on your own. Download the modified database, for example, http://www.test.com/data/dvbbs6.mdb, and the Error 404 or 500 will occur ).

8. advantages of using. net

The wooden bird on the Internet has written a "WBAL anti-leech tool" to prevent illegal file downloads ".

However, it only prevents non-local downloads and does not provide a real anti-download function. However, this method is almost the same as Method 5. You can modify the. NET file to achieve local download!

Only 7th and 8 of these methods are uniformly modified. After a configuration is modified, the database of the entire site can be prevented from being downloaded. The other methods need to modify the Database Name and connection file respectively, it is troublesome, but this is also the only option for virtual host friends!

In fact, 6th methods should be extended by 5th methods, which can implement special functions, but are not supported. net host or for fear of setup troubles, we still use the 5th method directly. By default, the 6th methods can still be copied and connected to the same host's forum or message book for publishing, then you can click Download. (Because the reference page is from the same host)

9. use NTFS partition File Permission settings (bypercyboy)

We already know that ASP. NET uses ADO. NET to Access the database and can Access the Access database through the OleDb connection-one of our very common low-end databases. This article discusses several error prompts that may be seen in ASP. NET, from which you can see database files created by Access2000 and AccessXP. Different error prompts will appear when access errors occur. Hope to help you. Another key point is to use this article to give you a new understanding of the NTFS permission settings for Access database files in ASP. NET.

(1) experiment process

For the sake of convenience, let's take an experiment: The application is/test, and the data inventory is stored in D: wwwrootestdatadb1.mdb, which we already know in ASP. NET accesses the database as an asp net virtual user. We need to grant this account specific NTFS permissions to Make ASP.. NET program runs normally.

To get the strictest NTFS permission settings, we will give the program the lowest NTFS permission at the beginning of the experiment:

A) D: grant the following permissions to aspnet in the wwwrootestdata Folder:

Reject allowed
Full Control & n bsp; □□
Modify & nbs p; □□
Read and run √ □;
List folder directories; √ □
Read & nbs p; √ □
Write & nbs p; □□
 

B) D: The wwwrootestdatadb1.mdb file itself grants the user ASPNET the following permissions:

√ Allow propagation of inherited permissions from parent to this object

1.1 For An aspx program that only contains the "SELECT" command, the above permission settings are not available during running, that is, the above permissions have met the operation of such programs.

1.2 For aspx programs that contain commands such as "UPDATE" "INSERT" "UPDATE.

(A) If db1.mdb is a database created by Access2000, the following error occurs:

Server error in the "/test" application.

The Microsoft Jet Database Engine cannot open the file D: wwwrootestdata. It has been opened exclusively by another user or has no permission to view data.

Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.

Exception details: System. Data. OleDb. OleDbException: the Microsoft Jet Database Engine cannot open the file D: wwwrootestdata. It has been opened exclusively by another user or has no permission to view data.

(B) If db1.mdb is a database created by AccessXP, the following error occurs:

Server error in the "/test" application.

The operation must use an updatable query.

Note: An unhandled exception occurs during the execution of the current Web request.