Technical protection measures for web database sites

Source: Internet
Author: User
Tags: iis, modify, ole, access, database

Q: Web database sites often need to verify that a user is legitimate before information is retrieved. What kinds of technical protection measures can such a site use?

A:

As network administrators, we all know that the database holds the core secrets of a site and is often the attacker's real target, so protecting the database cannot wait.

The methods summarized by predecessors are as follows:

1. Use your imagination to rename the database file

Needless to say, this is the laziest method, but if an attacker learns the database path through some third-party channel, the game is over. For example, an attacker who originally had only directory-listing rights unexpectedly sees the database path and can then download the database to study it. In addition, data files are usually large, so a disguised file name does not fool anyone. This method therefore offers the lowest confidentiality.

2. Change the database file extension to ASA, ASP, etc.

This method has to be combined with some additional settings, or else the situation mentioned at the beginning of this article will appear

(1) Add a binary field (I have not yet mastered this trick -_-+).

(2) If <% appears in this file, IIS parses it according to ASP syntax and then reports a 500 error, so the file naturally cannot be downloaded. But simply adding <% to a Text or Memo field in the database does not work, because Access processes the field contents and the string ends up stored in the form of <, which has no effect. The correct approach is to save the <% in an OLE Object field, which achieves the purpose.

How to do it:

First, use Notepad to create a new text file whose content is <%, and save it under any name.

Next, open your database file with Access, create a new table with any name, add an OLE Object field to the table, then add a record and insert the text file created earlier. If this was done correctly, you should see a new record named "Packet".

3. Add "#" in front of the database name

Just add # to the front of the database file name, and then modify the database address in the database connection file (such as conn.asp). The principle is that a download client only recognizes the part of the address before the # sign and automatically drops everything after it. For example, suppose you try to download http://www.pcdigest.com/date/#123.mdb (assuming it exists). Whether you use IE, FlashGet or a similar tool, what you get is http://www.test.com/date/index.htm (or index.asp, default.jsp, or whatever default document you have set up in IIS).

In addition, leaving some spaces in the database file name has a similar effect. Because of the particular way HTTP addresses are resolved, a space is encoded as "%": for example, http://www.test.com/date/123 456.mdb becomes http://www.test.com/date/123%456.mdb at download time. Our directory contains no file named 123%456.mdb, so the download fails. With modifications like these, even if the database address is exposed, others normally cannot download it!
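Measures 1 to 3 all act on the file name, so an administrator can check what is really stored under the web root by looking at file contents instead. The following is an added example, not code from the original article: the helper names, the constructed directory and the assumption that Access files carry a "Standard Jet DB" / "Standard ACE DB" marker at byte offset 4 are all supplied here.

```python
import os
import tempfile

# Assumption: Jet (.mdb) / ACE (.accdb) files carry one of these markers at offset 4.
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
SIG_OFFSET = 4

def is_access_db(path):
    """Identify an Access database by its header, ignoring name and extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(SIG_OFFSET + 15)[SIG_OFFSET:] in SIGNATURES
    except OSError:
        return False  # unreadable file: nothing to report

def name_tricks(filename):
    """Name-based measures from the article that this file name relies on."""
    checks = {
        "script extension": filename.lower().endswith((".asp", ".asa")),
        "# prefix": filename.startswith("#"),
        "space in name": " " in filename,
    }
    return [label for label, hit in checks.items() if hit]

def find_access_dbs(web_root):
    """Map each Access file under web_root (hypothetical path) to its tricks."""
    found = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_access_db(full):
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                found[rel] = name_tricks(name)
    return found

def demo():
    """Scan a constructed web root holding three disguised databases."""
    header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64  # constructed
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "date"))
        for name in ("#123.mdb", "123 456.mdb", "news.asp"):
            with open(os.path.join(root, "date", name), "wb") as fh:
                fh.write(header)
        with open(os.path.join(root, "index.asp"), "wb") as fh:
            fh.write(b'<% Response.Write "hi" %>')  # a real script, not a database
        return find_access_dbs(root)

if __name__ == "__main__":
    print(demo())
```

Every path it reports is a database file sitting inside the served directory tree, whatever it has been renamed to; storing the file outside the web root removes that exposure rather than disguising it.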

4. Encrypt the database

First choose Tools -> Security -> Encrypt/Decrypt Database, select the database (for example, employer.mdb), and click OK. The "Encrypt Database As" window then appears; save the file as employer1.mdb. employer.mdb is then encoded and stored as employer1.mdb. Note that this step does not set a password on the database; it only encodes the database file to prevent others from viewing its contents with other tools.

Next we password-protect the database. First open the encoded employer1.mdb, selecting "Exclusive" mode when opening it. Then choose Tools -> Security -> Set Database Password from the menu and enter your password. Now, even if someone obtains the employer1.mdb file, they cannot view its contents without the password.

After encryption, modify the database connection page, for example:

Conn.Open "Driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"

After this modification, the database cannot be opened even if it is downloaded (provided that the password in your database connection page is not leaked).

However, it is worth noting that because the Access database encryption mechanism is relatively simple, decryption is easy even when a password is set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores it in the region of the *.mdb file that starts at address "&H42". A competent programmer can therefore easily write a program of a few dozen lines to obtain the password of any Access database. So once the database has been downloaded, the security of its information remains in doubt.
