Chapter Two: The disaster of the bak file
/**
Author: Ci Qin Qiang
email:cqq1978@gmail.com
Last modified: 2004-10-03
**/
One day I was chatting online with a friend who does web development. We used to discuss technical problems together,
but I hadn't seen this friend online for a long time, as if the friend had evaporated from the world.
"Steven, what are you doing lately?" the friend asked first.
"Nothing, just going downhill at home, hehe," I replied.
"Oh, that's right, we've just completed an information system for a government department, and it's now in the trial run phase.
Take a look and give us some advice, ^-^," replied the friend.
"You rascal, I've been laid off and you don't even comfort me, hehe"
"You're afraid you can't find a job, ^-^"
"Oh, that's good, but don't forget to treat me ..."
......
After a bit of ridicule, the friend sent over the website.
So I opened the site and took a look: a very refreshing website, simple yet practical, plain yet
pleasing to the eye, pretty good. Looking again, it was a dynamic web site written in ASP, and I assumed the database would be SQL Server.
"Not bad, isn't this pretty good?" I replied to my friend.
"It's OK, it will go through acceptance in two days, ^-^"
"Oh, how many people on your project are writing the programs?"
"3 people, it took three months." I heard that they had still poured a lot of energy into it.
"Oh, then what development tools do you use, and how do you do version control?" I was more concerned with the process of the project.
"Hey, don't laugh at us, but we don't have any version control. Everyone is responsible for several columns, and then
we just put them together. We use EditPlus to develop the ASP."
Such a large system without even basic version control; it is incredible. I don't know how they
won the project from this government department.
As I thought this over, I suddenly remembered EditPlus. It is a very small, practical text editor that I have been
using all along. By default, however, EditPlus creates a backup of the current file in the current directory.
For example, when you write a member.asp program, EditPlus automatically generates a backup file,
member.asp.bak, when you save it. So if you don't delete every backup file before you publish the program,
the hidden danger is enormous.
They wouldn't have the problem, I thought.
As I was thinking, I appended .bak to the name of a file I was viewing, news.asp, so that the address I visited
became http://URL/news.asp.bak, and pressed Enter. Sure enough, the source code of the file
was displayed. Part of the code was as follows:
<%@ LANGUAGE="VBSCRIPT" CODEPAGE="936" %>
<!--#include file="include/conn.asp"-->
<!--#include file="include/function.asp"-->
<%
' here is their ASP source code
%>
One look shows that conn.asp is the file that connects to the database. To see which database they use, I visited
http://Web site/include/conn.asp.bak, and the result was as follows:
Call ConnectSQL()
Sub ConnectSQL()
    ' Connection settings are hard-coded in the source file
    Dim strSQLServer, strUserName, strPassword, strDatabase
    Dim strConn
    strSQLServer = "210.51.*.*"
    strUserName = "sa"
    strPassword = "! K) ^ $XN) *723l&% $fg 6%^k "
    strDatabase = "Zhenjin"
    ' Build the ODBC connection string from the values above
    strConn = "Driver={SQL Server};Server=" + strSQLServer + ";UID=" + strUserName
    strConn = strConn + ";PWD=" + strPassword + ";Database=" + strDatabase
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open strConn
End Sub
From this file you can see that they really do use a SQL Server database, and that the connection user is sa,
SQL Server's highest-privileged user, which is equivalent to administrator privileges on the system.
Seeing this, I couldn't bear to look any further, and hurried to explain the problem to my friend.
"When you wrote the programs, why didn't you delete the bak files that EditPlus generated?" I asked.
"Oh? Surely there's no such low-level problem? The ones I did were deleted," answered the astonished friend.
"What about what the others wrote? Your system is finished, and you didn't even test it yourselves?"
"Oh, then maybe the others didn't pay attention. We only did a simple functional test, the time was too tight"
..........
Yes, the time is too tight; my feeling is that nowadays there is no project where time isn't tight. Many network companies now
hand a project over to the customer without even proper QA testing. The customers find the problems and report them, and then the company makes the changes.
Actually, in the long run, this is not worth the candle.
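
A pre-publish check for the problem in this chapter, as an added example that is not part of the original text: it walks a local web root and reports backup copies of server-side scripts, marking those that appear to contain connection-string credentials. The suffixes and extensions beyond .bak and .asp, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# ".bak" is the EditPlus default described above; the others are assumed common editor leftovers.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~")
# Server-side script types whose source must never be served as plain text.
SCRIPT_EXTS = (".asp", ".aspx", ".inc", ".php")
# Connection-string fields that suggest embedded credentials (as in conn.asp.bak).
SECRET_RE = re.compile(r"(uid|pwd|password)\s*=", re.IGNORECASE)


def find_backup_leaks(web_root):
    """Return sorted (relative_path, has_credentials) for backup copies of scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            lower = name.lower()
            suffix = next((s for s in BACKUP_SUFFIXES if lower.endswith(s)), None)
            if suffix is None or not lower[: -len(suffix)].endswith(SCRIPT_EXTS):
                continue  # not a backup, or a backup of a non-script file
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                has_secret = bool(SECRET_RE.search(fh.read()))
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            findings.append((rel, has_secret))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree using the file names from the story."""
    os.makedirs(os.path.join(root, "include"))
    samples = {
        "news.asp": '<!--#include file="include/conn.asp"-->',
        "news.asp.bak": '<!--#include file="include/conn.asp"-->',
        "include/conn.asp": 'strConn = "UID=app;PWD=PLACEHOLDER"',
        "include/conn.asp.bak": 'strConn = "UID=app;PWD=PLACEHOLDER"',
        "readme.txt.bak": "backup of a non-script file",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, secret in find_backup_leaks(site):
            print("CREDENTIALS" if secret else "source only", rel)
```

Run against the directory that is about to be published and treat any finding as a failed release; a file flagged for credentials also means the password it contains should be changed.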