The ultimate method to prevent ASP downloads

Source: Internet
Author: User

I. Opening

There are countless tricks on the Internet for preventing an ASP + Access database from being downloaded. This article discusses the techniques left by many predecessors, weighs their advantages and disadvantages, and finally provides an optimal solution.

II. Analysis

I have seen many methods for preventing Access database downloads, mainly the following:

1. Database encryption -------- needless to say, if others know the database path, they can still download it, and opening the database afterwards is actually very simple: there is plenty of software on the Internet for cracking Access database passwords. I have also looked into this myself: in Access 97 the password starts at the 73rd character of the file (if I remember the number correctly) and occupies more than 10 consecutive characters; it is the result of combining the password with a known string of characters. Access 2000 is a little smarter: some of the encrypted password characters are no longer consecutive, but the encryption keys are the same and, because the encryption is symmetric, it is still easy to crack (haha, it seems I am getting off topic).

2. Renaming the database file -------- this is often used. It relies on the HTML anchor: a "#" is added to the database file name. If someone tries to download the file directly by its path, the database is protected, because the browser only parses the part of the URL in front of the "#" and treats whatever follows as an anchor. When I first saw this method, I really admired whoever first came up with it. Unfortunately, it wasn't long before I saw another article on the Internet that defeated it. The principle is very simple: the character "#", once URL-encoded, becomes "%35", just like the %20 we often see in the address bar, which is actually a space. Because of URL encoding, %20 is parsed as a space (20 because the ASC code value of the space is 20).

3. Renaming the database extension -------- this is very common. The extension is generally changed to .asp, because files with the .asp extension are handed to ASP.DLL for interpretation and execution. ASP.DLL only interprets the code between <% and %> (and between <SCRIPT runat=Server> and </SCRIPT>) and passes everything else untouched to the browser. Therefore, once the extension is changed to .asp, the data is not downloaded but is displayed directly by the browser. Even so, the displayed content can be copied and restored to the original MDB file.

III. Solution

You are probably familiar with the Dynamic Network forum. Its database contains a table named notdown. This table has only one field, of the OLE type, which is used to store binary data. What is this table for? Haha...

Change the extension of the forum database to .asp and enter the database address in the browser. What do you see? A pile of ASP script error messages, and of course the database cannot be downloaded. Why? What is actually stored in the notdown table?
Take a good look at the 3rd method in Section II. From it we can conclude that the notdown table contains something that looks like script, which makes ASP.DLL execute the file as a real ASP file. That script is precisely a syntax error deliberately planted in the Dynamic Network database: ASP.DLL fails to interpret it, so ASP error information is displayed and the real data is protected.

IV. Practice

So what exactly is stored in the notdown table? Haha, getting a little impatient?
We know that the notdown table holds a binary field, so the usual way of reading and writing database values does not apply here. The ADO methods for reading and writing binary fields are AppendChunk and GetChunk. With these two methods, we can see exactly what is in the table.

<%
' ...about 200 words of connection code are omitted here; it yields the connection object conn
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select notdown from notdown"
rs.Open sql, conn, 0, 1
data = rs(0).GetChunk(rs(0).ActualSize) ' read all binary data
rs.Close
Set rs = Nothing
' ...close the database connection here
Response.BinaryWrite data ' data is binary, so it must be output with Response's binary write method
%>

I'll keep you in suspense. Do you want to know what the result is? Go back and debug it yourself.

V. Improvement

Although the method above protects the database, it shows an error message, which always feels a little uncomfortable, so let's change it to something else.
If someone tries to download the database by entering its address, the browser automatically jumps to the Sohu website. The code is as follows:

<%
' ...about 200 words of connection code are omitted here; it yields the connection object conn
Set rs = Server.CreateObject("ADODB.Recordset")
sql = "select notdown from notdown"
' Chr(37) is the percent sign: the closing delimiter is built at run time so that it does not end this script block
str = "<%Response.Redirect(""http://www.sohu.com"")" & Chr(37) & ">"
' Because the field holds binary data, writing the str string into the database directly would cause problems.
' In VBScript each character occupies two bytes, so we need to remove the high NULL bytes.
data = ""
For i = 1 To LenB(str)
  If AscB(MidB(str, i, 1)) <> 0 Then
    data = data & ChrB(AscB(MidB(str, i, 1)))
  End If
Next

rs.Open sql, conn, 0, 3
If rs.EOF Then rs.AddNew ' the table may not contain a row yet
rs(0).AppendChunk data ' write binary data
rs.Update
rs.Close
Set rs = Nothing
%>
  
OK. Check the running effect. You can even add a JS script to bring up a dialog box to scare the developers who download the database.
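The following audit script is an added example, not code from the original article: it scans a web root for Access files by header instead of by name and reports which of the protections discussed in Sections II to V each file actually has. The header strings at offset 4, the function names and the constructed sample files are assumptions of this example.

```python
import os
import tempfile

# Access files carry a format name at byte offset 4 (assumed header layout).
JET_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")
DOWNLOADABLE = "not an .asp file: served as a plain download"
RAW_ASP = ".asp without a script marker: bytes returned unchanged"
GUARDED = ".asp with a script marker: ASP.DLL runs or errors instead"


def classify(path):
    """Return None for non-Access files, otherwise one of the verdicts."""
    with open(path, "rb") as fh:
        blob = fh.read()
    if not blob.startswith(JET_MAGICS, 4):
        return None
    if os.path.splitext(path)[1].lower() != ".asp":
        # A '#' in the name or a database password does not change this.
        return DOWNLOADABLE
    return GUARDED if b"<%" in blob else RAW_ASP


def scan(webroot):
    """Map each Access file under webroot (relative path) to its verdict."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict:
                findings[os.path.relpath(full, webroot)] = verdict
    return findings


def build_sample_webroot(root):
    """Constructed sample files: fake headers only, not real databases."""
    header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    guard = b'<%response.redirect("http://www.sohu.com")%>'
    samples = {"#forum.mdb": header, "forum.asp": header,
               "guarded.asp": header + guard, "index.asp": b"<% x = 1 %>"}
    os.makedirs(os.path.join(root, "data"))
    for name, content in samples.items():
        with open(os.path.join(root, "data", name), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for rel, verdict in sorted(scan(root).items()):
            print(f"{rel}: {verdict}")
```

Files reported with the first two verdicts are the ones to move outside the web root or to protect with the notdown technique.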
