The ultimate way to prevent ASP downloads

Download

Since the asp+access did not less to avoid the database download and hurt God, online, the odd sex skills are countless, this article is with you to discuss the left of the predecessors of the tips and refers to the pros and cons, and finally provide you with an optimal solution

　　First, opening

Since the asp+access did not less to avoid the database download and hurt God, online, the odd sex skills are countless, this article is with you to discuss the left of the predecessors of the tips and refers to the pros and cons, and finally provide you with an optimal solution

　　Second, analysis

In order to prevent acess database download, small see a lot of methods, mainly have the following kinds:

1. Database encryption

This nature needless to say, if others know the database path, still can download, open the database is also very simple, the Internet to crack Access database password software too much, before I have studied, The 97 version of Access's password starts with more than 10 consecutive characters starting at the beginning of the file (if the number is not mistaken), which is the result of a password and a string of known words Fu, Version 2000 access gets smarter. Some of its encrypted password is not continuous interval, but the encryption key is still the same, because it is symmetric encryption so it is easy to crack access (hehe, seems to digress)

2. Rename the database filename

This use of more, mainly use the HTML anchor point, the database file name added "#", if the path to the database directly to try to download, because the browser only resolved to the # before a large string of URLs, #后被认为是锚点标记, data path is protected. When I first saw this method, I really had to admire the N people who first found this method. Unfortunately, not long ago, on the Internet to see another article on this method of cracking, the principle is very simple, the character "#" after the URL parsing character should be "%35", which is what we often see in the address bar%20 kind of things, is actually a space, because of the URL encoding so resolved into a% 20 (20 is because the ASC code value for the space is 20)

3, the database extension name renamed

This is too common, the extension is generally changed. ASP, because the extension is. ASP files are to be given to ASP. DLL file interpretation execution, ASP. The DLL will only explain the code between <%%> (and <script Runat=server></script> the rest is left intact to the browser, so if you change the extension directly to ASP, The data will not be downloaded, but will be opened directly by the browser. So that someone else can copy the content back into the original MDB file.

　　Three Solutions

We should be more understanding of the dynamic Network forum, his database has a Notdown table, this table has only one field, and the type of the field is OLE type, used to store binary data, what is the role of this table? hehe ...

Change the database extension of the moving network to ASP, and then enter the database address of the corresponding path in the browser, what do you see? A bunch of wrong ASP script error information, of course, the database has no way down, why is this, that Notdown table exactly what is stored??

Let's take a good look at the 3rd method in section Two, and think carefully about the conclusion, precisely because the Notdown table has a script like this that causes ASP.DLL to execute it as a real ASP file, but this is precisely the syntax error that the dynamic network database deliberately arranges. Causes the error in the ASP.DLL explanation, thus the ASP error message displays, thus protects the real data.

　　Four Practice

What does the notdown of the table say?? Oh, is not a little anxious.

We know that the Notdown table by the binary field, all we read and write the database, but also to change the general, ADO special have read and write binary fields of the method they are AppendChunk and GetChunk with these two methods we can see what's in that watch.

<%
------Here omitted the connection data 200 words, obtains the data connection object conn
Set Rs=server.createobject ("Adodb.recordset"
Sql= "Select Notdown from Notdown"
Rs.Open sql,0,1
Data=rs (0). GetChunk (RS (0). ActualSize) read out all binary data
Rs.close
Set rs=nothing
----Close a database connection
Response. BinaryWrite (data) because data is binary, you want to call the response print binary method to output it
%>

Too addicted to it, want to know what the result is, hurry back to debug see AH

　　Five Improvements

Although the above method is to keep the database, but there is a wrong hint, always feel a little uncomfortable, we come to a pity dorado other if you try to enter the address of the database to download the database, will automatically jump to the Sohu site, the code is as follows

<%
------Here omitted the connection data 200 words, obtains the data connection object conn
Set Rs=server.createobject ("Adodb.recordset")
Sql= "Select Notdown from Notdown"
Str= "<%response.redirect" ("Http://www.sohu.com" "" "&CHR (Panax) &" > "

Since the field is binary, we have a problem with the STR string literal in the database. Each character in the VBS occupies two bytes, so we're going to remove the high level of empty bytes

For I=1 to LenB (str)
If MidB (str,1,i) <>0 Then
DATA=DATA+ASCB (MidB (str,1,i))
End If
Next

Rs.Open sql,0,3
Data=rs (0). AppendChunk (data) writes binary
Rs.update
Rs.close
Set rs=nothing

%>

OK, look at the running effect, can even add a section of JS script, pop-up a dialog box, scare those who download the database of kittens, still dare not try to try.