Using database management to improve website security

Source: Internet
Author: User
Tags: access, database, security, website, server

Databases are the foundation on which a website runs; for individual and enterprise users alike, the site's survival depends on its database. For exactly the same reason, attackers who plan their attacks carefully also "value" website databases.

For personal websites, Access databases have become the webmaster's first choice. The Access database itself, however, carries many security risks. Once an attacker discovers the storage path and file name of the database file, the ".mdb" file can simply be downloaded, and all the important information on the website is laid out at a glance, which is a disaster. Of course, we have adopted various measures to strengthen the security of Access database files, but are they really effective?

Vulnerability Protection Measures

One of the most widely used methods of protecting Access database files is to change the file's suffix from ".mdb" to ".asp" and then update the database connection file (such as conn.asp) accordingly, so that even someone who knows the database file's name and storage location supposedly cannot download it.

This is the most popular method on the Internet for strengthening Access database security, and it even comes with a convincing-sounding "theoretical basis".

Because ". mdb files are not processed by the IIS server, but are directly output to the Web browser. asp files are processed by the IIS server. The Web browser displays the processing result, not the content of the ASP file.

However, this ignores a very important point: what exactly does the IIS server process in an ASP file? Only the content between the "<%" and "%>" markers in an ASP file is processed by the server; everything else is sent to the Web browser unchanged. Does your database file contain these special markers? Hardly, and even if it did, Access may store those characters in a form that the script engine does not recognise as markers. Therefore a database file renamed to ".asp" is still insecure and can still be downloaded maliciously.

The author, too, once came to believe in the effectiveness of this method, swayed by the plausible-sounding theory and by everyone else's agreement. But facts speak louder than words: an accidental experiment thoroughly exposed this myth.

The author first renamed a database file "cpcw.mdb" to "cpcw.asp" and uploaded it to the Web server. Then, in FlashGet, open the "Add new download task" dialog, enter the URL of "cpcw.asp", and in the rename field enter "cpcw.mdb". After the download finished, "cpcw.mdb" opened without any problem, and the information stored in it was displayed at a glance. This fully demonstrates that simply changing the database file's suffix from ".mdb" to ".asp" leaves the security risk in place.
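The same experiment can be scripted instead of repeated by hand with a download manager. The following Python script is an added example, not part of the original article or of the author's forum program: it requests a URL and checks whether the first bytes of the response carry the Jet/ACE database file signature (the 00 01 00 00 "Standard Jet DB" header that every .mdb begins with), which is exactly what comes back when IIS hands a renamed database file to the browser unchanged. The URL, the User-Agent string and the sample byte strings are constructed for illustration.

```python
import urllib.error
import urllib.request

# Every Jet (.mdb) or ACE (.accdb) database file starts with these bytes:
# 00 01 00 00 followed by the engine name. Anything else in the response
# (HTML, an ASP error page) means the file was not served as raw data.
JET_SIGNATURES = (
    b"\x00\x01\x00\x00Standard Jet DB",
    b"\x00\x01\x00\x00Standard ACE DB",
)


def looks_like_access_db(data: bytes) -> bool:
    """True when the byte string begins with the Jet/ACE file header."""
    return any(data.startswith(sig) for sig in JET_SIGNATURES)


def fetch_head(url: str, size: int = 64) -> bytes:
    """Fetch only the first `size` bytes of the response body."""
    req = urllib.request.Request(url, headers={"User-Agent": "mdb-exposure-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read(size)


def database_is_downloadable(url: str) -> bool:
    """Request the (renamed) database file over HTTP and report whether raw
    Jet data comes back. An HTTP error from the ASP engine (for example when
    the file happens to contain an unmatched "<%") counts as not downloadable."""
    try:
        return looks_like_access_db(fetch_head(url))
    except urllib.error.HTTPError:
        return False


# Constructed samples (not captured from a real server):
# the opening bytes of a Jet 4 database, padded as a real header would be ...
SAMPLE_MDB_HEAD = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 44
# ... and what the browser sees when IIS really executes an ASP page.
SAMPLE_ASP_OUTPUT = b"<html><body>forum index</body></html>"

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        exposed = database_is_downloadable(sys.argv[1])
        print(sys.argv[1], "->", "EXPOSED: raw .mdb served" if exposed else "not served as a raw .mdb")
    else:
        print("sample .mdb header:", looks_like_access_db(SAMPLE_MDB_HEAD))   # True
        print("sample ASP output:", looks_like_access_db(SAMPLE_ASP_OUTPUT))  # False
```

Run it as `python check.py http://host/path/cpcw.asp`. Raw Jet bytes in the response mean the database is downloadable exactly as in the FlashGet experiment; an HTML page means IIS actually ran the file as a script; an HTTP error means the script engine choked on the file, which is the situation the remark about "<%" markers refers to.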

There is no absolute "security", only relative "security"

Nothing is absolute, so enhancing the security of Access database files can only ever be relative. After all, Access is only suitable for small-database solutions; it has many inherent shortcomings, particularly where security is concerned.

The methods below enhance the security of Access database files but cannot achieve absolute security, because the inherent problems cannot be solved. Although they cannot completely prevent others from downloading the Access database file, if you make good use of them your Access database files will be safer.

Method 1: complex database file names

To download an Access database file, an attacker must first know its storage path and file name. If you replace the original, simple database file name with a more complex one, those with "unfriendly" intentions will have to spend far more time guessing it, which indirectly enhances the security of the Access database.

For ease of use, many ASP programs name their database "data.mdb", which greatly helps an experienced attacker. If we make the file name more complex, it becomes hard for others to guess. For example, we can rename "data.mdb" to "1rtj0ma27xi.mdb" and then update the corresponding entry in the database connection file. In this way the Access database is relatively secure. This method is suitable for users who rent Web space.

Disadvantage: once someone can read the contents of the database connection file (such as conn.asp), a complex file name no longer helps.

Method 2: Use ODBC Data sources

Many Web programs store the path and file name of the Access database file in the database connection file. Once the contents of that connection file leak, the database is exposed no matter how complex its file name is.

In this case you can use an ODBC data source instead. Even if the contents of the connection file leak, others learn only the name of the ODBC data source used by the website program; the storage path and file name of the database file cannot be found from it.

Manually modify the database connection file (such as conn.asp) and create an ODBC data source. The author's forum program serves as the example. The original connection code:

        ' conn is the ADODB.Connection object that conn.asp creates
        Set conn = Server.CreateObject("ADODB.Connection")
        DBPath = Server.MapPath("./data/1rtj0ma27xi.mdb")
        conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath

Change the last line to conn.Open "rtjmaxi", where "rtjmaxi" is the ODBC data source name (DSN). The database file path then no longer appears anywhere in conn.asp.

Create a System DSN named "rtjmaxi" on the IIS server (Administrative Tools > Data Sources (ODBC), i.e. odbcad32.exe), choose the "Microsoft Access Driver (*.mdb)", point it at the "1rtj0ma27xi.mdb" database file, and click "OK" to complete the configuration. On 64-bit Windows note that this Jet driver is a 32-bit driver, so the DSN must be created with the 32-bit ODBC administrator (%windir%\SysWOW64\odbcad32.exe) and the application pool running the ASP code must be allowed to run 32-bit.

Disadvantage: this method is not suitable for users who rent Web space. To use an ODBC data source you must have permission to administer the IIS server.

Method 3: Change the storage location

Access database files are usually stored under the Web directory, and many hackers rely on this pattern to find and download them.

Therefore, you can move the database file into a folder outside the Web directory, making it difficult for hackers to guess where it is stored.

Then update the database file information in the database connection file (such as conn.asp), and the Access database file becomes much safer. Even if an attacker learns the database path from the connection file, the file sits outside the Web directory, so it cannot be downloaded over HTTP.

For example, the IIS website's Web directory is "D:\wwwroot" and the "DATA" folder under it contains "1rtj0ma27xi.mdb". Move the database file to the "D:\CPCW" folder outside the Web directory, then modify the database connection file, changing

        DBPath = Server.MapPath("./data/1rtj0ma27xi.mdb")

to

        DBPath = Server.MapPath("../cpcw/1rtj0ma27xi.mdb")

In this way the Access database file is much more secure: although it is no longer stored in the Web directory, the ASP program can still access it. One caveat: on IIS 6.0 and later, ASP parent paths (the ".." notation in Server.MapPath) are disabled by default, so the line above fails with an ASP "Disallowed Path Characters" error unless enableParentPaths is switched on. Rather than re-enabling parent paths for the whole site, hand the driver the absolute path instead, for example dbq=D:\CPCW\1rtj0ma27xi.mdb, which keeps the file outside the Web directory without loosening the ASP settings.
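The two checks behind Method 1 and Method 3 (is the file name guessable, and does the path that conn.asp maps to still fall under the Web directory?) can be automated. The following Python script is an added example and not code from the article or from the author's forum program. It models how Server.MapPath resolves its argument (a leading "/" is relative to the site root, anything else to the folder of the running .asp file), decides whether the resolved file lies inside the Web root, derives the URL from which it could then be downloaded, and generates a random file name of the kind Method 1 suggests. The Web root, script folder and site URL are assumed values chosen to match the article's example.

```python
import ntpath
import secrets
from typing import Optional


def map_path(web_root: str, script_dir: str, virtual_path: str) -> str:
    """Model of Server.MapPath (an approximation for this audit, not IIS code):
    a path starting with "/" is relative to the site root, anything else is
    relative to the directory of the .asp file that is executing."""
    base = web_root if virtual_path.startswith(("/", "\\")) else script_dir
    return ntpath.normpath(ntpath.join(base, virtual_path.lstrip("/\\")))


def inside_web_root(web_root: str, file_path: str) -> bool:
    """True if file_path lies under web_root. The comparison is case-insensitive
    (as NTFS is) and the trailing separator stops D:\\wwwroot2 matching D:\\wwwroot."""
    root = ntpath.normcase(ntpath.normpath(web_root)).rstrip("\\") + "\\"
    target = ntpath.normcase(ntpath.normpath(file_path))
    return target.startswith(root)


def download_url(web_root: str, file_path: str, site: str) -> Optional[str]:
    """URL from which the file could be fetched over HTTP, or None when it is
    outside the Web directory and therefore not reachable through IIS."""
    if not inside_web_root(web_root, file_path):
        return None
    root = ntpath.normpath(web_root).rstrip("\\")
    rel = ntpath.normpath(file_path)[len(root) + 1:]
    return site.rstrip("/") + "/" + rel.replace("\\", "/")


def random_db_name(suffix: str = ".mdb") -> str:
    """Method 1: an unguessable file name drawn from a CSPRNG (16 hex characters)."""
    return secrets.token_hex(8) + suffix


def audit(web_root: str, script_dir: str, mapped_arg: str, site: str) -> dict:
    """Resolve the MapPath argument used in conn.asp and report its exposure."""
    resolved = map_path(web_root, script_dir, mapped_arg)
    return {
        "resolved": resolved,
        "inside_web_root": inside_web_root(web_root, resolved),
        "url": download_url(web_root, resolved, site),
    }


# Assumed layout taken from the article: site root D:\wwwroot, conn.asp in the root,
# and a hypothetical site URL.
WEB_ROOT = r"D:\wwwroot"
SCRIPT_DIR = r"D:\wwwroot"
SITE = "http://www.example.com"

if __name__ == "__main__":
    for arg in ("./data/1rtj0ma27xi.mdb", "../cpcw/1rtj0ma27xi.mdb"):
        print(arg, "->", audit(WEB_ROOT, SCRIPT_DIR, arg, SITE))
    print("suggested name:", random_db_name())
```

For the article's two settings the audit reports the "./data/..." file as inside the Web root with a download URL of /data/1rtj0ma27xi.mdb, and the "../cpcw/..." file as outside with no URL; the same functions can be run over every MapPath argument found in a site's connection files.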

Disadvantage: this method is not suitable for users who rent Web space, because moving the Access database file out of the Web directory usually requires permissions they do not have.

The methods above enhance the security of Access database files to varying degrees, but none of them is a "panacea". The network environment is complex and hackers' destructive techniques keep evolving. Choose several of these methods and combine them according to your needs to achieve the desired effect, and your Access database files will be safer.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.