Ways to prevent MDB databases from being downloaded

Source: Internet
Author: User
Preface: The old claim that renaming an MDB file to ASP prevents it from being downloaded is nonsense. As a test, use FlashGet to download the data.asp file and save it as Data.mdb; the file opens intact in Access.

1. Use your imagination to rename the database file
However, if an attacker obtains the database path through some third-party means, the database can still be downloaded. So this method offers the lowest level of confidentiality.

2. Change the database file extension to ASA, ASP, etc.
This method must be combined with some additional settings, otherwise the situation described at the beginning of this article will occur.
(1) Binary fields are added.
(2) Add <% or %> to the file. IIS will then parse it as ASP syntax and report a 500 error, so naturally it cannot be downloaded. However, simply adding <% to a Text or Memo field in the database does not work, because Access processes the content and stores it in the database in the form of <. The correct approach is to save the <% in an OLE Object field, which achieves our purpose.
How to do it:
First, use Notepad to create a new text file whose content is <%, and save it under any name.
Next, open your database file with Access, create a new table with any name, add an OLE Object field to the table, add a record, and insert the text file you created earlier. If everything is correct, you should see a new record named "Packet".

3. Add "#" to the front of the database name
Just add # to the front of the database file name, and then update the database address in the database connection file (such as conn.asp). The principle is that when downloading, only the part of the address before the # is recognized, and everything after it is automatically dropped. For example, suppose you try to download http://www.pcdigest.com/date/#123.mdb (if it exists). Whether you use IE, FlashGet or something else, what you get is http://www.test.com/date/index.htm (or index.asp, default.jsp, etc., whichever you have set as the default document in IIS).
In addition, keeping some spaces in the database file name plays a similar role. Because of the way the HTTP protocol resolves addresses, the space is encoded as "%", so for http://www.test.com/date/123 456.mdb the download request becomes http://www.test.com/date/123%456.mdb. Our directory contains no file named 123%456.mdb at all, so the download fails. After such modifications, even if the database address is exposed, others normally cannot download it.

4. Encrypt the database
First, choose Tools -> Security -> Encrypt/Decrypt Database, select the database (for example Employer.mdb), and click OK. The "Encrypt Database As" window then appears; save as Employer1.mdb. Employer.mdb is then encoded and stored as Employer1.mdb. Note that this action does not set a password on the database; it only encodes the database file to prevent others from using other tools to view its contents.
Next we set a password on the database. First open the encoded Employer1.mdb, selecting "Exclusive" mode when opening it. Then choose Tools -> Security -> Set Database Password in the menu and enter your password. Now even if someone obtains the Employer1.mdb file, they cannot view it without the password.
After encryption, modify the database connection page, for example:
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"
After this modification, the database cannot be opened even if it is downloaded (provided that the password in your database connection page is not compromised).
However, it is worth noting that because the Access database encryption mechanism is relatively simple, decryption is easy even when a password is set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores it in the *.mdb file starting at address "&h42". So a good programmer can easily write a program of a few dozen lines that obtains the password of any Access database. Therefore, once the database has been downloaded, the security of its information remains uncertain.

5. Place the database outside the Web directory, or place the database connection file under another virtual directory
If your web directory is e:/webroot, you can put the database into the e:/data folder and, in the database connection page under e:/webroot, change the database connection address to "../data/database name". The database can then be called normally but cannot be downloaded, because it is not in the Web directory. This method is generally not suitable for users who buy virtual hosting space.
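A way to check that method 5 is actually in effect, as an added example that is not part of the original article: the script walks a web root and reports every file whose header carries the Access (Jet/ACE) signature, whatever its name or extension, so copies renamed as in methods 1 to 3 are also caught. The function names and the sample directory layout are assumptions made for illustration.

```python
import os
import tempfile

# Jet (.mdb) and ACE (.accdb) files start with 00 01 00 00 plus an ASCII engine name.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB"

def is_access_database(path):
    """True if the file header carries the Jet or ACE signature."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(JET_MAGIC))
    except OSError:
        return False  # unreadable files are skipped, not reported
    return head in (JET_MAGIC, ACE_MAGIC)

def find_exposed_databases(web_root):
    """Return sorted paths (relative to web_root) of Access databases under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_access_database(full):
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)

def build_demo_tree(base):
    """Constructed sample layout: a web root plus a data directory outside it."""
    web_root = os.path.join(base, "webroot")
    data_dir = os.path.join(base, "data")
    os.makedirs(os.path.join(web_root, "date"))
    os.makedirs(data_dir)
    fake_db = JET_MAGIC + b"\x00" * 64  # header only, not a real database
    samples = {
        os.path.join(web_root, "date", "#123.mdb"): fake_db,  # method 3 naming
        os.path.join(web_root, "data.asp"): fake_db,          # method 2 renaming
        os.path.join(web_root, "index.asp"): b'<% Response.Write "hi" %>',
        os.path.join(data_dir, "Employer1.mdb"): fake_db,     # method 5 placement
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return web_root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in find_exposed_databases(build_demo_tree(tmp)):
            print("database inside web root:", rel)
```

On a real server, pass the site's physical web root to find_exposed_databases; an empty result means no Access database is stored under it.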

6. Use an ODBC data source
In ASP and similar programs, use an ODBC data source whenever conditions allow, and do not write the database name in the program. Otherwise, the database name is leaked whenever the ASP source code is leaked, for example:
DBPath = Server.MapPath("./123/abc/asfadf.mdb")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
As you can see, no matter how strange the database name or how deeply the directory is hidden, once the ASP source code is compromised the database is easy to download. With an ODBC data source there is no such problem:
Conn.Open "ODBC-DSN name"
However, this is more troublesome: if the directory is moved, the data source has to be set up again. For more convenient ways, see methods 7 and 8.

7. Add an extension mapping for the database name, such as .mdb
This method is implemented by modifying the IIS settings. It suits those who have control over IIS and is not suitable for users who buy virtual hosting (unless the administrator has already set it up). I think this method is the best at present. You only need to modify one place, and every database on the site is protected from being downloaded. There is no need to modify the code, and downloads are prevented even if the target address is exposed.
We add an application mapping for .mdb files in IIS under Properties -> Home Directory -> Configuration -> Mappings -> Application Extensions. Note that the choice of DLL (or EXE, etc.) does not seem to be arbitrary: if it is chosen improperly, the MDB file can still be downloaded. It is best not to choose asp.dll. You can test it yourself.
After this modification, downloading a database such as http://www.test.com/data/dvbbs6.mdb results in a 404 or 500 error.

8. Use the advantages of .NET
A user known online as "Wooden Bird" has written a "WBAL anti-hotlinking tool" to prevent illegal downloading of files. For details, visit http://www.9seek.com/WBAL/.
However, that tool only prevents non-local downloads and does not truly prevent the database from being downloaded. Still, the approach is similar to method 5, and by modifying the .NET files it can be made to block local downloads as well.

Of these methods, only the 7th and 8th are site-wide changes: once the configuration is modified, every database on the site is protected from being downloaded. The others require changing the database name and the connection file, which is more trouble, but users on virtual hosts have no other choice.

In fact, the 6th method should be regarded as an extension of the 5th method, and it can achieve special functions. But for hosts that do not support .NET, or if you are worried about the trouble of setting it up, it is better to use the 5th method directly. Also, by default, with the 6th method the database can still be downloaded by posting its link in a forum or message board on the same host and then clicking it (because such a referring page comes from the same host).

9. Use NTFS partition file permission settings (by Percyboy)
We already know that in ASP.NET, ADO.NET accesses Access databases through an OLE DB connection, and Access is one of our most commonly used low-end databases. This article discusses some of the error messages you may see in ASP.NET with database files created by Access 2000 and Access XP, including less common ones that appear when an error occurs. I hope it helps. Another important point: I hope this article gives you a new understanding of NTFS permission settings for Access database files in ASP.NET.
