Simple security protection of Zblog database

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Most domestic ASP programs use mostly Access databases, such as Zblog. Access is a desktop-level database with the greatest advantage of simple maintenance and easy management. No specific private space is required, as long as the program files are uploaded directly to the virtual host.

The most common database type used as an ASP program, the ACC database has many unsatisfactory locations, such as his invocation efficiency and data security issues. The nature of the ACC database is the Microsoft development of Office Series Software, one of the data management system, since the desktop office level, then there is its limitations, the ACC database in size and concurrent user support is very limited, once the database file is too large, concurrent users will cause serious performance problems. (The specific advantages and disadvantages of the ACC database can be seen in this article)

The ACC database is not only a drawback of these, not enough security is the biggest drawback of ACC.

Hackers in this type of ASP program Web site, the first is to start from the database, because the error of IIS is easy to expose the address of the database, hackers can easily get to the database. How to prevent the database from being maliciously downloaded, is the webmaster first, must attach great importance to the problem.

Today, Xiaoyu is talking about several simple and effective ways to prevent the ACC database from being maliciously downloaded.

One, the simplest way to confuse complex encryption with file names

1, place the database in the file directory as deep as possible, and the database file name and. The MDB suffix is changed to a name similar to that of the directory file.

To avoid the problem of space permissions and FTP being downloaded after the landing of someone else.

Disadvantages, the database is generally large, easy to distinguish; The error alert for IIS exposes the real address of the database.

Even in the default directory, as much as possible to set the database file name long and complex, the best in English, symbol mixing settings, in case some hacker tools to enumerate.

Second, before or after the name of the database Plus "#" number

1, before the database file name plus the "#" number, because the browser or download tool can only recognize the "#" part of the address before the symbol, when the download such as http://www.huceo.com/DATA/#123456. mdb, you will get the http:// www.huceo.com/DATA/index.html first file, if you do not have the file, you will receive an error message.

2, the database name added #, when requested from the URL # is only a separator character, even if you know the database name, in the browser to download, the Web server will ignore the character behind the # number. For example: 123#456.mdb, when downloading with a tool, the Web server considers the request to be 123.mdb instead of 123#456.mdb, resulting in an error indicating that the file cannot be found.

Disadvantage, because there is a special representation of special characters in the URL, #的特殊表示就是% 23, if it is 123%23456.mdb, the file will be downloaded. In addition, some download tools such as thunder can directly download this file.

Third, put the database in a directory other than the web directory

For most virtual hosts today, space will have four default directories, for example: Wwwroot,databases,logfiles,others. In the HTTP environment, only wwwroot is an open directory, generally used to store can be external access to the program files, databases is generally the ACC database dedicated directory, LogFiles is the System log directory, others used to put their own not open to the private file directory.

As long as the database is moved to the databases directory, it is generally very safe, because in the HTTP environment, databases is a completely closed directory, only the FTP tool can find this directory. Hackers cannot find your database unless they have direct control of the host.

Moving the database from/web/123456.mdb to the databases directory requires changing the database connection address in the database connection file, depending on the program, for example, Zblog is the file: c_custom.asp, please change the database connection address to "

.. /databases/123456.mdb ". If you change the database file name or suffix name, you need to change to the appropriate address.

The above is only a few simple and easy to operate the protection method, slightly more complex point of the data name to Asp,asa, the database encryption, and through IIS set to the database name Add extension mapping method. (More ACC database security protection methods and countermeasures)

To sum up, the third way: The database is placed in the Web directory, database-specific directory is the simplest, convenient and effective.

This article from: Xiao Yu blog, Address: http://www.huceo.com/post/266.html, reproduced Please indicate the source, thank you!