Three measures to set up database security to ensure the safe operation of website

Database, the foundation of website operation, the elements of website survival, whether individual user or enterprise user are very dependent on http://www.aliyun.com/zixun/aggregation/8613.html "> website database support, However, many of the attackers who have ulterior motives also "value" the website database.

For personal sites, by the conditions of the establishment of the restrictions, Access database has become the majority of personal webmaster preferred. However, the Access database itself has a lot of security implications, and once an attacker finds the storage path and file name of the database file, the Access database file with the suffix ". mdb" is downloaded and many of the important information in the Web site is very scary. Of course, you have taken various measures to enhance the security of Access database files, but really effective?

Protective measures with vulnerabilities

The most widely circulated Access database file Protection is to change the suffix name of an Access database file from ". mdb" to ". asp", and then modify the database address contents in the database connection file (such as conn.asp). This makes it impossible to download even if someone knows the file name and storage location of the database file.

This is one of the most popular ways to enhance Access database security, and there is a strong "theoretical foundation".

Because the ". mdb" file is not processed by the IIS server, the content is exported directly to the Web browser, and the ". asp" file is processed by the IIS server, and the Web browser displays the processing results, not the contents of the ASP file.

But you're ignoring a very important question, which is what the IIS server does with the ASP document. Here I would remind you that only the contents of the "" identifier in the ASP file are processed by the IIS server, while the other content is exported directly to the user's Web browser. Do you have these special identifiers in your database file? Even if you do, access may have special handling for the "" marker in your document to invalidate it. Therefore, the database file with the suffix ". asp" is also unsafe and will be downloaded maliciously.

In the face of the persuasive theory, as well as the people's Echo, the author also began to believe that the effectiveness of this method. But the facts speak louder than words, an unintentional experiment, let the author completely debunk this rumor.

The author first named "Cpcw.mdb" Database file renamed "Cpcw.asp", and then uploaded to the website server. Run FlashGet, enter the Add New Download Task dialog box, enter the storage path for the "cpcw.asp" file in the URL field, and then enter "Cpcw.mdb" in the Rename column. After downloading, the author found that the "Cpcw.mdb" could be turned on smoothly, and the information it stored was at a glance. This is a good explanation for simply changing the suffix ". mdb" of the database file name to ". asp" or a security risk.

No most "safe", only more "secure"

Nothing is absolute, so enhancing the security of an Access database file is only relative. After all, access can only be used for small database solutions, which are inherently congenitally deficient, especially in terms of security.

We have adopted a variety of methods, but also only relatively enhanced access to the database file security, and can not achieve absolute security, after all, congenitally deficient problems can not be solved. The following is an introduction to some methods, although you can't completely prevent people from downloading Access database files, but as long as you use them, Access database files will be more secure.

Method One: The database file name should be complex

To download an Access database file, you must first know the storage path and file name of the database file. If you modify a very simple database file name more complex, so those "malicious" people will spend more time guessing the database file name, virtually enhance the Access database security.