Personal website security starts with database management

Author: Anonymous    Updated: 2008-2-26 22:42:08
The database is the foundation of a website and one of the elements it needs to survive. Individual and corporate users alike depend heavily on the database behind their site, but many attackers with ulterior motives also place great "value" on website databases.

For personal websites, constrained by the conditions under which they are set up, the Access database is the choice of a vast number of individual webmasters. However, the Access database itself has many hidden dangers. Once attackers find the storage path and file name of a database file with the ".mdb" suffix, the Access database file can be downloaded from the website and much important information is exposed all at once, which is very serious. Certainly, we have used a variety of measures to strengthen the security of Access database files, but are they really effective?

The protection measures have loopholes

One of the most widely circulated protection measures for Access database files is to change the file suffix from ".mdb" to ".asp" and then modify the database address in the database connection file (such as conn.asp). Supposedly, even if someone knows the database file's name and storage location, they cannot download it.

This is the most popular method circulated online for strengthening Access database security, and it also has a strong "theoretical basis."

The reasoning is that an ".mdb" file is not processed by the IIS server, so its content is output directly to the Web browser, whereas an ".asp" file is processed by the IIS server, and the Web browser is shown the result of that processing, not the content of the ASP file.

But this overlooks a very important question: what exactly does the IIS server process in an ASP file? Only the content inside the "<% %>" markers of an ASP file is processed by the IIS server; everything else is output directly to the user's Web browser. Does your database file contain these special markers? Even if it does, Access may treat the "<% %>" markers in the file specially so that they have no effect. So a database file with the ".asp" suffix is still unsafe and can still be maliciously downloaded.

Faced with a theory this confusing, and with everyone agreeing, I also began to believe in the effectiveness of the method. But facts speak louder than words: an unplanned test let the author thoroughly expose this rumor.

I first renamed a database file called "cpcw.mdb" to "cpcw.asp" and uploaded it to the Web server. I then ran FlashGet, opened the "add a new download task" dialog, typed the storage path of "cpcw.asp" in the "Web site" field, and typed "cpcw.mdb" in the "rename" field. After the download, the author found that "cpcw.mdb" could be opened without any trouble, and the information stored in it was completely exposed. This fully shows that simply changing the database file suffix from ".mdb" to ".asp" still leaves a potential security problem.

No absolute "security", only relative "security"


Nothing is absolute, so strengthening the security of Access database files is only relative. After all, Access can only serve as a database solution with many inherent deficiencies, especially in the area of security.

The various methods we adopt only make Access database files relatively more secure. They do not achieve absolute security, because inherent deficiencies cannot be overcome. Below, the author introduces some methods. Although they cannot completely prevent people from downloading Access database files, using them will make Access database files more secure.

Method 1: Use a complex database file name

To download an Access database file, an attacker must first know its storage path and file name. If a very simple database file name is changed to a more complex one, people with ill intentions have to spend more time guessing the file name, which in effect strengthens the security of the Access database.

To be user-friendly, many ASP programs name their database file "data.mdb", which greatly helps an experienced attacker. We can change the database file name to something complex that is hard for others to guess, for example changing "data.mdb" to "1rtj0ma27xi.mdb", and then modify the corresponding information in the database connection file. This makes the Access database relatively safer. This method is suitable for users who rent Web space.

Shortcoming: once the contents of the database connection file (such as conn.asp) are exposed, even a complex file name is of no avail.

Method 2: Use an ODBC data source

In many Web site programs, the storage path and file name of the Access database file are stored in the database connection file. Once the contents of that file are compromised, the database file name is revealed no matter how complex it is.

In that case you can use an ODBC data source. Even if the contents of the connection file are compromised, others learn only the name of the ODBC data source the Web site uses; the storage path and file name of the database file cannot be found there.

Manually modify the database connection file (such as conn.asp) and create the ODBC data source. Below, the author uses a forum program as an example. First, in conn.asp, the lines

DBPath = Server.MapPath("./data/1rtj0ma27xi.mdb")

Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath

are amended to: conn.open "rtjmaxi", where "rtjmaxi" is the ODBC data source name.

Then create a new ODBC data source named "rtjmaxi" on the IIS server, specify the location of the database file "1rtj0ma27xi.mdb" in it, and click the "OK" button to complete the configuration.

Shortcoming: this method is not suitable for users who rent Web space, because using an ODBC data source requires permission to manage and maintain the IIS server.

Method 3: Change the storage location


Under normal circumstances, Access database files are stored in the corresponding Web directory, and many hackers rely on this pattern to find and download database files.

We can therefore change the location of the database file and store it in a folder outside the Web directory, so that hackers have difficulty guessing where it is stored.

Then amend the database file information in the database connection file (such as conn.asp) accordingly, and the Access database file is more secure. Even if an attacker finds the storage path of the database file through the database connection file, the attacker cannot download the database file over HTTP, because it is stored outside the Web directory.

For example, the IIS Web site directory is "D:\wwwroot", and "1rtj0ma27xi.mdb" is stored in the "DATA" folder under the Web directory. The author now moves the database file to the folder "D:\CPCW", outside the Web directory. Then the database connection file is amended: "DBPath = Server.MapPath("./data/1rtj0ma27xi.mdb")" is changed to "DBPath = Server.MapPath("../cpcw/1rtj0ma27xi.mdb")". This makes the Access database file more secure. Although the database file is no longer stored in the Web directory, this does not affect the ASP program's access to the database.

Shortcoming: this method is not suitable for users who rent Web space, because moving Access database files outside the Web directory generally requires high privileges.
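
An added example (not code from the original article): a Python audit that walks a Web directory and flags every file whose content begins with the Access file header, so a database renamed to ".asp" is found just as easily as one that kept ".mdb". The sample directory tree and its file contents are constructed for illustration; the function names are this example's own.

```python
import os
import tempfile

# Magic bytes at offset 0 of an Access file: 4-byte prefix plus engine name.
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"   # .mdb (Jet engine)
ACE_MAGIC = b"\x00\x01\x00\x00Standard ACE DB"   # .accdb (ACE engine)


def is_access_database(path):
    """Return True if the file content starts with an Access header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(JET_MAGIC))
    except OSError:
        return False  # unreadable file: nothing to classify
    return head in (JET_MAGIC, ACE_MAGIC)


def find_exposed_databases(web_root):
    """List Access databases under web_root (relative paths), whatever their suffix."""
    hits = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            if is_access_database(full):
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site(root):
    """Constructed sample tree: one real ASP page and two Access files."""
    os.makedirs(os.path.join(root, "data"))
    samples = {
        "conn.asp": b'<% DBPath = Server.MapPath("./data/cpcw.asp") %>',
        "data/cpcw.asp": JET_MAGIC + b"\x00" * 64,         # renamed database
        "data/1rtj0ma27xi.mdb": JET_MAGIC + b"\x00" * 64,  # complex name only
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel in find_exposed_databases(site):
            print("Access database inside Web directory:", rel)
```

Pointing find_exposed_databases at the real Web directory (such as "D:\wwwroot") should return an empty list once Method 3 has been applied.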

The methods above all increase the security of Access database files to varying degrees, but we cannot treat them as a panacea. The network environment is complex, and hackers' means of destruction keep growing stronger. We can combine several of these methods according to our own needs; the result will be satisfactory, and Access database files will be more secure.