Today I read another article on Access database security. Every time I see one of these articles I want to say a few words. There are several popular approaches:

First, the password style: give the database a random, complex name so that it cannot be guessed. This approach used to be very popular, because everyone was very confident in their code. However, error messages that disclose the database address let the database be illegally downloaded, and this is happening more and more.

Second, the "#" style: put # in the database name. In a URL, # is a separator between the request address and the request parameters, so if someone knows the database name and requests it directly, for example http://www.xx.com/access#.mdb, the web server treats the request as being for access rather than access#.mdb and reports that the file cannot be found. Unfortunately, URLs have an encoded form for such special characters. The encoded form of # is %23, so a request for http://www.xx.com/access%23.mdb will download access#.mdb. Download tools such as FlashGet can download it as well.

Third, the ASP style. This is the more professional approach, it is also very safe, and it is now common practice. But many people do only half of it: they just change the database file name to .asp, in which case a download tool can still download the file directly. Done correctly, this method has two steps:

Step 1: Create a field in the database. The name is up to you, the type is OLE object, and the content is set to "<%", that is, the result of the ASP expression ChrB(Asc("<")) & ChrB(Asc("%")).

Step 2: Rename the database to .asp.

After this, requesting the database directly by URL produces the error "Missing close of script delimiter", and the download is refused. Because this is rather troublesome to do by hand, I found a small piece of code online that inserts the OLE object. Just set the database name, place the script alongside the database, and run it.
The full code follows:

    <%
    db = "d.mdb" ' change this to your database address
    Set conn = Server.CreateObject("ADODB.Connection")
    connStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(db)
    conn.Open connStr
    ' create a table with a single OLE object field to hold the marker
    conn.Execute("create table notdownload (notdown oleobject)")
    Set rs = Server.CreateObject("ADODB.Recordset")
    sql = "select * from notdownload"
    rs.Open sql, conn, 1, 3
    rs.AddNew
    ' write the two raw bytes "<%" into the OLE object field
    rs("notdown").AppendChunk(ChrB(Asc("<")) & ChrB(Asc("%")))
    rs.Update
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    %>

After it runs, this code creates a table named notdownload in the database, with a field named notdown. If the database already has a table with the same name, change notdownload in the code to the table name you want.
Fourth, the ASA style. The real idea here is to use the protection IIS gives to ASA files, so that the database file cannot be downloaded directly by URL. But it is a mistake to think that changing the file suffix to .asa is enough. IIS only protects requests for the file name global.asa, so this method works only if the database is named global.asa. Also note that after naming it global.asa, it is best not to put it in the root directory of the host or of a virtual directory, otherwise IIS will try to treat it as the normal global.asa file.

I feel that the third and fourth methods are the more secure ones: unless IIS has a vulnerability that exposes ASP or ASA source code, it is not possible to download the database.
Supplement on January 1, 2006: I have seen a hacker's article with a passage about the Access anti-download <% marker, saying that adding %> lets the database be downloaded directly. So I suggest you write <% response.end %><% instead. This way, even if %> is added, the database cannot be completely downloaded, which is more secure. I have built this setting into a small tool I wrote, "Access Database Defense Download Set Tool". If you are interested, you can search for a place that provides a download. I just wrote this thing today, and I won't spread it around.. However, I believe that good things will get used. I wish you all good luck this year :)
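
The states described in the post and its supplement, as an added Python example (not the author's code and not the tool mentioned above): a simplified, delimiter-only model that classifies a file's raw bytes by whether its <% marker is still unclosed. The function names, verdict labels and sample bytes are assumptions of this example, and real IIS parsing may differ.

```python
# Added example (not from the original post): a delimiter-only model of how an
# ASP-style scanner sees a database renamed to .asp. Real IIS behaviour may differ.
OPEN, CLOSE = b"<%", b"%>"

def script_blocks(data: bytes):
    """Return (bodies of closed <% ... %> blocks, True if a trailing <% never closes)."""
    blocks, pos = [], 0
    while True:
        start = data.find(OPEN, pos)
        if start == -1:
            return blocks, False
        end = data.find(CLOSE, start + len(OPEN))
        if end == -1:
            return blocks, True
        blocks.append(data[start + len(OPEN):end])
        pos = end + len(CLOSE)

def verdict(data: bytes) -> str:
    """Classify a file by the states the post describes (labels are this example's own)."""
    blocks, unclosed = script_blocks(data)
    if unclosed:
        return "refused"        # open <% with no %>: the error the post relies on
    if not blocks:
        return "served-as-is"   # rename-only half measure: nothing stops a download
    if blocks[0].strip().lower() == b"response.end":
        return "cut-at-marker"  # supplement's marker: output ends at the first block
    return "marker-closed"      # a later %> closed the marker, the case in the supplement

# Constructed stand-ins for database bytes, not real .mdb files.
ROWS = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x11\x22" * 8
SAMPLES = {
    "renamed only": ROWS,
    "post's marker": ROWS + b"<%" + ROWS,
    "marker then %>": ROWS + b"<%" + ROWS + b"%>",
    "supplement's marker": ROWS + b"<% response.end %><%" + ROWS,
    "supplement's marker then %>": ROWS + b"<% response.end %><%" + ROWS + b"%>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:30} {verdict(data)}")
```

The scan runs over raw bytes, so a 0x25 0x3E pair that happens to occur in binary content after the marker counts as a closing %>; running verdict() over the bytes of your own renamed file shows which state it is actually in.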