With the development of the Internet, web technology has seen many new developments. After the Common Gateway Interface (CGI), Active Server Pages (ASP) became the typical server-side web development technology, and it is widely used in Internet applications such as online banking, e-commerce and search engines. At the same time, the Access database, a desktop database system launched by Microsoft that uses the standard JET engine, has a large user base because it is simple to operate and has a friendly interface. Therefore, ASP + Access has become the preferred solution for many small and medium-sized online application systems. But while the ASP + Access solution brings convenience, it also brings security problems that cannot be ignored.
Security risks of the ASP + Access solution
The main security risks of the ASP + Access solution come from the Access database itself, followed by security vulnerabilities introduced during ASP web design.
1. Access database storage risks
In an ASP + Access application, if someone obtains or guesses the storage path and file name of the Access database, the database can be downloaded to a local machine. For example, the Access database of an online bookstore is usually named book.mdb, store.mdb or similar, and is usually stored at "URL/database" or simply under the site root ("URL/"). In that case, typing "URL/database/store.mdb" into the browser's address bar is enough to download store.mdb to the local machine.
2. Access database decryption risks
The encryption mechanism of the Access database is very simple, so the database is easy to decrypt even when a password is set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores it at offset &H42 in the *.mdb file. Since XOR has the property that applying it twice restores the original value, the Access database password can easily be recovered from this key and the encrypted string in the *.mdb file. Based on this principle, a decryption program can easily be written.
It follows that setting a database password offers no protection once the database has been downloaded.
3. Source code risks
Because ASP programs are written in a non-compiled (interpreted) language, the security of the program source code is greatly reduced. Anyone who gains access to the site can obtain the source code, leading to disclosure of the ASP application's source.
4. Programming risks
ASP code makes use of interaction with the user, and the corresponding content is reflected in the browser's address bar. If appropriate security measures are not taken, anyone who notes down this content can bypass the verification page. For example, typing "...Page.asp?X=1" into the browser directly opens the page that satisfies the "X = 1" condition without going through the form page. Therefore, special measures must be taken when designing verification or registration pages to avoid this problem.
Improving the security of the database
Since the encryption mechanism of the Access database is too simple, effectively preventing the Access database from being downloaded has become the top priority for the security of ASP + Access solutions.
1. Unconventional naming
A simple way to protect the database is to give the Access database file a complex, unconventional name and store it in a multi-level directory. For example, do not simply name the online bookstore's database file "book.mdb" or "store.mdb"; instead use an unconventional name such as FAQ19JHSVZBAL.MDB and place it in a deep directory such as ./akkjj16t/KJHGB661/ACD/AVCCX55. This defeats illegal access that relies on obtaining the Access database file name by guessing.
2. Use ODBC data sources
In ASP program design, use an ODBC data source wherever possible. Do not write the database name directly into the program, otherwise the database name will be exposed along with the ASP source code. For example:
' Create the ADO connection object (needed before Conn.Open can be called)
Set Conn = Server.CreateObject("ADODB.Connection")
' The physical path of the database is hard-coded in the page: anyone who reads the source learns it
DbPath = Server.MapPath("./akkjj16t/KJHGB661/ACD/AVCCX55/FAQ19JHSVZBAL.MDB")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DbPath
It can be seen that no matter how strange the database name or how deep the hidden directory, once the ASP source code leaks the database is again easy to download. If an ODBC data source is used, this problem does not arise:
' The page only names the DSN; the physical path of the .mdb file stays in the ODBC configuration
Conn.Open "<ODBC DSN name>"
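As an added example (not code from the article), the following Python script audits a web root for the two problems described in the naming and ODBC sections above: Access files with guessable names stored at the site root or in a single obvious directory, and ASP pages whose source hard-codes the .mdb path instead of naming an ODBC DSN. The lists of guessable names and directories, the regular expression and the function names are my own assumptions.

```python
import os
import re

# File names the article cites as easily guessed, plus a few similar defaults (constructed list).
GUESSABLE_NAMES = {"book.mdb", "store.mdb", "database.mdb", "data.mdb", "db.mdb", "user.mdb"}
# Directories the article describes as the usual storage places ("" is the web root itself).
GUESSABLE_DIRS = {"", "database", "data", "db", "mdb"}
# A literal *.mdb path inside Server.MapPath("...") or in a DBQ= connection string.
HARDCODED_MDB = re.compile(r'(?i)(server\.mappath\s*\(\s*"[^"]*\.mdb"|dbq\s*=\s*[^;"]*\.mdb)')


def audit_mdb_paths(rel_paths):
    """Flag Access files that a guessing download request would find easily.
    rel_paths are relative to the web root with '/' separators; returns (path, reason) tuples."""
    findings = []
    for p in rel_paths:
        parts = [s for s in p.lower().split("/") if s not in ("", ".")]
        if not parts or not parts[-1].endswith(".mdb"):
            continue
        name, dirs = parts[-1], parts[:-1]
        if name in GUESSABLE_NAMES:
            findings.append((p, "guessable file name"))
        if len(dirs) <= 1 and "".join(dirs) in GUESSABLE_DIRS:
            findings.append((p, "stored in web root or a single well-known directory"))
    return findings


def audit_asp_source(source):
    """Return every hard-coded .mdb reference in one ASP page (a DSN-only page yields none)."""
    return [m.group(0) for m in HARDCODED_MDB.finditer(source)]


def scan_webroot(root):
    """Walk a real web root and run both audits over the files found there."""
    mdb, asp_hits = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if f.lower().endswith(".mdb"):
                mdb.append(rel)
            elif f.lower().endswith(".asp"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    asp_hits += [(rel, hit) for hit in audit_asp_source(fh.read())]
    return audit_mdb_paths(mdb) + asp_hits


if __name__ == "__main__":
    import sys
    for path, reason in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```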
Encrypting the ASP pages
To effectively prevent ASP source code leakage, the ASP pages can be encrypted. There are generally two ways to do this. One is to use component technology to encapsulate the program logic in a DLL; the other is to encrypt the ASP pages with the Microsoft Script Encoder. The author believes that the main problem with component technology is that every piece of code has to be made into a component, which is cumbersome and involves a lot of work, whereas encrypting the ASP pages with the Script Encoder is simple to operate and works well. The Script Encoder method has several advantages:
1. The HTML remains editable. The Script Encoder encrypts only the ASP code embedded in the HTML page and leaves the HTML unchanged, so common web editing tools such as FrontPage or Dreamweaver can still be used to modify the HTML part. The encrypted ASP part, however, must not be modified, otherwise the file will stop working.
2. Simple operation. Only a few command-line parameters need to be mastered. The Script Encoder executable is screnc.exe, and its usage is as follows:
screnc [/s] [/f] [/xl] [/l deflanguage] [/e defextension] inputfile outputfile
The parameters are as follows:
/s: suppress screen output;
/f: specify whether the output file overwrites the input file of the same name;
/xl: whether an @language directive is added at the top of the .asp file;
/l deflanguage: specify the default scripting language;
/e defextension: specify the extension of the files to be encrypted.
3. Batch encryption of files. With the Script Encoder, all ASP files in the current directory can be encrypted and the encrypted files output to a specified directory. For example:
screnc *.asp C:\Temp
4. The Script Encoder is free software. It can be downloaded from the Microsoft website: http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the installer.
Registration verification with the Session object
To prevent unregistered users from bypassing the registration interface and entering the application directly, the Session object can be used for registration verification. The biggest advantage of the Session object is that it retains the user's information and lets subsequent web pages read it.
The design requires the user to start from HRMIS.ASP?Page=1 after registering successfully. Without registration verification using the Session object, a user could type this address into the browser, bypass the registration interface and enter the system directly. Using the Session object effectively prevents this. The relevant program code is as follows:
<%
' Read the account and password entered by the user
UserID = Request("UserID")
Password = Request("Password")
' Check whether UserID and Password are correct (a real program would look them up and may be more complex)
If UserID <> "hrmis" Or Password <> "Password" Then
    Response.Write "Account error!"
    Response.End
End If
' Record in the Session object that this user has passed verification
Session("passed") = True
%>
After entering the application, each page verifies first:
<%
' If the user has not passed verification, send them back to the login page
If Not Session("passed") Then
    Response.Redirect "login.asp"
End If
%>