About Access database security
Another article from 9cbs, database security is the most headache of people playing websites, looking for such a one, see if you are useful! ~~ I have seen it, a little bit! Today again Seeing the Access database security article, every time I see this article, I want to say two sentences. There are several popular statements: I, the password gives a randomly complex name to the database, avoid being guessed, this The way is very popular before, because everyone is very confident on their code. However, as the error prompts the disclosure of the database address, the database is illegally downloaded, and this method is increasingly used. Second, "#" plus ## in the database name, requesting the request from the URL # is a separate character of the request address and request parameter, if you know the database name, direct request, such as: http://www.xx .com / access # .mdb, the web server will consider the request is Access instead # .mdb, so it will be prompted to find the file, but unfortunately, there is a special way for these special characters in the URL. # Special representation is% 23, such as http://www.xx.com/access#.mdb, then Access # .mdb will be downloaded. There is also a download tool such as flash Get, you can also download it. Third, the ASP style is a major professional but is also very safe and is now a popular practice, but now many people are only half, just change the data name into the ASP, so the words are directly used. The download tool can be downloaded, and the correct process of this method has two steps: Step 1: Create a field in the database, the name is free, the type is the OLE object, the content is set to "<%", That is (ASP code CHRB (ASC ("<")) & chRB (ASC ("%")) running results) Step 2: Run the database to ASP This database will be directly requesting this database from the URL will be prompted "missing off Script separator, thus refuse to download, because this way is more trouble I find a small code online to complete the insertion of the OLE object, just set the database name, then put it in the database, you can run it. . Code full number: <% db = "d.mdb" "This is changed to your database address set conn = server.createObject (" adoDb.connection "connStr =" provider = microsoft.jet.Oledb.4.0; data source = "& Server.MapPath (db) conn.open connstrconn.execute (" create table notdownload (notdown oleobject) ") set rs = server.createobject (" adodb.recordset ") sql =" select * from notdownload "rs.open sql CONN, 1, 3rs.AddNewrs ("notdown"). Appendchunk (chrb ("")) & chrb (ASC ("%"))) rUpdaters.closset = nothingconn.closeset conn = Nothing% > This code will generate a nodownload table in the database after running, and the field is NOTDOWN.
