Basic rules for novice ASP programming

1. Common mistakes novices make
I have seen one basic mistake in the code of many forum posts: treating a field as the wrong type.
Program and database are tightly coupled. A value written to, or compared against, a field of text type or date/time type must be enclosed in single quotes; a value for a numeric field must not be.
For example, this update statement:
conn.execute "update Counts set counts='" & counts & "' where num=" & num & " and Atime='" & now() & "'"
On the left of each equals sign is the field name; on the right is the variable being passed in. counts is a text field, so single quotes go before and after its value, and this is the same whether you are writing or querying. In the where clause, num is a numeric field, so there are no quotes around it, and Atime is a date/time field, so it is quoted again.
The most important case is querying by ID. The ID field is unique and numeric, so there must not be single quotes around it (Jet reports "Data type mismatch in criteria expression" if there are):
conn.execute "update Counts set counts='" & counts & "' where id='" & id & "'" 'wrong way of writing
conn.execute "update Counts set counts='" & counts & "' where id=" & id 'correct way of writing
Getting the quotes right only makes the statement valid; it does not make it safe. Every one of these statements splices request values straight into the SQL text, so an id of 1 or 1=1 rewrites the where clause and a single quote inside counts breaks the string: this is SQL injection. Check that a numeric value really is a number (IsNumeric and CLng) before concatenating it, and prefer ADODB.Command with parameters, which pass the values separately from the SQL text.
2. ACCESS database connection
There are usually two ways to connect to the database. Newbies often do not know which one to use, when to use which, or how either of them works.
① Connect to the database file through the ODBC Access driver
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("database/yanhang.mdb")
② Connect to the database file through the Jet OLE DB provider
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("database/yanhang.mdb")
So which of the two is better? The second, but not for the reason often given, that the first lets the client browser read the database directly. Both connection strings run on the server inside the ASP page; the browser never sees either of them, nor the .mdb path. The real difference is that ADO is built on OLE DB, so ② talks to the Jet engine directly, while ① goes through the ODBC layer on top of it; the OLE DB route is the one Microsoft recommends for ADO and is generally faster and more stable under load. Neither choice protects the .mdb file itself from being downloaded; that is the subject of section 4.
Corresponding program code for each connection method: ① ODBC Access driver
conn.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("database/yanhang.mdb")
Inserting a row through a Recordset:
set rs=server.createobject("adodb.recordset") '(correct writing)
rs.open "select * from dndj",conn,1,3
rs.addnew
rs("bh") = bh
rs("bm") = bm
rs("xm") = xm
rs("xsq") = xsq
rs.update
rs.close
set rs=nothing
set rs=server.createobject("adodb.recordset") '(wrong writing)
sql="insert into dndj(bh,bm,xm,xsq) values('bh','bm','xm','xsq')"
rs.open sql,conn,1,3
Corresponding program code for each connection method: ② Jet OLE DB provider
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("database/yanhang.mdb")
Inserting a row with conn.Execute:
conn.execute "insert into dndj(bh,bm,xm,xsq) values('" & bh & "','" & bm & "','" & xm & "','" & xsq & "')" '(correct writing)
set rs=server.createobject("adodb.recordset") '(wrong writing)
sql="insert into dndj(bh,bm,xm,xsq) values('bh','bm','xm','xsq')"
rs.open sql,conn,1,3
Two things make the "wrong" version wrong, and neither depends on the connection method: the values clause contains the literal strings 'bh','bm','xm','xsq' instead of the contents of the variables, and an insert returns no rows, so opening a Recordset on it is pointless (use conn.Execute for statements that return no data). The Recordset/AddNew style and the conn.Execute style both work over either connection; the AddNew style has the advantage that ADO applies the quoting for each field's type itself, so the single-quote rules of section 1 and the injection risk that comes with them do not arise.
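The UPDATE from section 1 and the INSERT from section 2 rewritten with ADODB.Command parameters, as an added example that is not part of the original post. The table and field names are the post's; the request field names, the parameter sizes and the ParseId helper are assumptions.

```vbscript
<%
' Added example, not code from the original post: the UPDATE from section 1
' and the INSERT from section 2 done with ADODB.Command parameters. The value
' never becomes part of the SQL text, so ADO applies the type rules about
' single quotes, and a request value like "1 or 1=1" cannot alter the
' statement. Assumed: conn is an open ADODB.Connection to the Access file from
' the post, and the tables Counts(id, num, counts, Atime) and
' dndj(bh, bm, xm, xsq) exist with the field types the post describes.

' ADO constants (same values as adovbs.inc), declared so the page stands alone.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adDate = 7
Const adVarChar = 200

' Accept only a whole number for an ID (assumed helper); anything else is
' rejected before it gets near the database. Returns -1 on failure.
Function ParseId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If re.Test(CStr(raw)) Then
        ParseId = CLng(raw)
    Else
        ParseId = -1
    End If
End Function

' Build a command whose SQL uses ? placeholders; Jet binds them in order.
Function NewCommand(conn, sql)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    Set NewCommand = cmd
End Function

' Section 1: counts is text, num is numeric, Atime is date/time. The type is
' carried by the parameter, not by quotes in the SQL string.
Sub UpdateCounts(conn, counts, num, atime)
    Dim cmd
    Set cmd = NewCommand(conn, "update Counts set counts=? where num=? and Atime=?")
    cmd.Parameters.Append cmd.CreateParameter("counts", adVarChar, adParamInput, 255, CStr(counts))
    cmd.Parameters.Append cmd.CreateParameter("num", adInteger, adParamInput, , num)
    cmd.Parameters.Append cmd.CreateParameter("atime", adDate, adParamInput, , atime)
    cmd.Execute
End Sub

' Section 2: the insert into dndj; the same four values, quoted by nobody.
Sub InsertDndj(conn, bh, bm, xm, xsq)
    Dim cmd
    Set cmd = NewCommand(conn, "insert into dndj(bh,bm,xm,xsq) values(?,?,?,?)")
    cmd.Parameters.Append cmd.CreateParameter("bh", adVarChar, adParamInput, 50, CStr(bh))
    cmd.Parameters.Append cmd.CreateParameter("bm", adVarChar, adParamInput, 50, CStr(bm))
    cmd.Parameters.Append cmd.CreateParameter("xm", adVarChar, adParamInput, 50, CStr(xm))
    cmd.Parameters.Append cmd.CreateParameter("xsq", adVarChar, adParamInput, 50, CStr(xsq))
    cmd.Execute
End Sub

' Usage with request values (form field names assumed):
Dim num
num = ParseId(Request.Form("num"))
If num < 0 Then
    Response.Write "bad num"
    Response.End
End If
UpdateCounts conn, Request.Form("counts"), num, Now()
InsertDndj conn, Request.Form("bh"), Request.Form("bm"), Request.Form("xm"), Request.Form("xsq")
%>
```

The ? placeholders are bound positionally, so the order of the Append calls must match the order in the SQL. Adjust the adVarChar sizes to the field widths in your table, and use adLongVarChar for Access memo fields.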
3. Application of double quotation marks
Usually we write a hyperlink like this: <a href="abc.asp?id=<%=rs("id")%>">super link</a>
But what if this hyperlink has to be produced from ASP code with response.write? The string handed to response.write is itself delimited by double quotes, so a double quote that belongs to the HTML must either be left out, replaced by single quotes, or doubled ("" inside a VBScript string is one literal quote character):
response.write "<a href=abc.asp?id=" & rs("id") & ">Super link</a>" '(correct writing: no quotes around the attribute)
response.write "<a href='abc.asp?id=" & rs("id") & "'>Super link</a>" '(correct writing: single quotes around the attribute)
response.write "<a href=""abc.asp?id=" & rs("id") & """>Super link</a>" '(correct writing: doubled double quotes)
response.write "<a href=abc.asp?id=<%=rs("id")%>>Super link</a>" '(wrong writing: <%= %> cannot be used inside code that is already script)
response.write "<a href="abc.asp?id=" & rs("id") & "">Super link</a>" '(wrong writing: the unescaped " ends the string early)
The same for a form field. In the page it is written <input type="text" name="id" value="<%=rs("id")%>" />, and produced from code:
response.write "<input type=text name=id value=""" & rs("id") & """ />" '(correct writing) Note: there are three double quotes here: two make one literal quote, the third closes the string
response.write "<input type='text' name='id' value='" & rs("id") & "' />" '(correct writing)
response.write "<input type=text name=id value=" & rs("id") & " />" '(correct writing)
response.write "<input type=text name=id value=<%=rs("id")%> />" '(wrong writing)
response.write "<input type=text name=id value=" & rs("id") & "" />" '(wrong writing)
Whichever quoting you choose, a value taken from the database or the request is being placed inside HTML. If it can contain <, >, ", ' or, in the unquoted forms, even a space, it breaks out of the attribute, which is how cross-site scripting happens. Pass it through Server.HTMLEncode (and Server.URLEncode for the query-string part) instead of writing it raw.
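The hyperlink and the input box from section 3 written as functions, with the quoting chosen so that the attribute is always double-quoted and the value encoded for where it lands. This is an added example and not code from the original post; rs, abc.asp and the "id" column are the post's, the function names are assumptions.

```vbscript
<%
' Added example, not code from the original post: the hyperlink and the input
' box from section 3 as functions, with correct quoting and with the value
' encoded for the place it lands in. Assumed: rs is an open Recordset with an
' "id" column, and abc.asp is the target page from the post.
' Server.HTMLEncode turns < > & " into entities; Server.URLEncode encodes a
' value for use in a query string. Both are built into ASP.

' The value goes into the query string of a URL, and that URL sits inside an
' HTML attribute, so it is URL-encoded first and HTML-encoded second.
Function LinkFor(id)
    LinkFor = "<a href=""abc.asp?id=" & Server.HTMLEncode(Server.URLEncode(CStr(id))) & """>Super link</a>"
End Function

' The value goes into an attribute. The attribute is double-quoted (doubled
' inside the VBScript string) and the value HTML-encoded, so a stray quote or
' > in it cannot end the attribute or the tag.
Function InputFor(id)
    InputFor = "<input type=""text"" name=""id"" value=""" & Server.HTMLEncode(CStr(id)) & """ />"
End Function

Response.Write LinkFor(rs("id"))
Response.Write InputFor(rs("id"))
%>
```

Of the three "correct" quotings in the post, prefer the doubled double quotes: with the unquoted form, a value containing a space ends the attribute and whatever follows the space is parsed as a new attribute, so an id of 5 onmouseover=... becomes an event handler even after encoding removes < and >.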
4. Several methods to prevent the ACCESS database from being downloaded
Many dynamic sites rely heavily on a database, which naturally makes the database file the core file of the site. Once it can be downloaded by anyone, it is very likely that a malicious person will use it to damage the site or steal its contents.
The methods below are divided between users on virtual-host space and users who control IIS.
One: for users who rent virtual-host space and have no control over IIS
1: Use your imagination when naming the database file
This is the most basic step; I doubt many people are still too lazy to change the database file name. What you change it to is up to you, as long as the name is long, complex and not guessable. And the directory holding the database must not have directory browsing enabled, otherwise the name is simply listed.
2: Change the database file suffix to ASA, ASP, etc.
I heard that this is very popular, but I have tested it many times and found it is not ideal. If you really want to prevent downloads this way, you also need to add binary fields and other settings; in a word, it is complicated (and if your database has many tables, this method is really not very good).
3: Add # in front of the database name
Put # at the start of the database file name and change the path in the connection file (such as conn.asp) to match. The idea is that in a URL everything from # onwards is a fragment identifier that the browser keeps to itself, so when someone tries to download http://bbs.bccn.net/date/#123.mdb (assuming it exists), IE, FlashGet and the like actually request http://bbs.bccn.net/date/ and get the directory's default document, such as http://bbs.bccn.net/date/index.htm.
This is a trick, not a control: anyone who knows the name writes the # as %23 (http://bbs.bccn.net/date/%23123.mdb), the web server decodes it back to # and serves the file.
Keeping spaces in the file name is often recommended alongside this, on the theory that a space is sent as %20 (http://bbs.bccn.net/date/123 456.mdb becomes http://bbs.bccn.net/date/123%20456.mdb) and no file called 123%20456.mdb exists. That reasoning is wrong: the server decodes %20 to a space before looking for the file, so a space in the name does not block the download at all. The most the # trick buys you is that a copied link pasted into a browser fails; once the address is exposed, assume the file can be fetched.
4: Encrypt the database
Open the database in Access in exclusive mode, choose Tools - Security - Set Database Password, and then modify the connection page after encrypting, for example:
conn.open "driver={microsoft access driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"
After this change, even if the database is downloaded, others cannot open it (provided the password in your connection page has not leaked).
It is worth noting, though, that the encryption mechanism of an Access database is very simple, so even with a password set, recovery is easy. The database system forms the stored value by XORing the password the user entered with a fixed key and writes it into the *.mdb file at offset &H42. A competent programmer can write a few dozen lines that read the password out of any Access database, so once the database has been downloaded its contents should be considered exposed regardless of the password.
Two: for users with control of the host (the virtual-host settings above can of course still be used)
5: Put the database outside the web directory
If your web directory is e:\webroot, put the database in e:\data and in the connection page under e:\webroot change the database path to the form ../data/#123 456.mdb. The database is still reachable by the program, but it cannot be downloaded because it is not under the web directory at all, so no URL maps to it. Two things to check: Server.MapPath("../data/...") only works if "Enable Parent Paths" is switched on in the IIS application settings, otherwise use an absolute path such as e:\data\#123 456.mdb; and the IIS anonymous account (IUSR_machinename by default) needs read and write permission on e:\data, because Jet creates its .ldb lock file there. This method also suits users on virtual-host space when the host gives them a directory above the web root.
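Opening a database kept beside the web root without depending on "../" in Server.MapPath, as an added example that is not code from the original post. The directory layout (e:\webroot and e:\data) and the file name are the post's; the SiblingDir helper is an assumption.

```vbscript
<%
' Added example, not code from the original post: open a database that lives
' beside, not under, the web root without using "../" in Server.MapPath
' (which IIS refuses when "Enable Parent Paths" is off). Assumes the layout
' from method 5: web root e:\webroot, database e:\data\#123 456.mdb.

' Derive a directory next to the web root from the web root's own physical
' path, so the page keeps working if the site is moved to another drive.
Function SiblingDir(name)
    Dim root, cut
    root = Server.MapPath("/")              ' e.g. e:\webroot (no trailing \)
    cut = InStrRev(root, "\")               ' position of the last backslash
    SiblingDir = Left(root, cut) & name     ' "e:\" & "data" -> e:\data
End Function

Dim dbPath, conn
dbPath = SiblingDir("data") & "\#123 456.mdb"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & dbPath
%>
```

If the site root were e:\sites\webroot, the same function yields e:\sites\data, which is still outside anything IIS serves.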
6: Use an ODBC data source (DSN).
In ASP programming, use an ODBC data source where possible and do not write the database path into the program; otherwise, the moment the ASP source code leaks, the database path leaks with it.
For example:
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & Server.MapPath("../123/abc/asfadf.mdb")
No matter how strange the database name or how deeply the directory is hidden, once this source is disclosed the file can be downloaded straight away (as long as it is inside the web directory).
With an ODBC data source there is no such problem: conn.open "DSN=your DSN name". It is more trouble to maintain, though: if the directory is moved, the data source has to be set up again. And a DSN only hides the path; it does not move the file, so combine it with method 5.
7: Add an application extension mapping for .mdb
This method works by changing the IIS settings. It suits people with control over IIS and not virtual-host users (unless the administrator has set it up). I think it is currently the best method: one change protects every database on the site, and downloads are blocked even if the target address is exposed, without touching any code.
Setup:
In IIS, open the web site's Properties - Home Directory - Configuration - Mappings - Application Extensions and add a mapping for the .mdb extension. Note that the DLL (or EXE, etc.) chosen here is not arbitrary; with an unsuitable one the .mdb can still be downloaded, so test it yourself. Above all do not map it to asp.dll: that hands the file to the ASP script engine, and if anyone has managed to store ASP code in a database field through a form, requesting the .mdb would execute it on your server.
After this change, a download request such as http://bbs.bccn.net/data/dvbbs6.mdb is answered with an error (404, 500 or similar) instead of the file.
8: Using a .net plug-in loaded into IIS
Mu Niao from Dongwang has written the WBAL anti-hotlink tool to stop files being downloaded from outside, and I remember an expert on this forum once published a database anti-download plug-in, a .dll loaded into IIS.
That plug-in only stops downloads whose referring page is not on the local site; it does not truly prevent the database from being downloaded. The approach is similar to method 7 in that it is configured once in IIS.
You can modify the .NET file so that local downloads are refused as well.
Of all these methods, only the 7th and 8th can be applied uniformly: change the configuration once and every database on the site is protected. The others require changing the database name and the connection file individually, which is more troublesome, but for virtual-host friends that is all that can be done.
In fact the 8th method is really an extension of the 7th with extra functions. For hosts that do not support .net, or if the setup seems too much trouble, it is better to use the 7th method directly. Left at its default, the 8th method can still be defeated by pasting the database link into a forum or guestbook on the same host and clicking it, because the referring page is then on the same host.
Each method has its pros and cons, so use them selectively. None is absolutely safe; the administrator also has to look after the security of the system itself and of the ASP code, otherwise someone may still be able to download or modify the database.