It turns out that the claim that changing .mdb to .asp prevents downloading is nonsense. I used FlashGet to test-download the data.asp file and saved it as data.mdb, and found that it was intact when opened with Access!
1. Use your imagination to modify the database file name
However, if the attacker obtains the path to the database through some third-party method, he can still download the database. Therefore this method offers minimal confidentiality.
2. Change the database name suffix to ASA, ASP, etc.
This method must be combined with some additional settings, otherwise the situation described at the beginning of this article will occur.
(1) Add a binary field.
(2) Add <% or %> to the file, so that IIS parses it according to ASP syntax and then reports a 500 error; naturally it cannot be downloaded. However, it is useless to simply add <% to a text or memo field of the database, because Access will process the content, and it will exist in the database as <%, which has no effect! The correct method is to store <% in an OLE object field, so that our purpose can be achieved.
How to do it:
First, use notepad to create a new text file with the content <%, give it a random name and save it.
Next, open your database file with Access, create a new table, give it a random name, add an OLE object field to the table, then add a record and insert the text file created before. If done correctly, you should be able to see a new record named "Data Packet". That's it.
3. Add # before the database name
Just add # to the front of the database file name, and then modify the database address in the database connection file (such as conn.asp). The principle is that when downloading, only the part before the # sign is recognized, and the part after it is automatically removed. For example, if you want to download: http://www.pcdigest.com/date/#123.mdb (assuming it exists), then whether you use IE or FlashGet, what you get is http://www.test.com/date/index.htm (index.asp, default.jsp, etc., the home page documents you set in IIS).
In addition, keeping some spaces in the database file name plays a similar role. Because of the way HTTP handles address resolution, spaces will be encoded as %; for example, http://www.test.com/date/123;456.mdb is downloaded from http://www.test.com/date/123%456.mdb. Our directory does not contain the file 123%456.mdb at all, so the download fails. After this modification, even if you expose the database address, others generally will not be able to download it!
4. Encrypt the database
First, select Tools->Security->Encrypt/Decrypt Database, select the database (for example: employee.mdb), and then click OK. A window will then appear for saving the database after encryption; save it as employee1.mdb. employee.mdb will then be encoded and saved as employee1.mdb. It should be noted that this action does not set a password for the database, but only encodes the database file. The purpose is to prevent others from using other tools to view the contents of the database file.
Next, we encrypt the database. First, open the encoded employee1.mdb, selecting exclusive mode when opening it. Then select Tools->Security->Set Database Password from the menu, and enter the password. In this way, even if someone else gets the employee1.mdb file, he cannot view its contents without the password.
After encryption, you need to modify the database connection page, such as:
conn.open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"
After this modification, even if the database is downloaded, others cannot open it (provided that the password in your database connection page has not been leaked).
But it is worth noting that because the encryption mechanism of the Access database is relatively simple, decryption is easy even if a password is set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores it in the area of the *.mdb file starting from address &H42. So a good programmer can make a small program of a few dozen lines that obtains the password of any Access database. Therefore, once the database has been downloaded, the security of its information remains uncertain.
5. Place the database outside the WEB directory or place the database connection file in other virtual directories
If your WEB directory is e:/webroot, you can put the database in the folder e:/data, and change the database connection address on the database connection page in e:/webroot to the form ../data/database name, so that the database can be called normally but cannot be downloaded, because it is not in the WEB directory! This method is generally not suitable for users who purchase virtual space.
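A check for methods 1 to 5, added here as an example and not part of the original article: it walks a web root and reports Access databases by their file header rather than by name, so a database renamed to data.asp or #123.mdb is still found. The function names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile

# Jet/ACE files carry a fixed signature at byte offset 4 of the header.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")


def is_access_database(path):
    """Return True if the file header carries a Jet/ACE signature."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(32)
    except OSError:
        return False  # unreadable files are skipped, not reported
    return any(header[4:4 + len(sig)] == sig for sig in JET_SIGNATURES)


def find_exposed_databases(web_root):
    """Walk web_root and list Access databases by content, ignoring the name."""
    hits = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            if is_access_database(full):
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_site():
    """Constructed sample tree: a web root plus a data folder beside it."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "webroot")
    os.makedirs(os.path.join(web_root, "date"))
    os.makedirs(os.path.join(base, "data"))
    jet_header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    samples = {
        os.path.join(web_root, "data.asp"): jet_header,            # renamed .mdb
        os.path.join(web_root, "date", "#123.mdb"): jet_header,    # '#' prefix
        os.path.join(web_root, "conn.asp"): b"<% ' connection page %>",
        os.path.join(base, "data", "employee1.mdb"): jet_header,   # outside root
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return web_root


if __name__ == "__main__":
    for hit in find_exposed_databases(build_demo_site()):
        print("Access database inside web root:", hit)
```

An empty result for the real web root means every database has been moved out as method 5 describes; any hit is a file that depends on one of the weaker measures.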
6. Use ODBC data sources.
In programming such as ASP, if possible, you should try to use ODBC data sources and not write the database name in the program. Otherwise, the database name will be lost along with the confidentiality of the ASP source code. For example:
DBPath = Server.MapPath("../123/abc/asfadf.mdb")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
It can be seen that no matter how weird the name of the database is, and no matter how deep the hidden directory is, once the ASP source code is compromised the database can be easily downloaded. If you use an ODBC data source, there is no such problem: conn.open "ODBC-DSN name". But this is more annoying: if you move the directory, you have to reset the data source. For a more convenient method, please see methods 7 and 8!
7. Add extended mapping of database name such as MDB
This method is achieved by modifying the IIS settings. It is suitable for friends who have IIS control, but is not suitable for users who purchase virtual hosts (unless the administrator has set it up). I think this method is the best currently. With just one change, the entire site's database can be prevented from being downloaded. Downloads can be prevented even if the target address is exposed without modifying the code.
We add application parsing for the .mdb file in IIS Properties---Home Directory---Configuration---Mapping---Application Extension. Note that the DLL (or EXE, etc.) selected here does not seem to be arbitrary. If the selection is not appropriate, the MDB file can still be downloaded. Note that it is best not to select asp.dll, etc. You can test it yourself.
After this modification, an attempt to download a database such as http://www.test.com/data/dvbbs6.mdb will produce an error (such as 404 or 500).
8. Advantages of using .NET
Mu Niao from Dongwang has written a WBAL anti-hotlink tool to prevent illegal downloading of files. For details, please log in to http://www.9seek.com/WBAL/.
However, that one only prevents non-local downloads and does not have the function of truly preventing database downloads. However, this method is almost the same as method 5. You can modify the .NET file so that it cannot be downloaded locally!
Among these methods, only the 7th and 8th can be applied uniformly: after modifying the configuration once, the databases of the entire site can be prevented from being downloaded. The other methods require modifying the database name and connection file individually, which is more troublesome, but users on virtual hosts can only do this!
In fact, the sixth method should be an extension of the fifth method, which can achieve special functions. However, for hosts that do not support .NET, or if you are afraid of troublesome settings, it is better to use the fifth method directly. With the sixth method used by default, it is still possible to copy the link, post it in a forum or guestbook on the same host, and then click it to download (because such referring pages are from the same host).
9. Use the file permission settings of the NTFS partition (by percyboy)
We already know that ASP.NET uses ADO.NET to access the database, and the Access database - one of our very commonly used low-end databases - can be accessed through the OleDb connection. This article discusses several error prompts that may be seen in ASP.NET. Database files created by Access 2000 and Access XP show different error prompts when access errors occur. Hope it helps everyone. Another important point is that I hope that through this article, everyone will have a new understanding of the NTFS permission settings of Access database files in ASP.NET.