A few words of my own opinion on how to keep attackers out. First, free programs are exactly that: free. Because the source code is shared, an attacker can study it just as you can. If you pay attention to the details below, the security of your site improves greatly, and even if a vulnerability such as SQL injection exists, an attacker does not immediately get your whole site.
Because ASP is convenient and easy to use, more and more website back-end programs are written in the ASP scripting language. However, ASP has some security weaknesses of its own, and a moment of carelessness hands an attacker an opportunity. Security is not only the network administrator's job; programmers must also pay attention to security details and develop good habits, otherwise they bring serious risks to their site. At present most ASP programs on most websites have the vulnerabilities described below, yet with some care in the program they can all be avoided.
1. Usernames and passwords are cracked
Attack principle: Usernames and passwords are what attackers are most interested in. If an attacker obtains the source code in some way and the credentials are in it, the consequences are serious.
Precautions: Keep usernames and passwords encapsulated on the server side and let them appear in as few ASP files as possible. The account used to connect to the database should be given the minimum permissions it needs. Credentials that are used in many places should be written once, in a single include file kept in a location that cannot be fetched through the web server (ideally outside the web root). For database access the ideal state is an account that may only execute stored procedures; do not give the web user direct rights to modify, insert, or delete records.
2. Verification is bypassed
Attack principle: Most ASP programs that require authentication add a judgment statement at the head of the page, but that alone is not enough; an attacker may bypass the check and reach the protected page directly.
Defense skills: Every page that requires authentication must itself verify, on the server, that the request belongs to a session established by the previous (login) page, for example a Session variable that only the login page sets after a successful check. Only a request carrying such a session may read the page. Do not rely on the Referer header to identify the previous page, since it is supplied by the client and can be forged or omitted.
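The following is an added example (not code from the original article) of the check described above: the login page is the only place that creates the session, and a small include file repeats the check at the top of every protected page. The file names, the Session("UserID") variable and the VerifyCredentials() helper (assumed to compare the submitted name and password against the database with a parameterized query and return the user ID, or 0 on failure) are illustrative.

```asp
<%
' ---- login.asp (fragment): the only place that creates the session ----
' Added example; not the article's code. VerifyCredentials() is an assumed
' helper that checks name/password server side and returns a user ID or 0.
Dim userId
userId = VerifyCredentials(Request.Form("username"), Request.Form("password"))
If userId > 0 Then
    Session("UserID") = userId          ' server-side state, never a hidden form field
    Response.Redirect "admin/index.asp"
Else
    Response.Write "Login failed."
End If
%>

<%
' ---- checklogin.asp: placed at the very top of EVERY protected page ----
'   <!-- #include file="checklogin.asp" -->
' A guard that exists only on admin/index.asp is useless: an attacker requests
' admin/users.asp directly and never passes through the first page.
If IsEmpty(Session("UserID")) Or Session("UserID") = "" Then
    Response.Redirect "/login.asp"
    Response.End
End If

' Do NOT use this as the check: the Referer header is set by the client and
' proves nothing about which page the user really came from.
' If Request.ServerVariables("HTTP_REFERER") <> "http://www.example.com/login.asp" Then ...
%>
```

The include file carries the .asp extension rather than .inc so that, if it is ever requested directly, the ASP engine processes it instead of returning its source.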
3. INC file leakage
Attack principle: While an ASP site is being built and debugged, its pages can be picked up by search engines and indexed. Anyone who finds those pages through a search engine at that time learns the location of the related files, and because .inc include files are not processed by the ASP engine by default, the browser displays them as plain text: the database location and structure, and the complete source code, are revealed.
Precautions: Programmers should finish debugging completely before publishing the site, and administrators should harden the ASP files so that external users cannot read them. First, encode the content of the .inc file; second, and more reliably, give include files the .asp extension instead of .inc so that the engine processes them and users cannot view their source from the browser (mapping the .inc extension to the ASP engine in IIS achieves the same effect). The include file's name should not be the system default or anything a user could easily guess; use irregular strings of letters as far as possible.
4. Automatic backups are downloaded
Attack principle: Some tools used to edit ASP programs automatically create a backup file whenever an ASP file is created or modified. UltraEdit, for example, writes a .bak file: if you create or modify some.asp, the editor generates some.asp.bak alongside it. If you do not delete this .bak file, an attacker can download some.asp.bak directly and so obtain the source of some.asp.
Precautions: Check carefully before uploading a program and delete unnecessary files; be especially wary of anything with a .bak suffix. Configuring the web server not to serve .bak files is a useful second line of defense.
5. Special characters
Attack principle: Input boxes are a favorite target. By entering script, an attacker can harm other users' browsers (the client side); if the input feeds a database query, specially crafted query fragments can pull out more data than intended, even entire tables. Input must therefore be filtered. However, if legality checking is done only on the client side (to save server work), it can still be bypassed.
Defense skills: In ASP programs with input boxes, such as a guest book or a BBS, it is best to block HTML, JavaScript and VBScript. If there is no special requirement, restrict input to letters and digits so that special characters are rejected, and limit the length of the input. Most importantly, these checks must not live only in the client; the same checks must be performed again in the server-side program, because the client-side version can be removed or bypassed by the attacker.
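Below is an added example (not code from the original article) of the server-side checks described in this section for a guest-book post: a whitelist on the nickname, a hard length limit on the body, a parameterized INSERT in place of string concatenation, and HTML encoding on output. The table name posts, its columns, and the already-opened ADODB.Connection named conn are assumptions for the illustration.

```asp
<%
' Added example; not the article's code. Assumes conn is an open
' ADODB.Connection and a table posts(nick, body) exists.

' Whitelist check: letters and digits only, 1 to 20 characters.
' Runs on the server for every request; a client-side copy is optional.
Function IsValidNickname(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9]{1,20}$"
    IsValidNickname = re.Test(s)
End Function

Dim nick, body
nick = Request.Form("nickname")
body = Left(Request.Form("body"), 2000)        ' hard length limit on the server

If Not IsValidNickname(nick) Then
    Response.Write "Invalid nickname."
    Response.End
End If

' VULNERABLE (shown for contrast, kept commented out): the submitted text
' becomes part of the SQL statement, so a value such as  x','');DELETE FROM posts--
' changes what the statement does.
' conn.Execute "INSERT INTO posts (nick, body) VALUES ('" & nick & "','" & body & "')"

' HARDENED: the values travel as bound parameters, never as SQL text.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "INSERT INTO posts (nick, body) VALUES (?, ?)"
' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("nick", 200, 1, 20, nick)
cmd.Parameters.Append cmd.CreateParameter("body", 200, 1, 2000, body)
cmd.Execute

' When the stored text is shown again, encode it so that <script> and
' similar markup are displayed literally instead of executed in the reader's browser.
Response.Write Server.HTMLEncode(body)
%>
```

The whitelist stops HTML and script in the nickname outright; the free-text body cannot be whitelisted the same way, so it is bounded in length, stored via a parameter so it cannot alter the query, and encoded whenever it is rendered.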
6. Database download vulnerability
Attack principle: When Access is used as the back-end database, anyone who learns or guesses the path and file name of the server's Access database, by whatever means, can simply download the database file. This is extremely dangerous.
Defense skills:
(1) Give your database file a complex, unconventional name and put it several directory levels deep. "Unconventional" means, for example, that a database holding information about books should not be called book.mdb but something odd such as D34KSFSLF.MDB, placed in a path like ./kdslf/i44/studi/, so that an attacker cannot reach your Access file by guessing. Better still, place the file in a directory that the web server does not serve at all.
(2) Do not write the database path or name into the program. Some people like to build the connection string in the page, for example:
dbpath = Server.MapPath("cmddb.mdb")
conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
Anyone who obtains the source then knows the name and location of your Access database at a glance. It is therefore recommended to define a data source (DSN) in the ODBC administrator and write only its name in the program, for example (shujiyuan being the DSN name you configured):
conn.Open "shujiyuan"
(3) Use Access to encode and then password-protect the database file. First select the database (say Employer.mdb) and choose Tools → Security → Encrypt/Decrypt Database, confirm, and in the dialog that follows save the encoded copy under a new name such as Employer1.mdb.
Note that this step does not set a password; it only encodes the database file, so that the contents cannot be read with a plain file viewer or other tools.
Next, set a password on the encoded database. Open Employer1.mdb in exclusive mode (choose Open Exclusive in the File → Open dialog), then select Tools → Security → Set Database Password and enter the password. Now, even if someone obtains Employer1.mdb, they cannot view its contents without the password. Remember that your ASP pages must then supply this password in the connection (the PWD attribute for the Access ODBC driver), so keep it out of any file the web server can deliver; and treat the password as a last barrier rather than a primary control, since preventing the file from being downloaded in the first place is what matters most.
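The following added example (not code from the original article) contrasts the connection shown in point (2) with one that keeps the database path and password out of the page, tying together the advice of section 1 (credentials in one protected place, least privilege) and points (2) and (3) above. The DSN name shujiyuan, the file cmddb.mdb, and the Application("DbPassword") variable (assumed to be set in global.asa's Application_OnStart from a file outside the web root) are illustrative.

```asp
<%
' Added example; not the article's code. The DSN name, file name and
' Application("DbPassword") (assumed to be filled in by global.asa from a
' file outside the web root) are illustrative.

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")

' WEAK (kept commented out): anyone who reads this source through a leaked
' .inc or .bak file learns the exact path of the .mdb and, if that directory
' is under the web root, can fetch the database over HTTP.
' Dim dbpath
' dbpath = Server.MapPath("cmddb.mdb")
' conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath

' BETTER: the System DSN created in the ODBC Data Source Administrator holds
' the real path (ideally a directory IIS does not serve); the page names only
' the DSN, and the database password set in Access (point 3) comes from a
' value that never appears in any file the web server delivers.
conn.Open "DSN=shujiyuan;PWD=" & Application("DbPassword")

' ... queries go here; use a low-privilege account/saved queries where possible ...

conn.Close
Set conn = Nothing
%>
```

With this arrangement a leaked page reveals neither the path of the database nor its password; an attacker would also have to compromise the ODBC configuration or the protected file that global.asa reads.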