SoFunction
Updated on 2025-04-13

Recommended basic rules for ASP programming beginners


4. Several ways to prevent an Access database from being downloaded
Many dynamic sites rely heavily on databases, so the database has naturally become the core file of a site. Once the database is downloaded illegally, it is very likely that the website will be damaged by malicious people or have its information stolen.

The methods below apply, respectively, to users of virtual host space and to users who have IIS control.

1: For users who have purchased virtual host space and do not have IIS control rights
1: Use your imagination to modify the database file name
This is the most basic measure. I don't think many people are still too lazy to change the database file name, right? What to change it to is up to you; at the very least, make sure the file name is complex and cannot be guessed. Of course, directory browsing must not be enabled on the directory where your database is located!

2: Change the database file extension to ASA, ASP, etc.
This is said to be very popular, but I have tested it many times and found the results less than ideal. If you really want to prevent downloading, you also need to add some binary fields and other settings. In short, it is complicated (if you have a lot of databases, this method is really not a good one).

3: Add "#" before the database name
Just add # as a prefix to the database file name, and then modify the database address in the database connection file (such as). The principle is that when downloading, the client only recognizes the part of the name before the # sign and automatically drops everything after it. For example, you want to download: /date/# (assuming that there is). Whether you use IE or FlashGet, what gets downloaded is /date/

In addition, keeping some spaces in the database file name plays a similar role. Because of the way the HTTP protocol handles addresses, spaces are encoded as "%20", so an address such as /date/123 is requested as /date/123% when downloaded. Our directory contains no file named 123%, so the download fails. Even if the database address is exposed, others generally cannot download it. It is best to use "#" and spaces together, such as /date/#123

4: Encrypt the database
After opening your database exclusively in Access, set the database password under Tools - Security, and then modify the database connection page to match, for example:
"driver={microsoft access driver (*.mdb)};uid=admin;pwd=database password;dbq=database path"
After this change, even if the database is downloaded, others will not be able to open it (provided that the password in your database connection page has not been leaked).
Note, however, that because the encryption mechanism of the Access database is relatively simple, decryption is easy even if a password is set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key and stores it in the *.mdb file starting at address "&H42". A competent programmer can therefore easily write a small program of a few dozen lines that obtains the password of any Access database. So once the database has been downloaded, its security remains uncertain.


2: For users who have host control (of course, the settings for virtual space above can still be used here)
5: Place the database outside the web directory
If your web directory is e:\webroot, you can put the database in the e:\data folder and, in the database connection page in e:\webroot, change the database connection address to the form "../data/#123". The database can then be called normally but cannot be downloaded, because it is not in the web directory! This method is generally suitable for users who purchase virtual spaces.
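
An audit check for method 5, as an added example that is not part of the original article: it walks a web root and flags every file whose header carries the Jet/ACE signature, so databases renamed as in methods 1 to 3 are still found. The directory layout and file names in the sample are constructed for the demonstration.

```python
import os
import tempfile

# Jet (.mdb) and ACE (.accdb) files begin with 00 01 00 00 plus an ASCII format name.
JET_MAGIC = (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB")


def is_access_database(path):
    """True if the file header carries the Jet/ACE signature, whatever its name."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(19)  # 4 prefix bytes + 15-byte format name
    except OSError:
        return False  # unreadable files are skipped
    return header.startswith(JET_MAGIC)


def find_databases_in_webroot(webroot):
    """Return sorted webroot-relative paths of every Access file under webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_access_database(full):
                hits.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site(base):
    """Constructed sample: a web root with renamed databases and a data dir outside it."""
    webroot = os.path.join(base, "webroot")
    os.makedirs(os.path.join(webroot, "date"))
    os.makedirs(os.path.join(base, "data"))
    fake_db = JET_MAGIC[0] + b"\x00" * 64  # signature only, not a real database
    samples = {
        "webroot/date/#123 456.asa": fake_db,  # methods 2 and 3: renamed, still Jet
        "webroot/date/x9k2q.mdb": fake_db,     # method 1: hard-to-guess name
        "webroot/index.asp": b"<% Response.Write \"ok\" %>",
        "data/site.mdb": fake_db,              # method 5: outside the web root
    }
    for rel, content in samples.items():
        with open(os.path.join(base, *rel.split("/")), "wb") as fh:
            fh.write(content)
    return webroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for hit in find_databases_in_webroot(build_sample_site(base)):
            print("database inside web root:", hit)
```

An empty result for the real web root means no Access file is reachable by path, which is the state method 5 aims for.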

6: Use an ODBC data source
In ASP and similar programming, use an ODBC data source where conditions allow, and do not write the database name in the program. Otherwise, the database name is disclosed whenever the ASP source code is leaked.
For example:
"driver={Microsoft Access Driver (*.mdb)};dbq="&("../123/abc/")
As you can see, no matter how strange the database name is or how deeply the directory is hidden, the database is easy to download once the ASP source code has been leaked.
If you use an ODBC data source, this problem does not arise: "ODBC-DSN name". However, this is quite a hassle: if the directory is moved, you have to set up the data source again!

7: Add an extension mapping for database file extensions such as MDB
This method works by modifying the IIS settings. It is suitable for those with IIS control and is not suitable for users of purchased virtual hosts (unless the administrator has already set it up). I think this method is the best at present. You only need to change one place, and every database on the site is protected from being downloaded. No code changes are needed, and downloading is prevented even if the target address is exposed.

Setup:
In IIS Properties ---Home Directory ---Configuration ---Mappings ---Application Extensions, add an application mapping for .mdb files. Note that the DLL (or EXE, etc.) selected here does not seem to be arbitrary. If the selection is inappropriate, the MDB file can still be downloaded. Be careful not to choose the selection, etc. You can test it yourself.
After this change, an attempt to download the database, such as /data/., returns an error (404 or 500 or other errors).

8: The advantages of using .NET
Muniao from Dongwang wrote a "WBAL Anti-theft Chain Tool" to prevent illegal downloading of files. I remember that an expert in this forum also published a database anti-download plug-in, which is loaded into IIS as a .dll.
However, that only prevents non-local downloads and does not truly prevent the database from being downloaded. But this method is similar to the fifth type.
By modifying the .NET file, it cannot be downloaded locally either!

Among these methods, only the 7th and 8th are site-wide: after modifying the configuration once, the databases of the entire site are protected from being downloaded. The others require changing the database name and the connection file for each database, which is more troublesome, but for users of virtual hosts, this is the only way!

In fact, the 6th method should be an extension of the 5th method, which can implement special functions. However, for hosts that do not support .NET, or if you want to avoid the trouble of setting it up, you should use the 5th method directly. Moreover, by default, with the 6th method the link can still be copied to a forum or message book published on the same host and then clicked to download (because such a referring page is on the same host).

These methods each have their own strengths and weaknesses, so please use them selectively. None of them is absolutely safe. Webmasters also need to pay attention to the security of the system and to the security of the ASP code itself; otherwise the database may still be downloaded or modified by others!