The database is the foundation of a website's operation and an essential element of its existence. Individual and business users alike depend heavily on the support of the website database, but many attackers with ulterior motives also "value" the website database highly.
For a personal website, constrained by the conditions of its hosting, the Access database has become the first choice of most personal webmasters. However, the Access database itself carries many security risks: once an attacker finds the storage path and file name of the database file, the Access database file with the ".mdb" suffix can be downloaded, and much of the important information on the site is swept away with it, which is a serious matter. Of course, various measures have been adopted to strengthen the security of Access database files, but are they really effective?
The most widely used way of protecting an Access database file is to change its file name suffix from ".mdb" to ".asp" and then update the database address in the database connection file (such as CONN.ASP), so that even if someone knows the database file name and storage location, they cannot download it. This is the most popular method on the Internet for strengthening the security of an Access database, and it is said to have a "strong theoretical foundation".
The reasoning is that a ".mdb" file is not processed by the IIS server but is output directly to the Web browser, whereas a ".asp" file is processed by the IIS server, so the Web browser shows the result of that processing, not the contents of the ASP file.
However, one important question has been overlooked: what exactly does the IIS server process in an ASP file? Here, I remind you that only the content between the "<%" and "%>" markers in an ASP file is processed by the IIS server, while everything else is output directly to the user's Web browser. Does your database file contain these special markers? Even if it does, Access may handle these special markers in the file in a way that renders them invalid. Therefore, a database file with the suffix ".asp" is equally insecure and can still be maliciously downloaded.
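An added example (not from the original article): a Python audit a site owner can run over their own web root to find Access databases by content rather than by extension, since the rename leaves the file's bytes unchanged. It relies on the Jet/ACE file signature; the extension set, directory layout and stub file are constructed for the demonstration.

```python
import os
import tempfile

# Jet/ACE files start with 00 01 00 00 followed by one of these ASCII names.
JET_MAGIC = (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB")
SCRIPT_EXTS = {".asp", ".asa", ".aspx"}  # assumed set of script-mapped extensions


def is_access_db(path):
    """True if the file content starts with an Access (Jet/ACE) header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(19)  # 4 signature bytes + 15-character name
    except OSError:
        return False
    return head.startswith(JET_MAGIC)


def audit_webroot(root):
    """Return sorted (relative_path, disguised) for every Access DB under root.

    disguised is True when the database carries a script extension, i.e. the
    rename described above was applied to it.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_access_db(full):
                ext = os.path.splitext(name)[1].lower()
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, ext in SCRIPT_EXTS))
    return sorted(findings)


def demo():
    """Build a constructed web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        stub = JET_MAGIC[0] + b"\x00" * 64  # constructed stub, not a real database
        os.mkdir(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "cpcw.asp"), "wb") as fh:
            fh.write(stub)  # database renamed to .asp
        with open(os.path.join(root, "conn.asp"), "wb") as fh:
            fh.write(b'<% Set conn = Server.CreateObject("ADODB.Connection") %>')
        return audit_webroot(root)


if __name__ == "__main__":
    for rel, disguised in demo():
        print(rel, "renamed database" if disguised else "database")
```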
Faced with this "theory" and the weight of popular opinion, the author also went along with it and began to believe that the method was effective. But facts speak louder than words: an unintentional experiment let the author thoroughly expose the rumor.
The author first renamed a database file named cpcw.mdb to cpcw.asp and uploaded it to the web server. The author then ran FlashGet, opened the "add new download task" dialog box, entered the storage path of the cpcw.asp file in the URL field, and entered cpcw.mdb in the rename field. After downloading, the author found that "cpcw.mdb" can be successfully opened