With the development of the Internet, web technology is changing with each passing day. Following the Common Gateway Interface (CGI), ASP (Active Server Pages) is a typical server-side web design technology and is widely used in various Internet applications such as online banking, e-commerce, and search engines. At the same time, the Access database, a desktop database system launched by Microsoft with the standard JET engine, has a large user base due to its simple operation and friendly interface. As a result, ASP+Access has become the preferred solution for many small and medium-sized online application systems. But while ASP+Access solutions bring convenience, they also bring security issues that cannot be ignored.
Security hazards of ASP+Access
The main security hazards of ASP+Access solutions come from the security of the Access database, followed by security vulnerabilities introduced in the ASP web design process.
1. Storage risks of Access database
In an ASP+Access application system, if the storage path and file name of the Access database are obtained or guessed, the database can be downloaded to a local machine. For example, the Access database of an online bookstore is commonly named book.mdb, store.mdb, etc., and is commonly stored under URL/database or simply placed in the root directory (URL/). In that case, typing the address URL/database/store.mdb into the browser address bar is enough to download store.mdb to the local machine.
2. Hidden dangers of Access database decryption
Since the encryption mechanism of the Access database is very simple, decryption is easy even if the database has a password set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key and stores it in the area starting at address &H42 in the *.mdb file. Because XORing a value twice with the same key restores the original value, the password of the Access database can be recovered by XORing the encrypted string in the *.mdb file with this key a second time. Based on this principle, decryption programs are easy to write.
It can be seen that whether or not a database password is set, once the database has been downloaded its contents have no protection at all.
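Because the only real control is keeping the .mdb file from being served, a defender can check the web server log for requests that reached one. The following is an added example, not part of the original article: it assumes IIS W3C extended log format with a `#Fields:` header, and the log lines are constructed sample data.

```python
# Added example: sample log lines below are constructed, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2004-03-01 10:15:02 192.0.2.10 GET /default.asp - 200 5120
2004-03-01 10:15:40 192.0.2.77 GET /database/store.mdb - 200 1048576
2004-03-01 10:15:44 192.0.2.77 GET /database/book.mdb - 404 312
2004-03-01 10:16:01 192.0.2.77 GET /Database/STORE.MDB - 206 65536
2004-03-01 10:17:30 192.0.2.10 GET /login.asp x=1 200 2048
"""

SERVED = {"200", "206"}  # full or partial content was returned


def find_mdb_requests(log_text):
    """Split requests for *.mdb into (served, probed) lists of field dicts."""
    fields, served, probed = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        # IIS serves paths case-insensitively, so compare in lower case
        if not row.get("cs-uri-stem", "").lower().endswith(".mdb"):
            continue
        (served if row.get("sc-status") in SERVED else probed).append(row)
    return served, probed


if __name__ == "__main__":
    served, probed = find_mdb_requests(SAMPLE_LOG)
    for r in served:
        print("SERVED", r["c-ip"], r["cs-uri-stem"], r["sc-bytes"], "bytes")
    for r in probed:
        print("PROBE ", r["c-ip"], r["cs-uri-stem"], "status", r["sc-status"])
```

Any row in the served list means the database left the server and should be treated as disclosed, password or not; rows in the probed list show name guessing against the site.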
3. Security risks of source code
Since ASP programs are written in a non-compiled language, the security of the program source code is greatly reduced. Anyone who gets into the site can obtain the source code, resulting in the leakage of the source code of the ASP application.
4. Safety hazards in programming
ASP code uses forms to interact with users, and the corresponding content is reflected in the browser's address bar. If appropriate security measures are not adopted, anyone who writes down this content can bypass verification and go directly to a given page. For example, in the browser, you can directly enter the page that meets the x=1 condition without going through the form page. Therefore, special measures must be taken to avoid such problems when designing verification or registration pages.
Improving database security
Since the Access database encryption mechanism is too simple, effectively preventing the Access database from being downloaded is the top priority for improving the security of ASP+Access solutions.
1. Unconventional nomenclature
An easy way to prevent a database from being found is to give the Access database file a complex and unconventional name and store it in a multi-layer directory. For example, for online bookstore database files, do not simply name them book.mdb or store.mdb, but give them an unconventional name, for example faq19jhsvzbal.mdb, and then put it in a deep directory such as ./akkjj16t/kjhgb661/acd/avccx55. This effectively prevents illegal access methods that obtain the Access database file name by guessing.
2. Use ODBC data source
In ASP programming, you should use ODBC data sources wherever possible and not write the database name directly in the program. Otherwise, the database name is disclosed together with the ASP source code. For example:
    DBPath = Server.MapPath("./akkjj16t/kjhgb661/acd/avccx55/faq19jhsvzbal.mdb")
    conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
It can be seen that no matter how odd the database name is or how deep the hidden directory is, the database can easily be downloaded once the ASP source code has leaked. If you use an ODBC data source, there is no such problem:
    conn.Open "ODBC-DSN name"
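To find pages that still embed the database location, the ASP source can be audited for literal .mdb paths. The following is an added example, not code from the original article: the page names, the DSN name `bookstore_dsn` and the `D:\data\store.mdb` path are constructed, and the two severity labels are this example's own. A path passed to Server.MapPath is a virtual path, so the file sits inside the site's content tree.

```python
import re

# Constructed sample pages (assumption: not from the original article).
SAMPLE_PAGES = {
    "conn_path.asp": '''<%
DBPath = Server.MapPath("./akkjj16t/kjhgb661/acd/avccx55/faq19jhsvzbal.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
%>''',
    "conn_abs.asp": '''<%
' old: conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=D:\\data\\store.mdb"
conn.Open "bookstore_dsn"
%>''',
    "conn_dsn.asp": '<% conn.Open "bookstore_dsn" %>',
}

# Literal .mdb path handed to Server.MapPath: file lives under the web root.
MAPPATH_RE = re.compile(r'Server\.MapPath\(\s*"([^"]+\.mdb)"\s*\)', re.I)
# Literal .mdb path written straight into a connection string.
DBQ_RE = re.compile(r'dbq=([^";]+\.mdb)', re.I)


def audit_asp(pages):
    """Return (file, line_no, kind, path) for each hardcoded .mdb reference.

    Commented-out lines are scanned too: a leaked source file discloses
    the path whether or not the statement still runs.
    """
    findings = []
    for name in sorted(pages):
        for no, line in enumerate(pages[name].splitlines(), 1):
            for m in MAPPATH_RE.finditer(line):
                findings.append((name, no, "under-web-root", m.group(1)))
            for m in DBQ_RE.finditer(line):
                findings.append((name, no, "path-in-source", m.group(1)))
    return findings


if __name__ == "__main__":
    for name, no, kind, path in audit_asp(SAMPLE_PAGES):
        print(f"{name}:{no}: {kind}: {path}")
```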
Encrypting ASP pages
To effectively prevent ASP source code leakage, ASP pages can be encrypted. There are generally two ways to encrypt ASP pages. One is to use component technology to encapsulate programming logic into a DLL; the other is to use Microsoft's Script Encoder to encrypt ASP pages. The author believes that the main problem with using component technology is that each piece of code needs to be componentized, which is more cumbersome and has a large workload; while using Script Encoder to encrypt ASP pages is simple to operate and has good results.
The Script Encoder method has many advantages:
1. HTML is still very editable. Script Encoder only encrypts ASP code embedded in HTML pages, and other parts remain unchanged, which allows us to still use common web editing tools such as FrontPage or Dreamweaver to modify and improve the HTML part. However, the ASP encrypted part cannot be modified, otherwise the file will be invalid.
2. Simple operation. Just master a few command line parameters. The running program of Script Encoder is screnc.exe, which is used as follows:
    screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] inputfile outputfile