ASP+ACCESS Pharmaceutical Company Website Construction Graduation Project (source code + thesis + defense PPT)
Document preview from the archive:
ID: 438616
Type: shared resource
Size: 1010.89KB
Format: RAR
Uploaded: 2015-06-03
Uploader: 小*** (personal real-name verification: 林**; location: Fujian)
Keywords: asp, access, pharmaceutical company, website, construction, graduation project, source code, thesis, defense, ppt

Summary:
Foreign-language literature translation (English original attached)

Databases in Dreamweaver MX

Macromedia Dreamweaver MX is an exciting release because it brings the ability to create dynamic web applications to a large audience.
More people than ever before now have the tools they need to quickly and easily connect their web sites to databases and do everything from collecting e-mail addresses to opening fully functional storefronts.

With that power comes quite a bit of responsibility, however, both to yourself, your clients, and the users of your site. You have a responsibility to create a secure application, which for our purposes means protecting the data that you collect and store so that it doesn't fall into unauthorized hands.

Creating a secure application is not an especially difficult task, but it does mean paying some attention to what you are doing. Some steps that you can take during the development and deployment of your site will go a long way toward protecting your data. They involve not only Dreamweaver MX itself but the database program that you use.

Indexed Sequential Access Method (ISAM) databases include the popular file-based databases like Microsoft Access, FileMaker, and FoxPro. They are typically self-contained and can be accessed through a driver; they don't need a server application to run them. They are often created locally and then uploaded to a web server, where a connection is made through a Data Source Name (DSN), a hard-coded connection path (a DSN-less connection), or a server-specific method like Server.MapPath in ASP. ISAM databases are inexpensive and easy to use. They are also easy to compromise if you don't follow a few simple steps to protect them.

First, take care where you store the database file. If at all possible, store the database file in a folder that is above the root of your website on the server. For instance, if the physical path to your website on the web server is c:\websites\mywebsite, then the root folder mywebsite and all the folders underneath it are accessible from a browser.
This means that if you store your database file in the folder c:\websites\mywebsite\database, someone who knew or guessed the name of your file could download it from your site by simply browsing to /database/filename.mdb. Because the server would have no associated program with which to run an MDB file, it would allow the user to download the file.

Second, you can avoid the possibility of a user downloading your database by performing a simple operation that takes advantage of a bug in Windows NT and Windows 2000 Server. Encrypt the database in Access and rename its extension from .mdb to .asp. Then use the .asp filename in a DSN-less connection. Because the database is encrypted and named with the .asp extension, the ASP server will try to process it as ASP, fail, and throw an ASP tag error if a user tries to download the file. Treat this as a fallback only: it relies on the server's handler mapping for .asp rather than on any access control, and moving the file out of the web root is the step that actually removes the exposure.

Finally, assign your database a username and password. Microsoft Access, for instance, comes with the default username Admin. Until a password is assigned for the Admin user, none is required, so whenever the database file is accessed, the program assumes that it is to log in the Admin user with a blank password. If someone is able to find and download your database file, there will be nothing stopping that person from opening it and examining your data. Keep in mind that an Access database password is weak protection; tools that recover it are widely available, so it buys time rather than real confidentiality.

Securing database servers

Database servers are full-featured data store applications like Microsoft SQL Server and Oracle. (I won't get into middle-ground applications like MySQL, but some of the same concepts apply.) There are three things you need to take into consideration when securing applications that run on databases that are accessible to the Internet: physical security, virtual security, and internal security.

There are several aspects to the physical security of your database. They range from how your computers themselves are protected to how your network is set up.
How much control you have over these issues varies depending on whether you run your own data center or purchase a hosted solution. Regardless of your situation, you should make sure that the environment you construct or the solution you purchase meets the security level necessary for your project, or else make other arrangements.

The physical security of your database involves several facets. First is the location of the computers that host your data. There are several points to remember when choosing where to set up your data center:

The area should be separated from general office traffic. Ideally, you will be able to lock the room or area to keep out nosy visitors.

The machines should be raised off the floor. You can, of course, purchase expensive raised flooring, but a good set of shelves can accomplish the same thing. Either way, you want the computers a few inches off the floor so that minor water intrusion does not short them out.

The area should be well ventilated and cooled. CPUs and hard drives need good circulation to help keep them cool. Placing exhaust ports up against the wall, or using an area that does not have sufficient air conditioning, is asking for trouble.

Allow room for power protection. In addition to power-loss protection, good power protection units also condition the power coming in to remove spikes that can damage electronic equipment and take your data offline. Remember that most professional units require a 30-Amp circuit and twist-lock receptacles, so make sure you are able to provide that power to the server area.

Fire is an important hazard to consider and can be an expensive one to plan for in a data center environment. Typical fire suppression systems use water. Because water is bad for electronics, data centers often utilize a foam system that puts out fires without soaking the computers. If you cannot afford this kind of system, make sure you do a good job maintaining backups.
In addition to the location of your servers, make sure that you do not invite prying eyes by leaving the computers logged in or leaving Enterprise Manager running with a table of sensitive data open. Many security procedures are geared toward keeping honest people honest. Don't discount the need to take these simple security steps when your office is subject to visitors or employees who have no need to access database information.

Securing the network

Although there are a number of steps that you can take to augment the security of your network, there are two general topics that bear discussion here. This is not a network topology article and I can't provide near the level of detail that you will need to implement these tools successfully, but a brief description may send you in the right direction. (There are numerous resources available to help you with the details, too.) The two network tools that you might find useful are proxies and firewalls.

You should know that although a firewall and a proxy may perform similar tasks, they are by no means the same thing. The main purpose of a proxy server is to serve as a gateway from a private network to a public network and to offer some caching capability to a number of client machines accessing the Internet through it. A firewall provides a detailed method of separating and protecting private networks, public networks, DMZs (demilitarized zones), and remote access to private networks. That said, a proxy server can offer some limited protection to your online SQL Server.

Using proxy servers

Like Microsoft's Proxy Server, proxy servers provide a level of translation between a private and a public network. For instance, you might construct a private network at your office by assigning non-routable IP addresses to all client machines (say, anything between and 55). This network is private because that IP range, as well as a couple of others, has been deemed non-routable by the people who deem such things.
Those addresses are safe to be used by any network of computers without fear of conflicting with other hosts on the Internet and without fear that those addresses can be accessed from the Internet.

When a private network wants to access a public network, like the Internet, without making the client computers visible to the outside world, a proxy server can be used. The proxy server (usually through a piece of software on the client that manages the connection) takes requests from the private network computers and delivers them to the Internet in their place, acting as a proxy. When the responses come back, the proxy server receives them and dispatches them to the correct client computer. In this way, all of your client computers can access the Internet over your T1 connection without being exposed themselves. The proxy does this by using two network interfaces: one with a private network IP address and one with a public network IP address.

This address translation service can also be used to expose certain parts of a private network to the Internet through the proxy interface. In the case of SQL Server, access to the SQL service itself can be exposed through Proxy Server. All requests to SQL Server come through port 1433 by default. So if you can expose just port 1433 of a SQL Server, then legitimate activity can proceed without exposing the computer itself to the Internet. Microsoft provides a way to do just that. You can set your SQL Server up behind Proxy Server by following these steps:

1. Install Proxy Server and get it up and running on the private and public networks.

2. Install the Proxy Client software on your SQL server, which has only a private network IP address.

3. Create a file called wspcfg.ini (which stands for Winsock PC configuration) on the SQL server.
This is just a text file with the following lines in it:

    [sqlservr]
    ServerBindTCPPorts = 1433
    Persistent = 1
    KillOldSession = 1

4. Save this file to the Bin directory under the main SQL Server directory on your server.

5. With Proxy Server running, reboot your SQL server.

This configuration file runs each time the SQL Server service is started. If it locates the proxy server that is identified in its client installation, port 1433 is bound to it. Any requests coming to port 1433 at the public network IP address of the proxy server are treated as though they were requests directly to the SQL server. This exposes SQL Server's functionality without exposing the computer itself. Bear in mind that port 1433 is the SQL Server service: publishing it puts the database engine, its logins and the SA password within reach of every host on the Internet, so pair this with the login hardening described below and, wherever possible, limit which source addresses may reach the published port.

Installing firewalls

To truly protect a network from the dangers of the Internet, you should consider installing a sophisticated firewall solution. Some are software-based and some are hardware-based, meaning really that they have a dedicated piece of hardware running a software solution. You can also arrange for a managed solution that usually includes hardware, software, monitoring, and maintenance for a monthly fee.

Firewalls provide a much more granular level of control over the addresses and ports of your network and how they are made available to the Internet. Basically, a firewall divides your network into three zones: a private zone that is not visible to the Internet, a public zone that is visible to the Internet, and a DMZ (a semi-trusted zone) that sits between the two. The computers in the DMZ are reachable from both the private network and the public network, but traffic is not forwarded between the zones except where a rule specifically allows it.

Firewalls are so named because of their similarity to the brick-and-mortar structures that are also called firewalls. A firewall in a commercial building provides a barrier to slow down a fire so that it is more readily contained within a controllable area. Firewalls are rated based on how long a fire will take to burn through and encroach on the adjoining area.
For example, a two-hour firewall is designed to withstand a fire for two hours, allowing time for action to be taken and the fire put out.

Network firewalls serve much the same purpose. They are designed to slow an attack and alert people that there is a problem, allowing them time to handle the problem before the adjoining network areas are compromised. No solution is perfect, and even the best firewall solutions need careful planning, observation, and maintenance to protect your data. There is often a careful balance to be achieved between the access that you need and the danger you are trying to avoid.

Nonetheless, firewalls do present one of the core opportunities that we have to protect stored data. A SQL server is vulnerable to attack from several angles: by taking control of the server itself or by obtaining passwords to its security accounts. SQL servers can often be compromised as a result of an attack on a web server or an e-commerce application. The protection of your data relies on your ability to protect your entire network from intrusion. Think of your network as one unit and you will have better luck protecting it. Firewalls provide an important step in that direction.

The term virtual security refers, in this context, to security that is inherent to your database, rather than your application. It is the functionality provided by SQL Server that grants and denies access to databases, tables, and other components. Virtual security is handled using logins and roles.

Using logins

SQL Server has two modes by which it allows authentication: Windows NT and Mixed Mode. In Windows NT mode, SQL Server assumes that any connection that has made it to the SQL server has already been validated by the operating system against a domain account. Mixed Mode allows connections using either a Windows account or a SQL Server security account. Login accounts, which provide access to SQL Server, can be set up to validate either way.
I will focus on the SQL Server authentication method (or Mixed Mode) because that's what is likely to be used in a hosted environment.

The first thing to concern yourself with when setting up your SQL Server logins is the system administrator (SA) account. Like Access, SQL Server comes with an administrator account that has no associated password. The SA account has full rights to everything in the database. If you leave it with no password, anyone using Enterprise Manager can connect to your database and log in with full privileges. Now this might sound like a silly thing to warn you about, but a recent study discovered a surprising number of SQL Server databases exposed to the Internet with no SA password. The first thing you should do to provide security to a new SQL Server installation is place a password on the SA account that only you know.

The topic of logins is a broad subject. You can set up logins to allow access to your database by many people with a wide range of responsibilities. By granting permissions to certain databases and to only certain activities within those databases, you can allow people to create tables, perform backups, administer certain databases, or have only public access. They can see only what you have allowed them to see, which could also be nothing at all.

At this point, your goal is to create a login that is separate from the SA (or other administrator) login that you use to create and interact with your databases. This login will be used in the connection string that allows your website to pull data from the database and will restrict the user to only certain controlled activities.

In Enterprise Manager, locate and expand the Security folder. Within this folder, you will see a section called Logins. This section manages logins for the entire server.
A particular login can be given rights to numerous databases, so think of security from a server level at this point, not from that of a particular database.

1. Right-click on Logins and choose New Login.

2. In the New Login dialog box, choose a name for this login.

3. Select the SQL Server Authentication option and enter a password for this login.

4. Choose the database that you are working on as the default database for this login. This database is chosen by default when the login tries to access the server. If no other database is specified, this is the database that will be connected to. You may have seen this happen when setting up a DSN on a web server. If the login has permissions for databases other than the default, you may also select one of those at the time of connection.

5. You may assign this login to a server role in the Server Roles tab, but for now click the Database Access tab. This tab lists all the databases in the server and allows you to check which ones the login has access to.

6. Click the box next to the database that you are creating this login to be used with. If you select a default database but don't provide access to that database in the Database Access tab, you will get a message when saving that says the user cannot access this default database.

7. Click OK. Once you verify the password, the login is created.

You can click the Logins option in Enterprise Manager to see all of the logins and select one for maintenance should you need to make changes in the future. This is enough for your purposes at this point. You can now supply this login with permissions to individual components of your database, like stored procedures. When you connect to the database in Dreamweaver, you will be able to interact with those components to create recordsets and commands.
Logins can also be managed in groups called roles, which help to define the permissions that you want specific groups of users to have.

Assigning roles

You can certainly provide access to your users through the use of individual logins, which you then painstakingly customize to grant permissions to the many components of your database. But an easier way is to define roles to which you can add logins. Roles are simply groups of logins that have common permissions. You might have a Backup Operator role that allows members to back up a database, or a Data Reader role that allows data to be read by its members but not inserted, updated, or deleted. Roles can be created at the server level under the Security folder in Enterprise Manager, or at the database level under each database.

Roles are really a SQL Server administration topic; they are beyond the scope of this article. They are not difficult to use, however, and a little investigation will take you a long way. Basically, you right-click on Roles under a particular database and select New Database Role to create a new role. Name the role and click the Permissions tab. You will be presented with all of the objects in the database, from which you can select those that this role should have access to and what kind of access should be granted. Once that is complete, use the Add button to add existing logins to the role. All of those logins now have the permissions defined for that role and any others of which they are members.

In contrast to physical and virtual security, internal security refers to the steps that you take within the actual code of your application. This includes the way in which you connect to the database and the accounts that you use in your connection. Here are some pointers to keep in mind as you develop.

Use stored procedures for all your data access. This allows you to deny direct table access for your application's user.
You can create your database components, views, and stored procedures using your regular SQL Server account. But do not use that account login in your connection string. Instead, use a login that you have established specifically for your application. Make sure this login can execute the stored procedures that are part of the application and nothing else. This login will not be able to query tables directly or add or update any data outside the confines of the stored procedures you have constructed and the specific parameters they expect to see. Even if your web application is compromised and login information is obtained, hackers will not be able to perform any operation on the database other than those they could perform using the application itself.

To do this, open a stored procedure that you have created and click the Permissions button in the upper-right corner of the window. You will be presented with a list of all the logins that have been given permission to access the database in which you are working. The Select, Insert, Update, and Delete columns will appear, but because these do not apply to stored procedures there are no boxes for you to check. Locate the Execute column and check the box next to the login that you will be using in your site's connection string.

Securing your database is an excellent first step to protecting your data. It can either be reinforced or totally nullified depending on the way in which you construct your application in Dreamweaver MX.

Dreamweaver MX authentication

Authentication is an important part of most data-driven websites. Whether users take orders or upload content, you will want to know who is signed in so that you can control the parts of the system that they have access to and track the changes they make. Typically, authentication is performed by a login script where a visitor provides a username and password, which is then checked against a database.
How you collect that user information and pass it to your database needs attention in Dreamweaver. The default login scripts simply collect the field data from a username and password field and use them to build a SQL query. (The rest of this passage survives on this page only in the Chinese translation; it is rendered back into English here.) That approach is easy to understand and leaves your application plenty of flexibility, but as written it is not safe. How the query is built, and how an anonymous user can get logged in, are things a working authentication system has to account for. Some people have suggested that Macromedia should make these behaviors more secure by default, but that is unnecessary and would only add bulk; you can correct the problem yourself, dynamically, and keep control of how your data is handled. When a server behavior is being initialized, you can inspect both its default values and its run-time values, which lets the server test the SQL statement and catch any data it does not support.

Two points to remember here. First, do not supply default values for the validation fields. Real validation is easier without them, and a user should not get in by simply submitting blank fields. Second, think carefully about the run-time values you use. For example, to deal with the anonymous-user problem you can use simple HTML encoding: instead of Request("username"), use HTMLEncode(Request("username")). HTML encoding turns the characters an anonymous user could use (such as . = <) into their HTML form. Below are characters your users must not be permitted in user names and passwords, though these are only some of them. Bear in mind what HTML encoding does and does not cover: it deals with HTML markup, not SQL syntax, and in classic ASP Server.HTMLEncode leaves the single quote untouched, which is the character an attacker uses to break out of a quoted SQL literal. Encoding is therefore no substitute for passing the values as parameters to a stored procedure, as described under internal security above.

One of the best things about Dreamweaver MX is that it lets you browse your data sources and build tables from inside Dreamweaver MX, which it does through a set of server script files. These files are not part of your development files, but they need to be deleted when you finish your site. They live in a folder called mmserverscripts under your site root, and that folder holds three files. We do not give details here, to avoid handing them to attackers. Reading an article like this one will point you to useful resources and can give your data adequate protection.
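As an added example (not part of the original article and not Dreamweaver's own login script), the script below carries the Enterprise Manager steps from the logins, roles and stored-procedure permission sections through as T-SQL, and then shows why the concatenated query that a default login script builds is unsafe while the stored-procedure call with the same inputs is not. The database PharmaWeb (assumed to already exist), the login web_app, the role app_exec, the dbo.Users table and the procedure dbo.usp_CheckLogin are all names chosen for this example. The syntax is SQL Server 2012 or later (older servers need sp_addrolemember and separate DECLARE and SET statements); the article itself describes Enterprise Manager for SQL Server 2000, where the same settings are made through the dialogs above.

```sql
-- Added example: the Enterprise Manager steps as T-SQL, plus the login query
-- done two ways. All names are assumptions; PharmaWeb must already exist.
USE master;
GO
CREATE LOGIN web_app
    WITH PASSWORD = N'Replace-With-A-Long-Random-Secret-1',  -- never the sa password
         DEFAULT_DATABASE = PharmaWeb,
         CHECK_POLICY = ON;
GO
USE PharmaWeb;
GO
-- Constructed sample table. A real schema stores a salted hash, never the password.
CREATE TABLE dbo.Users (
    UserId   INT IDENTITY PRIMARY KEY,
    Username NVARCHAR(64) NOT NULL UNIQUE,
    Password NVARCHAR(64) NOT NULL
);
INSERT INTO dbo.Users (Username, Password) VALUES (N'alice', N'correct-horse');
GO
-- Step 6 of the New Login dialog: give the login access to this database.
CREATE USER web_app FOR LOGIN web_app;
-- A database role carries the permissions; the application user is only a member.
CREATE ROLE app_exec;
ALTER ROLE app_exec ADD MEMBER web_app;
GO
-- The one thing the web site may do: check a username/password pair.
-- @Username and @Password are bound as values; nothing in them can change
-- the shape of the SELECT.
CREATE PROCEDURE dbo.usp_CheckLogin
    @Username NVARCHAR(64),
    @Password NVARCHAR(64)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserId
    FROM dbo.Users
    WHERE Username = @Username AND Password = @Password;
END
GO
-- EXECUTE on the procedure only (the Execute column in the Permissions dialog).
-- Procedure and table share the owner dbo, so ownership chaining lets the
-- procedure read dbo.Users although app_exec holds no SELECT on the table.
GRANT EXECUTE ON dbo.usp_CheckLogin TO app_exec;
-- Explicit DENY: an ad-hoc query over the web_app connection fails even if
-- someone later adds the user to db_datareader by mistake.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Users TO app_exec;
GO

-- Verify from the application's point of view.
EXECUTE AS LOGIN = N'web_app';
GO
EXEC dbo.usp_CheckLogin @Username = N'alice', @Password = N'correct-horse';  -- one row, UserId 1
GO
SELECT * FROM dbo.Users;  -- Msg 229: The SELECT permission was denied on the object 'Users'
GO
REVERT;
GO

-- What a default login script does instead: it pastes the two form fields into
-- the SQL text. With the username  alice' OR 1=1 --  the WHERE clause is true
-- for every row and the password test is commented out. Run here as the
-- administrator to show the result; over the web_app connection the same
-- statement is refused with Msg 229.
DECLARE @user NVARCHAR(64) = N'alice'' OR 1=1 --';   -- attacker-controlled form field
DECLARE @pass NVARCHAR(64) = N'wrong';
DECLARE @unsafe NVARCHAR(MAX) =
      N'SELECT UserId FROM dbo.Users WHERE Username = ''' + @user
    + N''' AND Password = ''' + @pass + N'''';
PRINT @unsafe;
-- SELECT UserId FROM dbo.Users WHERE Username = 'alice' OR 1=1 --' AND Password = 'wrong'
EXEC (@unsafe);   -- returns UserId 1 with a wrong password: the attacker is "logged in"

-- The same two fields through the procedure: no row, because the values are
-- compared, not parsed.
EXEC dbo.usp_CheckLogin @Username = @user, @Password = @pass;
GO
```

Run it from a sysadmin connection in Management Studio or sqlcmd. The two statements under EXECUTE AS are the check: the procedure call returns a row and the direct SELECT fails with Msg 229. The injected input is defeated twice over, once because the procedure compares it as a value, and once because the web_app login was never granted SELECT on the table, so even the concatenated query cannot read it from the application's connection.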
All resources on 人人文库网 are uploaded and shared by users, for study and exchange only; do not put them to any other use without the uploader's written authorization.