|
Intranet Security Settings are:-
ActiveX controls and plug-ins : All Enabled
Cookies : All Enabled
Downloads : All Enabled
Java Permissions : Medium Security
Miscellaneous
Access data sources across domains : Prompt
Dont promp for client certificate... : Enable
Drag and drop or copy and paste files : Enable
Installations of desktop items : Prompt
Launching programs and files in an IFRAME : Prompt
Navigate sub-frames across different domains : Enable
Software channel permissions : Medium safety
Submit nonencrypted from data : Enable
Userdata persistence : Enable
Scripting : All Enabled
User Authentication
Logon : Automatic logon only in Intranet zone
|
|
|
|
|
Hi BountyBob,
Try updating the Windows Scripting Engine or Internet Explorer Update. You may try to visit http://windowsupdate.microsoft.com and the website would show if your Scripting Engine or some of the components need updating.
Once Scripting Engine is updated, this problem should be solved.
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
I use cuteFTP to submit the site. When I tried to upload the same site with frontpage 2000, it says error. It displays that the server doesnt support folders with spaces in it. But that goes fine with cute FTP. Whats the solution for this??
|
|
|
|
|
Easiest one would be to not use folders with spaces in the names.
Either use underscores instead not bother with spaces at all
--
Help me! I'm turning into a grapefruit!
|
|
|
|
|
Thanks.... but it will take a long time to change all the pages. So... I did the submission using frontpage itself.....
|
|
|
|
|
Hi SPS,
It would be better that Web URLs do not have spaces intermixed with them. Of late, only uplevel browsers like MSIE automatically URLEncode them whenever the user clicks the link with embedded spaces. Clicking a link with spaces in Netscape etc. also generates a HTTP 400 Error (Bad Request)
Perhaps instead of spacing, you may adopt
(*)Underscores to separate (Site_Support_Utilities)
(*)Pascal Case Notation (SiteSupportUtilities)
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
Thanks.... but it will take a long time to change all the pages. So... I did the submission using frontpage itself.....
|
|
|
|
|
I am aware one should do this on the server side of things for security reasons...I assume it has to do with the fact that it's pretty easy easy to create a bunk form and send malicious data, that if not parsed at the sever end...could run system commands and SQL statements like 'DROP TABLE' 
So what i'd like to know is it possible for a PHP/ASP script to determine if the data is coming from a form on a web page on my site...???
I'm thinking refferal IP or whatever (i'd have to peak at my docs but you know what I mean) i could check that and if it didn't match then I wouldn't accept the data...
Would this be acceptable or would i cause serious security loop holes???
p.s-The reason I ask is i've designed a messsage forum system like here at CP, but I wanna strip the naughty words out at the client end as a user sends the message, instead of on the server...
Thanx 
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
|
|
|
|
Hi, your main question is about validation of the user really isn't it?
Are you requireing the user to be logged in before allowing them to post? If so, simple checks for a login id stored in Session would suffice to check if the post was coming from a valid place.
Another thing. In ASP if you dont want to have stuff like DROP TABLE run, just use the command object. You shouldn't ever build an SQL string if you cant trust the source.
E.g. "Select * From Customer Where Name = '" & strName & "'"
Can be broken by typing in
' DROP TABLE Customer --
Which would build the SQL string
Select * From Customer Where Name = '' DROP TABLE Customer -- '
All is lost! Fires of Hell!
So, just use the Command object instead.
E.g. (Off the top of my head)
Dim objCommand as new Command
set objCommand.ActiveConnection = objConn ' Get the connection elsewhere
objCommand.CommandText = "Select * From Customer Where Name = '@Name'"
objCommand.parameters.Add("@Name", strName)
dim rs as Recordset
set rs = objCommand.Execute
I cant remember which version of ASP/ADO you need to run names parameters but its in there somewhere, unless I'm completely forgetting something.
Executing this code should really check for the presence of a name "' DROP TABLE Customer --" in the customer.Name field rather than executing the code.
So, using these two methods you dont really need to worry where things come from. So, write your client side profanity stripper and if the user isn't logged on, dont let them post.
Pete
Insert Sig. Here!
|
|
|
|
|
No, it's trivial to write a program that sends a HTTP POST request with any headers you want, including "Referer:". It's not a security mechanism.
|
|
|
|
|
Trivial...?
How do you do it then...? What would be the steps involved...?
Thanx!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
|
|
|
|
HTTP is just a text protocol. All you have to do is create a Socket connection to the web server on port 80 and sent a property formatted HTTP request to it. GET and POST are equally easy to do.
But, of course, you really have to want to annoy the web server to go and write an app to do it.
Pete
Pete
Insert Sig. Here!
|
|
|
|
|
Ah...you have to use a compiled language...
I have always been under the impression you could accomplish this with JScript or Php, but I could NEVER figure out how...
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
|
|
|
|
You could use Perl or Python. For example, here's an excerpt of the Python manual showing how to send a POST request. Just change the "headers" variable to suit yor needs:
>>> import httplib, urllib
>>> params = urllib.urlencode({'spam': 1, 'eggs': 2, 'bacon': 0})
>>> headers = {"Content-type": "application/x-www-form-urlencoded",
... "Accept": "text/plain"}
>>> conn = httplib.HTTPConnection("musi-cal.mojam.com:80")
>>> conn.request("POST", "/cgi-bin/query", params, headers)
>>> response = conn.getresponse()
>>> print response.status, response.reason
200 OK
>>> data = response.read()
>>> conn.close()
The >>> and ... prompts in the line starts mean that you are supposed to type the stuff directly to a Python interpreter. Try it if you have Python installed. The variable "data" will contain the HTML returned by the server.
|
|
|
|
|
Hi,
Actually in PHP, there is a builtin function called
'escapeshellcmd' to automatically escape shell commands and pass them as plain text.
http://www.php.net/manual/en/function.escapeshellcmd.php
I think PHPMyAdmin (the PHP interface to MYsQL) has some features to disable queries with Drop etc.) Seeing that you can get how they have achieved this.
Perhaps in ASP, you may have to mimic the above functionality to deter the user from passing potentially harmful commands to the system.
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
Cool PHP is my language of choice for server side scripting, but I have yet to ocome across this function...
i'll have to check it out...
Thanx!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
|
|
|
|
Hi all
OK I have posted this "bug" (flaw) before but wasnt sure what was causing it, but I have now pinned it down. Have look at the following and paste into a page.
<table width="100%" border="1">
<tr>
<td>Some Text</td>
<td width="200">Some Text</td>
</tr>
<tr>
<td colspan=2>Some Text</td>
</tr>
</table>
<br>
<table width="100%" border="1">
<tr>
<td>Some Text</td>
<td width="200">Some Text</td>
</tr>
<tr>
<td colspan=2>Some really really really really really really long boring Text to prove my point just as long as it is wider than the above right column</td>
</tr>
</table>
OK some mite say this is not a bug, but what must I do then to "render" something as simple as the above. NS 6 / Mozilla 1.1 renders this correctly IMHO.
ANy suggestions welcome
[edit] it seems the colspan'ed TD "binds" to the last TD that it is spanning, this is dumb IMO, it should "bind" to the 1st TD or infact all of them...[/edit]
"There are no stupid question's, just stupid people."
|
|
|
|
|
Didn't I tell you already there is no warrant regarding the user agent implementation ?
To get this displayed fine with IE, add this class :
<STYLE TYPE="text/css">
<!--
.TABLEFIXED { table-layout:fixed }
-->
</STYLE>
And set the class="TABLEFIXED" attribute to both table tags.
Back to real work : D-27.
|
|
|
|
|
Thank you, Thank you, Thank you! I can live with problems if there are solutions
"There are no stupid question's, just stupid people."
|
|
|
|
|
Why don't you use CSS to define the widths rather? Then the odd bug does not appear.
Paul Watson
Bluegrass
Cape Town, South Africa
Ray Cassick wrote:
Well I am not female, not gay and I am not Paul Watson
|
|
|
|
|
Paul Watson wrote:
Why don't you use CSS to define the widths rather?
Hmm, thanx , I'll try that So CSS styles work for almost all table elements?
"There are no stupid question's, just stupid people."
|
|
|
|
|
leppie wrote:
So CSS styles work for almost all table elements?
Oh yeah fully. CSS can be applied to any element within (and including) the BODY element. You can apply CSS classes to TD, TR, BODY, TH, FORM etc. etc. etc. Absolutely any element.
Paul Watson
Bluegrass
Cape Town, South Africa
Ray Cassick wrote:
Well I am not female, not gay and I am not Paul Watson
|
|
|
|
|
Since you recommended CSS months back I've been playing with them. Very effective!!!
"When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
|
|
|
|
|
Paul Watson wrote:
Then the odd bug does not appear.
I tried the table using CSS to set widths but it still does that if I dont add the table-layout:fixed style. I can live with that though...the forum site I'm working on too doesnt like fixed layout at all , so I guess its back to the drawing board 
"There are no stupid question's, just stupid people."
|
|
|
|
|
Hi all
What font do you consider the best for viewing webpages (generally content, not menus).
This is my preference : Tahoma, Verdana, Arial
Any one have problems with that?
"There are no stupid question's, just stupid people."
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
