|
I've been fiddling with ASP and ADO for maintaining a simple event calendar page, and my head is getting sore from beating it against so many weird walls. The latest is, I'm sure, very simple, but I'm certainly not seeing it.
The database connection works great, and when I enter:
Response.Write objSubj
where the database entry for objSubj is "Board of Directors Meeting", displays perfectly as a standalone command. But when I attempt to embed it in HTML, in this case as the value parameter of a form INPUT text box, it returns only the first word of the string, "Board." I also tried using the shortcut notation, =objSubj, in the same location and got the same result. All fields that contain any spaces return only the first word when used in this manner. The text boxes in the form all have lengths greater than the data they're supposed to contain, so truncation doesn't appear to be the problem. What simple idiot thing am I missing here?
"When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
|
|
|
|
|
Take a look at your rendered HTML source code and see if it reads something like:
<INPUT VALUE=Board of Directors Meeting>
You need to quote your value parameters. For example,
<INPUT VALUE = "Board of Directors Meeting">
-- Ingram
|
|
|
|
|
Dang! I knew it had to be obvious... the hard parts I rarely have trouble with. Thanks!!!
"When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
|
|
|
|
|
Hey!
That's nothing to worry about. Just get the value in a quoted string and your problem would be solved. Even in this case, if you had done a view source, you could have seen that the entire value would have been fetched, except that IE considers only the first to be a valid value for the HTML tag attribute and the rest to be 'unknown' attributes, and ignores them.
Solution: Have the entire thing in a quoted string
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
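The parsing behaviour described in the two answers above, as an added example that is not part of the original posts: Python's html.parser stands in for the browser's tokenizer, and the render_* helpers and the TRICKY value are constructed for illustration. It also covers a case the thread does not mention: a value that itself contains a double quote breaks the quoted attribute unless it is HTML-encoded (Server.HTMLEncode in classic ASP).

```python
from html import escape
from html.parser import HTMLParser

class InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag as the tokenizer sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs  # (name, value) pairs; value is None for a bare name

def parse_input(markup):
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or []

def value_seen(markup):
    """The VALUE attribute a parser actually ends up with."""
    return dict(parse_input(markup)).get("value")

def render_unquoted(value):
    # The markup the original page produced: no quotes around the value
    return "<INPUT VALUE=" + value + ">"

def render_quoted(value):
    # The fix from the thread: quote the attribute value
    return '<INPUT VALUE="' + value + '">'

def render_encoded(value):
    # Quote and HTML-encode, so characters in the data cannot end the attribute
    return '<INPUT VALUE="' + escape(value, quote=True) + '">'

SUBJECT = "Board of Directors Meeting"          # value from the thread
TRICKY = 'Quarterly "State of the Club" Talk'   # constructed sample value

if __name__ == "__main__":
    for render in (render_unquoted, render_quoted, render_encoded):
        for value in (SUBJECT, TRICKY):
            markup = render(value)
            print(render.__name__, "|", markup, "|", parse_input(markup))
```

Because database fields can hold text that users typed, quoting plus encoding is what keeps stored data from being read as markup.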
|
|
|
|
|
It worked like a charm... good info, thanks!
"When in danger, fear, or doubt, run in circles, scream and shout!" - Lorelei and Lapis Lazuli Long
|
|
|
|
|
Hi,
We have our IIS in our development center behind a firewall and that also runs an Apache Web Server with Proxy enabled. Our IIS can be reached through the ProxyPass directive over the Apache running on the firewall server.
Of late we have noticed that links in the pages that we give using the Virtual Directory Notation in our ASP.NET/ASP applications fail and these links point to Apache's directory structure instead of IIS.
Example:
On IIS:
For URL: http://deepak/deepakapp/test.asp, I give link
/deepakapp/test.asp and it works fine.
When someone from outside visits my IIS through the firewall using the URL:
http://guardianserver/deepak/deepakapp/
the link in the default page shows up as:
/test.asp (and the word /deepak (the ProxyPass directive for my IIS behind the firewall) is ignored).
Any workaround for this?
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
I am looking for MS oriented non-DOTNET Tutorials on Web design
Any links?
Thanks
Paul
|
|
|
|
|
|
Hi all,
Below is a HTML file. It contains VBScript to display a messagebox. Can
anyone see any obvious reason why it doesn't display the messagebox? I've
converted it to Javascript (ie. alert("Hello");) and it works fine. I've
also tried looking though the security settings to see if there was any
VBScript specific settings there and couldn't find any.
Any thoughts/solutions appreciated,
Rob
<title>Untitled
Start
msgbox "Hello"
End
|
|
|
|
|
This problem only occurs on 1 PC out of about 20.
All have VBScript V.5.5.0.5207 installed.
The VBScript code is being ignored in the same way it would if I had inserted the line instead of <Script Language="VBScript">
|
|
|
|
|
In my experience msgboxes like that don't work. What you can do is pass the ASP variable to a javascript variable and then display an alert.
But you say this is for all VBScript only every now and then on certain pc's? Can you response.write that message?
Deploying a web application without understanding security is roughly equivalent to driving a car without seatbelts - down a slippery road, over a monstrous chasm, with no brakes, and the throttle jammed on full. Hacking Exposed - Web Applications. Joel Scambray & Mike Shema
|
|
|
|
|
Sorry, I probably didn't make my additional information very clear. The problem occurs on 1 PC all the time. It also ignores ALL VBScript so response.writes don't work either.
|
|
|
|
|
It could be a virus checker or firewall app filtering or disabling the vbscript
--
Help me! I'm turning into a grapefruit!
|
|
|
|
|
It's not going through a firewall but I'll check my virus-checker settings.
|
|
|
|
|
What are the security settings on the browser?
Is the browser configured to "show all script errors"?
Cheers,
Simon
"VB.NET ... the STD of choice", me, internal company memo
|
|
|
|
|
Intranet Security Settings are:-
ActiveX controls and plug-ins : All Enabled
Cookies : All Enabled
Downloads : All Enabled
Java Permissions : Medium Security
Miscellaneous
Access data sources across domains : Prompt
Don't prompt for client certificate... : Enable
Drag and drop or copy and paste files : Enable
Installations of desktop items : Prompt
Launching programs and files in an IFRAME : Prompt
Navigate sub-frames across different domains : Enable
Software channel permissions : Medium safety
Submit nonencrypted form data : Enable
Userdata persistence : Enable
Scripting : All Enabled
User Authentication
Logon : Automatic logon only in Intranet zone
|
|
|
|
|
Hi BountyBob,
Try updating the Windows Scripting Engine or Internet Explorer Update. You may try to visit http://windowsupdate.microsoft.com and the website would show if your Scripting Engine or some of the components need updating.
Once Scripting Engine is updated, this problem should be solved.
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
I use cuteFTP to submit the site. When I tried to upload the same site with frontpage 2000, it says error. It displays that the server doesn't support folders with spaces in it. But that goes fine with cute FTP. What's the solution for this??
|
|
|
|
|
Easiest one would be to not use folders with spaces in the names.
Either use underscores instead or don't bother with spaces at all
--
Help me! I'm turning into a grapefruit!
|
|
|
|
|
Thanks.... but it will take a long time to change all the pages. So... I did the submission using frontpage itself.....
|
|
|
|
|
Hi SPS,
It would be better that Web URLs do not have spaces intermixed with them. Of late, only uplevel browsers like MSIE automatically URLEncode them whenever the user clicks the link with embedded spaces. Clicking a link with spaces in Netscape etc. also generates an HTTP 400 Error (Bad Request).
Perhaps instead of spacing, you may adopt
(*)Underscores to separate (Site_Support_Utilities)
(*)Pascal Case Notation (SiteSupportUtilities)
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
|
I am aware one should do this on the server side of things for security reasons...I assume it has to do with the fact that it's pretty easy to create a bunk form and send malicious data, that if not parsed at the server end...could run system commands and SQL statements like 'DROP TABLE'
So what I'd like to know is, is it possible for a PHP/ASP script to determine if the data is coming from a form on a web page on my site...???
I'm thinking referral IP or whatever (I'd have to peek at my docs but you know what I mean) I could check that and if it didn't match then I wouldn't accept the data...
Would this be acceptable or would I cause serious security loopholes???
p.s-The reason I ask is I've designed a message forum system like here at CP, but I wanna strip the naughty words out at the client end as a user sends the message, instead of on the server...
Thanx
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
|
|
|
|
|
Hi, your main question is about validation of the user really isn't it?
Are you requiring the user to be logged in before allowing them to post? If so, simple checks for a login id stored in Session would suffice to check if the post was coming from a valid place.
Another thing. In ASP if you don't want to have stuff like DROP TABLE run, just use the command object. You shouldn't ever build an SQL string if you can't trust the source.
E.g. "Select * From Customer Where Name = '" & strName & "'"
Can be broken by typing in
' DROP TABLE Customer --
Which would build the SQL string
Select * From Customer Where Name = '' DROP TABLE Customer -- '
All is lost! Fires of Hell!
So, just use the Command object instead.
E.g. (Off the top of my head)
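Dim objCommand, rs
Set objCommand = Server.CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn ' Get the connection elsewhere
' Use an unquoted ? placeholder; a quoted '@Name' would be an ordinary string literal
objCommand.CommandText = "Select * From Customer Where Name = ?"
objCommand.CommandType = 1 ' adCmdText
' 200 = adVarChar, 1 = adParamInput, 255 = maximum length (adjust to the column size)
objCommand.Parameters.Append objCommand.CreateParameter("@Name", 200, 1, 255, strName)
Set rs = objCommand.Execute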
I can't remember which version of ASP/ADO you need to run named parameters but it's in there somewhere, unless I'm completely forgetting something.
Executing this code should really check for the presence of a name "' DROP TABLE Customer --" in the customer.Name field rather than executing the code.
So, using these two methods you don't really need to worry where things come from. So, write your client side profanity stripper and if the user isn't logged on, don't let them post.
Pete
Insert Sig. Here!
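The difference the post above describes between building the SQL string and binding a parameter, as an added example that is not part of the original post: it uses Python's sqlite3 module in place of ADO, and the table contents and function names are constructed for illustration. The concatenated statement is only built as text and never executed; the bound lookup treats the same input as a name to search for.

```python
import sqlite3

HOSTILE = "' DROP TABLE Customer --"   # the input string quoted in the post

def concatenated_sql(name):
    # The string-building pattern from the post; returned as text, never run here
    return "Select * From Customer Where Name = '" + name + "'"

def open_db():
    # Constructed sample data in an in-memory database
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Name TEXT)")
    db.executemany("INSERT INTO Customer (Name) VALUES (?)",
                   [("Alice",), ("O'Brien",), (HOSTILE,)])
    return db

def find_customer(db, name):
    # The ? is a bound parameter: the driver passes the value separately from
    # the SQL text, so quotes and keywords inside it stay data
    sql = "SELECT Id, Name FROM Customer WHERE Name = ?"
    return db.execute(sql, (name,)).fetchall()

def table_exists(db):
    row = db.execute("SELECT count(*) FROM sqlite_master "
                     "WHERE type = 'table' AND name = 'Customer'").fetchone()
    return row[0] == 1

if __name__ == "__main__":
    print("concatenated:", concatenated_sql(HOSTILE))
    db = open_db()
    for name in ("Alice", "O'Brien", HOSTILE, "Nobody"):
        print(repr(name), "->", find_customer(db, name))
    print("Customer table still present:", table_exists(db))
```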
|
|
|
|
|
No, it's trivial to write a program that sends an HTTP POST request with any headers you want, including "Referer:". It's not a security mechanism.
|
|
|
|