I am looking for MS oriented non-DOTNET Tutorials on Web design
Any links?
Thanks
Paul
Hi all,
Below is an HTML file. It contains VBScript to display a message box. Can
anyone see any obvious reason why it doesn't display the message box? I've
converted it to JavaScript (i.e. alert("Hello");) and it works fine. I've
also tried looking through the security settings to see if there were any
VBScript-specific settings there and couldn't find any.
Any thoughts/solutions appreciated,
Rob
<html>
<head><title>Untitled</title></head>
<body>
Start
<script language="VBScript">msgbox "Hello"</script>
End
</body>
</html>
This problem only occurs on 1 PC out of about 20.
All have VBScript V.5.5.0.5207 installed.
The VBScript code is being ignored in the same way it would if I had inserted the line instead of <Script Language="VBScript">
In my experience msgboxes like that don't work. What you can do is pass the ASP variable to a javascript variable and then display an alert.
But you say this is for all VBScript, only every now and then on certain PCs? Can you Response.Write that message?
Deploying a web application without understanding security is roughly equivalent to driving a car without seatbelts - down a slippery road, over a monstrous chasm, with no brakes, and the throttle jammed on full. Hacking Exposed - Web Applications. Joel Scambray & Mike Shema
Sorry, I probably didn't make my additional information very clear. The problem occurs on 1 PC all the time. It also ignores ALL VBScript so response.writes don't work either.
It could be a virus checker or firewall app filtering or disabling the VBScript.
--
Help me! I'm turning into a grapefruit!
It's not going through a firewall but I'll check my virus-checker settings.
What are the security settings on the browser?
Is the browser configured to "show all script errors"?
Cheers,
Simon
"VB.NET ... the STD of choice", me, internal company memo
Intranet Security Settings are:-
ActiveX controls and plug-ins : All Enabled
Cookies : All Enabled
Downloads : All Enabled
Java Permissions : Medium Security
Miscellaneous
Access data sources across domains : Prompt
Don't prompt for client certificate... : Enable
Drag and drop or copy and paste files : Enable
Installations of desktop items : Prompt
Launching programs and files in an IFRAME : Prompt
Navigate sub-frames across different domains : Enable
Software channel permissions : Medium safety
Submit nonencrypted form data : Enable
Userdata persistence : Enable
Scripting : All Enabled
User Authentication
Logon : Automatic logon only in Intranet zone
Hi BountyBob,
Try updating the Windows Scripting Engine or Internet Explorer Update. You may try to visit http://windowsupdate.microsoft.com and the website would show if your Scripting Engine or some of the components need updating.
Once Scripting Engine is updated, this problem should be solved.
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
I use CuteFTP to submit the site. When I tried to upload the same site with FrontPage 2000, it says error. It displays that the server doesn't support folders with spaces in it. But that goes fine with CuteFTP. What's the solution for this??
Easiest one would be to not use folders with spaces in the names.
Either use underscores instead or don't bother with spaces at all.
--
Help me! I'm turning into a grapefruit!
Thanks.... but it will take a long time to change all the pages. So... I did the submission using FrontPage itself.....
Hi SPS,
It would be better that Web URLs do not have spaces intermixed with them. Of late, only uplevel browsers like MSIE automatically URL-encode them whenever the user clicks a link with embedded spaces. Clicking a link with spaces in Netscape etc. also generates an HTTP 400 Error (Bad Request).
Perhaps instead of spacing, you may adopt
(*)Underscores to separate (Site_Support_Utilities)
(*)Pascal Case Notation (SiteSupportUtilities)
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
I am aware one should do this on the server side of things for security reasons... I assume it has to do with the fact that it's pretty easy to create a bunk form and send malicious data that, if not parsed at the server end... could run system commands and SQL statements like 'DROP TABLE'.
So what I'd like to know is: is it possible for a PHP/ASP script to determine if the data is coming from a form on a web page on my site...???
I'm thinking referral IP or whatever (I'd have to peek at my docs but you know what I mean). I could check that and if it didn't match then I wouldn't accept the data...
Would this be acceptable or would I cause serious security loopholes???
p.s. The reason I ask is I've designed a message forum system like here at CP, but I wanna strip the naughty words out at the client end as a user sends the message, instead of on the server...
Thanx
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
Hi, your main question is about validation of the user really isn't it?
Are you requiring the user to be logged in before allowing them to post? If so, simple checks for a login id stored in Session would suffice to check if the post was coming from a valid place.
Another thing. In ASP if you don't want to have stuff like DROP TABLE run, just use the Command object. You shouldn't ever build an SQL string if you can't trust the source.
E.g. "Select * From Customer Where Name = '" & strName & "'"
Can be broken by typing in
' DROP TABLE Customer --
Which would build the SQL string
Select * From Customer Where Name = '' DROP TABLE Customer -- '
All is lost! Fires of Hell!
So, just use the Command object instead.
E.g. (Off the top of my head)
Dim objCommand, objParam, rs
Set objCommand = Server.CreateObject("ADODB.Command")
Set objCommand.ActiveConnection = objConn ' Get the connection elsewhere
objCommand.CommandText = "Select * From Customer Where Name = ?" ' ? is the placeholder ADO binds the value to
objCommand.CommandType = 1 ' adCmdText
Set objParam = objCommand.CreateParameter("Name", 200, 1, 50, strName) ' adVarChar, adParamInput, size 50
objCommand.Parameters.Append objParam
Set rs = objCommand.Execute
I can't remember which version of ASP/ADO you need to run named parameters but it's in there somewhere, unless I'm completely forgetting something.
Executing this code should really check for the presence of a name "' DROP TABLE Customer --" in the customer.Name field rather than executing the code.
So, using these two methods you don't really need to worry where things come from. So, write your client side profanity stripper and if the user isn't logged on, don't let them post.
Pete
Insert Sig. Here!
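Pete's point above, as an added example that is not code from the thread: the concatenated query beside its parameterized equivalent, run against an in-memory SQLite table. The payload is the one quoted in the thread with a `;` added, because SQLite will not run a second statement without one, and `executescript()` stands in for a server that executes unterminated batches; the table name, sample rows and function names are assumptions.

```python
import sqlite3

# Constructed sample input: the payload quoted in the thread, plus the
# statement separator SQLite needs to run the second statement.
HOSTILE_NAME = "'; DROP TABLE Customer --"


def fresh_db():
    """In-memory database with a small constructed Customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customer (Name) VALUES (?)",
                     [("Alice",), ("Bob",)])
    return conn


def table_exists(conn):
    """True while the Customer table is still present."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Customer'"
    ).fetchone()
    return row[0] == 1


def lookup_concatenated(conn, name):
    """The pattern Pete warns against: user input glued into the SQL text.
    executescript() mimics a server that runs whatever batch it is handed,
    so the injected DROP TABLE executes. Returns the SQL that was built."""
    sql = "SELECT * FROM Customer WHERE Name = '" + name + "'"
    conn.executescript(sql)
    return sql


def lookup_parameterized(conn, name):
    """The Command-object equivalent: the driver binds the value, so the
    input is compared as a literal string and never parsed as SQL."""
    cur = conn.execute("SELECT * FROM Customer WHERE Name = ?", (name,))
    return cur.fetchall()
```

The parameterized lookup simply finds no customer literally named `'; DROP TABLE Customer --` and leaves the table in place.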
No, it's trivial to write a program that sends a HTTP POST request with any headers you want, including "Referer:". It's not a security mechanism.
Trivial...?
How do you do it then...? What would be the steps involved...?
Thanx!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
HTTP is just a text protocol. All you have to do is create a socket connection to the web server on port 80 and send a properly formatted HTTP request to it. GET and POST are equally easy to do.
But, of course, you really have to want to annoy the web server to go and write an app to do it.
Pete
Insert Sig. Here!
Ah...you have to use a compiled language...
I have always been under the impression you could accomplish this with JScript or Php, but I could NEVER figure out how...
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr
You could use Perl or Python. For example, here's an excerpt of the Python manual showing how to send a POST request. Just change the "headers" variable to suit your needs:
>>> import httplib, urllib
>>> params = urllib.urlencode({'spam': 1, 'eggs': 2, 'bacon': 0})
>>> headers = {"Content-type": "application/x-www-form-urlencoded",
... "Accept": "text/plain"}
>>> conn = httplib.HTTPConnection("musi-cal.mojam.com:80")
>>> conn.request("POST", "/cgi-bin/query", params, headers)
>>> response = conn.getresponse()
>>> print response.status, response.reason
200 OK
>>> data = response.read()
>>> conn.close()
The >>> and ... prompts in the line starts mean that you are supposed to type the stuff directly to a Python interpreter. Try it if you have Python installed. The variable "data" will contain the HTML returned by the server.
Hi,
Actually in PHP, there is a builtin function called
'escapeshellcmd' to automatically escape shell commands and pass them as plain text.
http://www.php.net/manual/en/function.escapeshellcmd.php
I think phpMyAdmin (the PHP interface to MySQL) has some features to disable queries with DROP etc. Seeing that, you can get how they have achieved this.
Perhaps in ASP, you may have to mimic the above functionality to deter the user from passing potentially harmful commands to the system.
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
Cool, PHP is my language of choice for server side scripting, but I have yet to come across this function...
I'll have to check it out...
Thanx!
"An expert is someone who has made all the mistakes in his or her field" - Niels Bohr