|
I have searched and searched and can't find specific answers to these questions on LDAP. If you respond to this thread, please be detailed, and thanks very much for your help!
I have a ActiveX LDAP component that I am using from within an ASP page to authenticate users (by doing a bind a search). I have a two part question:
a) is it necessary to have a component to perform this? Is there no VBScript or other way of authenticating and passing the results to an ASP page?
b) what is necessary to perform this securely. Other than pointing to port 636, I know that I have to have SSL cert installed on my IIS, but is that it? I have SSL and I point to 636 (assuming 636 is listening).
Any help is greatly appreciated, I just can't seem to find much on this PARTICULAR situation. I have no experience with PHP, but if there is a way to do it and pass the LDAP response to ASP, that's fine with me too!
|
|
|
|
|
I think the follow snippet is fairly self explanatory:
<SCRIPT language="VBScript">
Sub SetNum(num)
document.some_form.AddHiddenVariable("var5", "value="&num) QUESTION 1: I want to do something like this. If you dont suggest this, perhaps you can show me how to add hidden form variable and "submit" on server side script?
document.some_form.submit
End Sub
</SCRIPT>
<html>
...
<body>
<form name=some_form action=page2.asp method=post>
<input type=hidden name="var1" value="1">
</form>
<table>
Dim num
num=3
<tr OnMouseDown="SetNum(num)"> QUESTION 2: Is it okay if SetNum() client side and num is server side? But to "submit", SetNum() needs to be client side... dilema.
<td>....</td>
</tr>
</table>
</body>
</html>
Thanks a bunch!
norm
|
|
|
|
|
I have four variables. A,B,C,D.
I want to check as below (ie) I NEED TO SELECT RECORDS ONLY IF THE BELOW CONDITION SATISFIES.
A < 0 AND B < 0 OR A > 0 AND B > 0.
I have written a code like.
IFF A<0 AND B<0 OR C>0 AND D>0. (ie.) even if A is greater than 0 and B is less than zero, it should not select records. So I coded like this.
I would just like to know whether the above is right or the below one which my colleage is insisting about (ie).
IFF (A>0 AND B>0) OR (C<0 AND D<0).
Basically what is he insisting is that there should be a bracket, whereas I am telling it is not required since those are logical operators and logical operators rule whatever it is OR FUNCTION WILL PRECEDE THE AND FUNCTION, so
need not put brackets.
Which is correct? If both are correct, which one is recommended from a good coding standards perspective?
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
Deepak Kumar Vasudevan wrote:
A < 0 AND B < 0 OR A > 0 AND B > 0.
I have written a code like.
IFF A<0 AND B<0 OR C>0 AND D>0. (ie.) even if A is greater than 0 and B is less than zero, it should not select records. So I coded like this.
I would just like to know whether the above is right or the below one which my colleage is insisting about (ie).
IFF (A>0 AND B>0) OR (C<0 AND D<0).
I admit I'm slightly confused because your condition seems to keep changing, but if you're just asking whether to use brackets or not then YES, use them, always and everywhere. It doesn't matter if they're unnnecessary, it makes them easy to read.
If you say
Condition1 AND Condition2 OR Condition3 AND Condition4
then it's impossible for me to know whether you intend to say
(Condition1 AND Condition2) OR (Condition3 AND Condition4) [AND precedence]
or
Condition1 AND (Condition2 OR Condition3) AND Condition4 [OR precendence]
or
((Condition1 AND Condition2) OR Condition3) AND Condition4 [NO precedence]
If I remember correctly, different languages will react different ways, but I put unnecessary brackets everywhere so I don't need to know if a given language requires the brackets or not.
Remember, the compiler will not act in a negative way when encountering unnecessary brackets, so what harm can there be in clarifying your intention?
Paul
And you run and you run to catch up with the sun, but it's sinking
Racing around to come up behind you again
The sun is the same in a relative way, but you're older
Shorter of breath, one day closer to death - Pink Floyd, Time
|
|
|
|
|
Hi, I have this simple ASP app that maintain login status information "bLogin" by "posting" bLogin as hidden form variable. The site is not a ecommerce site, but it'd be nice to know there's some way to make this more secured. To attack the site, simply view the source code to find out what state variables are there, then post values (trial and error) to the ASP page and make your way in.
But this is rather simple - and this means that the ASP application is wide open to attacks. Any suggestion?
btw, I try to avoid Session variables as much as I can.
Thanks.
norm
|
|
|
|
|
norm wrote:
btw, I try to avoid Session variables as much as I can.
The way I'd prevent a brute force attack like that would be to verify the logon information (name, password, etc) and if not valid create a session variable holding the time the logon failed and the number of attempts, and then increment the latter on each failed attempt. When you've hit three failed logon attempts within, say, one minute, you'd block that session from logging in either till it expires or for a set period of time. (Make sure you feed the block information back to the user in case they have a legitimate reason for getting the information wrong). When the user logs in correctly, check if those two variables exist, and if so delete them. Then store the result of the log in in a session variable rather than put/getting it from the client every trip.
If you really don't want to touch the session object I suppose you could encrypt some of the logon information at the server and store it in the document as a key, (but keep one field, i.e. the name, plaintext so you have something to recalculate the key with), then in future trips fetch the information on the user however you currently are, encrypt the key and compare it with the one the client is sending you.
|
|
|
|
|
My problem is, this mechanism protects the site AT "login.asp". All scripts behind this gateway is protected only by bLoginStatus "posted" from one page after another.
hacker can trick the "subseqent" pages by "posting" "bLoginStatus=1" - making subsequent pages thinks that the person has cleared "login.asp" when in fact it isnt.
norm
|
|
|
|
|
I think that you are approaching your problem from the wrong angle. I can see what you are trying to do, but if you are relying on a single variable sent with the document like that which you are not able to encrypt somehow and that is used solely to determine of the client is authorised then there will always be that risk. That's probably why no one does it like it. 
Why are you so unwilling to use session variables?
What about the second example I gave, with the encrypted key?
In either case you can protect scripts other than login.asp by simply checking the user's status at the top of each page and returning them to the logon sript if they are not logged in or have timed out, etc. As a rule of thumb you should never rely on the client to provide state information like that because there are always ways it can be faked.
|
|
|
|
|
How can you tell if a checkbox is checked? I dont have an ASP book, and all tutorial on the internets tells you:
but NONE tells me how to retrieve the state of the checkbox. So, I tried this:
If document.unreg_form.bAreUSure.value="1" Then
MsgBox("Please confirm your intention to un-register.")
End If
But unfortunately, this condition is always met.
Thanks.
|
|
|
|
|
As a checkbox only has two states (checked and unchecked) it has it's own property to represent them:
<script>
If document.unreg_form.bAreUSure.checked Then
MsgBox("Please confirm your intention to un-register.")
End If
</script>
It will be True or False depending on whether it is checked or not.
|
|
|
|
|
Thanks. One more question:
What about "posting" checkboxes variables states?
If Request.Form("bAreUSure").checked=true Then
MsgBox "Fire at will"
End If
??
norm
|
|
|
|
|
On the server side, Request.Form("bAreUSure") will return the value if the box is checked, or an empty string otherwise.
Also, you can't use the MsgBox function in server-side code!
If Request.Form("bAreUSure") = "1" Then
Response.Write "Fire at will"
End If
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
|
|
|
|
|
1) I am looking for some good books on Perl and CGI scripting that cover beginner to advanced topics, any suggestions?
2) Is it possible to have a download counter on a website that can keep track of how many downloads the file is getting if it is being hyperlinked from another website? If so can someone point me in the right direction?
Thanks.
|
|
|
|
|
1. ) Perl Cookbook - O'Reily is good. Perl is probably one of the most available languages for source code, examples, and tutorials on the web. There is a script for everything. Due to Perls age there is a lot of code, just look.
2.)http://www.utilmind.com/scripts/downloadcounter.html
source code
See how easy that was, it only took me 5 seconds to find #2.
R.Bischoff | C++
.NET, Kommst du mit?
|
|
|
|
|
Thanks for the info...there is definitely endless amounts of info for Perl and scripts on the internet but I seem to learn best when reading from a book. I will give the one you suggested a shot.
|
|
|
|
|
I recently put a PHP poll on my web site with automatically updating results on the homepage from an SQL database. The problem is that the page does not reload when the user clicks the "go back" link:
go back
How do I reload the page without creating an infinite loop? By the way, I run a Unix server with everything but ASP (only for NT servers and I don't have the money for that laying around), so I need a solution for PHP.
-- Steve
|
|
|
|
|
what do u mean when u say you need to "go back" and "infinite loop"? sounds like you're not very exact with the logic/execution sequence. If PAGE_1 updates PAGE_2 and PAGE_2 "go back" to PAGE_1 every update cycle, of course you have an infinite loop.
But if your problem is with loading page variables properly...? Then:
page2.asp:
">
...
...
And if you are simply updating results on a homepage drawing data from a backend data source, the "fininte loop" problem is rather irrelevant. Every time the user load your "homepage", the IIS gets a fresh copy of data from the data source (text file or a SQL server or anything).
Usually, data on the server (perhaps an Access database or SQL server or anything) gets updated thru continously in the event that u have an online system (OLTP) or that updates are done in batches (every nite a DTS package is run). But you have to figure out what exactly you wish to do. If your homepage is just to display information drawn from a backend, you DO NOT have an infinite loop, and you shouldnt.
If your homepage "poll" the backend data source periodically - in which case you dont reload the form - just use a timing loop and periodically draw from the database, but that's a lot of network traffic isnt it? Is there any particular reason you need to "poll" your data source?
norm
|
|
|
|
|
What I mean is that when I hit the back button, I want the page to refresh once. I put the history.go() code into the home.php file and I got an infinite loading loop like I thought. That's what I meant. Is there some way to use my SQL database to solve this problem?
-- Steve
|
|
|
|
|
sorry, not quite sure what u're trying to do here. click back button to refresh? why not click the "refresh" button to refresh?
but in my brief ASP experience, history.go() is somewhat unreliable - depending on browser setting. i prefer to POST hidden form variables.
anywaz...
norm
|
|
|
|
|
Hi friends,
Please give me the source code javascript of counter of visitors on website.(Included its graphic). And then I will add to my webpage.
Any advice or idea appreciated.
Thank you very much in advance.
Email : thuydinh76@yahoo.com
Thuydinh,
|
|
|
|
|
It can't be done in javascript - how would that be possible ? Your web server needs to keep track of visitors and increment a counter. By the time your javascript is running, you're on the client and it's too late to be storing *anything* except a cookie, which is not of much help to you.
Are you running an asp website, or just html ? If asp, then it's something you need to do in your database. If you don't have a database, you've had it.
Christian
No offense, but I don't really want to encourage the creation of another VB developer.
- Larry Antram 22 Oct 2002
C# will attract all comers, where VB is for IT Journalists and managers - Michael
P Butler 05-12-2002
It'd probably be fairly easy to make a bot that'd post random stupid VB questions, and nobody would probably ever notice - benjymous - 21-Jan-2003
|
|
|
|
|
Hey Thuy Dinh ,
You need server-side intervention to keep track of visitors and clientside JavaScript alone cannot achieve this trick. Perhaps if you do not have access to serverside scripts and can use only static html pages, check out
http://www.thefreesite.com/
(Webmaster Freebies section) and there are lot of cobranded counters/site stat services, that can help you).
Deepak Kumar Vasudevan
http://deepak.portland.co.uk/
|
|
|
|
|
Thank you very much for your help. I'll find what I want now.
Thuydinh,
|
|
|
|
|
I am suffering from a lot of pain doing this. And I have decided to bring this to you genius - with the belief that someone on this planet will safe me further trauma debuggin this script.
Here's what i have on my ASP script:
'Connecting to Microsoft SQL Server:
oConn.ConnectionString = "Provider=sqloledb; Data Source=(local); Initial Catalog='dummyDB'; User ID=sa; Password=sa"
oConn.Open
'Update profile through stored procedure "sproc_ChangeProfile":
Set oCmd = Server.CreateObject("ADODB.Command")
With oCmd
.ActiveConnection = oConn
.CommandText = "dbo.sproc_ChangeProfile"
.CommandType = adCmdStoredProc
.Parameters.Append .CreateParameter("@old_login", adChar, adParamInput, 15, Request.Form("txtOldLogin") )
.Parameters.Append .CreateParameter("@login", adChar, adParamInput, 15, Request.Form("txtLogin") )
.Parameters.Append .CreateParameter("@password", adChar, adParamInput, 15, Request.Form("txtPasswd") )
.Parameters.Append .CreateParameter("@first_name", adChar, adParamInput, 50, Request.Form("first_name") )
.Parameters.Append .CreateParameter("@middle_name", adChar, adParamInput, 50, Request.Form("middle_name") )
.Parameters.Append .CreateParameter("@last_name", adChar, adParamInput, 50, Request.Form("last_name") )
.Parameters.Append .CreateParameter("@email1", adChar, adParamInput, 50, Request.Form("email1") )
.Parameters.Append .CreateParameter("@email2", adChar, adParamInput, 50, Request.Form("email2") )
.Parameters.Append .CreateParameter("@tel_home", adChar, adParamInput, 30, Request.Form("tel_home") )
.Parameters.Append .CreateParameter("@tel_office", adChar, adParamInput, 30, Request.Form("tel_office") )
.Parameters.Append .CreateParameter("@tel_fax", adChar, adParamInput, 30, Request.Form("tel_fax") )
.Parameters.Append .CreateParameter("@tel_cell", adChar, adParamInput, 30, Request.Form("tel_cell") )
.Parameters.Append .CreateParameter("@tel_pager", adChar, adParamInput, 30, Request.Form("tel_pager") )
.Parameters.Append .CreateParameter("@title", adChar, adParamInput, 100, Request.Form("title") )
.Parameters.Append .CreateParameter("@association", adChar, adParamInput, 50, Request.Form("association") )
.Parameters.Append .CreateParameter("@address_unit_num", adChar, adParamInput, 15, Request.Form("address_unit_num") )
.Parameters.Append .CreateParameter("@address_bldg_name", adChar, adParamInput, 50, Request.Form("address_bldg_name") )
.Parameters.Append .CreateParameter("@address_street_num", adChar, adParamInput, 15, Request.Form("address_street_num") )
.Parameters.Append .CreateParameter("@address_street", adChar, adParamInput, 100, Request.Form("address_street") )
.Parameters.Append .CreateParameter("@address_city", adChar, adParamInput, 100, Request.Form("address_city") )
.Parameters.Append .CreateParameter("@address_province", adChar, adParamInput, 100, Request.Form("address_province") )
.Parameters.Append .CreateParameter("@address_country", adChar, adParamInput, 100, Request.Form("address_country") )
.Parameters.Append .CreateParameter("@address_zipcode", adChar, adParamInput, 100, Request.Form("address_zipcode") )
.Parameters.Append .CreateParameter("@update_target", adInteger, adParamInput, 4, Request.Form("update_target"))
.Parameters.Append .CreateParameter("@error_status", adInteger, adParamOutput, 4, 0) 'OUTPUT: error status.
'Execute the stored procedure:
.Execute
End With
'Check return status:
If oCmd.Parameters("@error_status")=0 Then
'No error.
Else
'exception handling - please refer to stored procedure for error code interpretation.
bstatuscode=oCmd.Parameters("@error_status")
End If
Here's the declaration of the stored procedure in question:
CREATE PROCEDURE dbo.sproc_ChangeProfile(
@old_login char(15) =NULL,
@login char(15) =NULL,
@password char(15) =NULL,
@first_name char(50) =NULL,
@middle_name char(50) =NULL,
@last_name char(50) =NULL,
@email1 char(50) =NULL,
@email2 char(50) =NULL,
@tel_home char(30) =NULL,
@tel_office char(30) =NULL,
@tel_fax char(30) =NULL,
@tel_cell char(30) =NULL,
@tel_pager char(30) =NULL,
@title char(100) =NULL,
@association char(50) =NULL,
@address_unit_num char(15) =NULL,
@address_bldg_name char(50) =NULL,
@address_street_num char(15) =NULL,
@address_street char(100) =NULL,
@address_city char(100) =NULL,
@address_province char(100) =NULL,
@address_country char(100) =NULL,
@address_zipcode char(100) =NULL,
@update_target int=0,
@error_status int OUTPUT
)
I have checked and cross referenced many times. The types and parameters between the ASP and SQL script matches exactly. I have NO idea why I keep getting this following message when this script is executed:
ADODB.Command error '800a0bb9'
Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another.
/submit_changed_profile.asp, line 39
Help!
norm
|
|
|
|
|
Line 39 where the error occurs, which one is it?
Philip Patrick
Web-site: www.stpworks.com
"Two beer or not two beer?" Shakesbeer
|
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
