It worked! Thanks for your help!!
RC
How does your browser know when you are no longer busy with the current website? Let's say you are browsing www.abc.com, and then you go to another site called www.def.com. The reason why I ask is because I want all variables created, server variables, to be destroyed when a user goes to a new website, one different from the current one. If possible, please supply some code.
Brendan Vogt wrote:
How does your browser know when you are no longer busy with the current website.
You don't. Really. HTTP is stateless; you have no concrete way of knowing when the user is done browsing your website. Even things like Flash objects or Java applets that try to send a dying gasp to the server are unreliable since the user's browser can crash, the object can be destroyed before it has a chance to communicate, the user's phone line is unplugged, etc.
To handle resource cleanup, you can set a time limit on how long the resources can be active. Occasionally run through the active resources and clean up old resources.
- Mike
Below I gave some server-side validation. This validates whether the username and password are correct. If they are correct, it redirects the user to a new page. Could someone please check if my way is a good way of checking? Any modifications will be appreciated.
If boolIsPost Then
    ' Get username and password
    strUserName = Request.Form("username")
    strPassword = Request.Form("password")
    '-----------------------------------------------------------------
    ' Validate login details
    '-----------------------------------------------------------------
    ' Check username
    If Len(strUserName) < 4 Or Len(strUserName) > 20 Then
        strErrorTitle = "Invalid Username!"
        strError = "Please enter the required field."
        boolHasError = True
    ' Check password
    ElseIf Len(strPassword) < 4 Or Len(strPassword) > 20 Then
        strErrorTitle = "Invalid Password!"
        strError = "Please enter the required field."
        boolHasError = True
    '-----------------------------------------------------------------
    ' If all is ok
    '-----------------------------------------------------------------
    Else
        Set objRs = Server.CreateObject("ADODB.Recordset")
        ' Build the query (the SQL text continues on the next line with & _)
        strSQL = "SELECT User_Username, User_Password FROM tblUser WHERE " & _
                 "User_Username = '" & strUserName & "';"
        ' Open a forward-only recordset (0) with a read-only lock (2)
        objRs.Open strSQL, objConn, 0, 2
        If objRs.EOF Then
            strErrorTitle = "Username does not exist!"
            strError = "Please enter the correct username."
            boolHasError = True
        ElseIf strPassword = objRs("User_Password") Then
            ' Username and password are valid
            Response.Write "Username and password exists!!!"
            Response.Redirect "project.asp"
        Else
            ' Password is invalid
            strErrorTitle = "Password is invalid!"
            strError = "Please enter the correct password!"
            boolHasError = True
        End If
        ' Close and release all resources
        objRs.Close
        Set objRs = Nothing
    End If
End If
I await your reply.
Brendan Vogt
brcvogt@yahoo.com
After a quick look, your code seems vulnerable to SQL injection through the username field. You should check first that it contains only characters allowed in usernames (letters and numbers).
Please explain a bit more. I intend to use the e-mail address as the username, or would you suggest otherwise? If possible, can you maybe supply some sample code? If possible, may I send you this page and then you update it accordingly? Your help will be appreciated. You can mail me on brcvogt@yahoo.com and then I will reply.
Thanks
Functionally it looks OK, but you have a number of potential security problems.
Firstly, you're storing your passwords in plain text in the database, which allows an attacker who can inspect your database to impersonate any user. It's typically better to use some form of hashing in order to prevent a direct attack. Look at the CAPICOM API for use of cryptographic hashing functions.
Your maximum limit on passwords seems quite short, and your minimum limit is very short. There are ways of computing the effective bit length of a password, which suggest that a 20 character password can only be considered equivalent to a 128-bit symmetric encryption key if the password includes both upper and lower case letters, digits and punctuation marks.
Your use of string concatenation to build a SQL string is very weak and could subject you to SQL injection attacks. For example, if an attacker typed
' DROP tblUser --
your strSQL would end up as
SELECT User_Username, User_Password FROM tblUser WHERE User_Username = '' DROP tblUser --';
The comment operator -- prevents the trailing quote mark from causing a syntax error. This would then cause a denial of service to all valid users. You should not trust user data in this way - any user data. It is generally better to use regular expressions to define the set of characters allowed in inputs.
You can mitigate the problem by using an ADO Command object with a collection of parameters, which will cause ADO and the database engine to perform any quoting necessary.
Finally, and I'll admit this one is a bit contentious, you may be giving too much information away in case of failure - you inform the user whether the username or the password was incorrect. This allows an attacker to narrow the problem set - first he has to find the username, then the password. If you don't indicate which is incorrect, the attacker has to generate all possible passwords for all possible usernames, or use some kind of social engineering to discover one or both.
If you decide to do this, you might decide to get the database to perform all the comparisons:
SELECT User_Username FROM tblUser WHERE User_Username = ? AND User_Password = ?
where the ? represent parameters.
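As an added illustration (not code from the original thread), here is the poster's login check rewritten with an ADODB.Command and bound parameters, letting the database do both comparisons and returning one message for every failure. It assumes an open ADODB.Connection named objConn, the tblUser table and form fields from the post, and the poster's existing boolIsPost, strErrorTitle, strError and boolHasError variables.

```vbscript
' Added example, not code from the original thread: the login check
' rewritten with an ADODB.Command and bound parameters. Assumes an open
' ADODB.Connection named objConn and the tblUser table from the post.
Const adVarChar = 200      ' ADO DataTypeEnum
Const adParamInput = 1     ' ADO ParameterDirectionEnum

' Returns True when one row matches both values. The database does the
' comparison and the user input never becomes part of the SQL text, so a
' quote or a trailing -- in either field is treated as data.
Function LoginIsValid(objConn, strUserName, strPassword)
    Dim objCmd, objRs
    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "SELECT User_Username FROM tblUser " & _
                         "WHERE User_Username = ? AND User_Password = ?"
    ' If User_Password holds a hash, hash strPassword the same way before
    ' binding it; the query itself does not change.
    objCmd.Parameters.Append objCmd.CreateParameter("username", adVarChar, adParamInput, 20, strUserName)
    objCmd.Parameters.Append objCmd.CreateParameter("password", adVarChar, adParamInput, 20, strPassword)
    Set objRs = objCmd.Execute
    LoginIsValid = Not objRs.EOF
    objRs.Close
    Set objRs = Nothing
    Set objCmd = Nothing
End Function

If boolIsPost Then
    strUserName = Request.Form("username")
    strPassword = Request.Form("password")
    ' Same length limits as the original post
    If Len(strUserName) < 4 Or Len(strUserName) > 20 Or _
       Len(strPassword) < 4 Or Len(strPassword) > 20 Then
        boolHasError = True
    ElseIf LoginIsValid(objConn, strUserName, strPassword) Then
        Response.Redirect "project.asp"
    Else
        boolHasError = True
    End If
    If boolHasError Then
        ' One message for every failure, so the response does not say
        ' whether the username or the password was the wrong part.
        strErrorTitle = "Login failed"
        strError = "The username or password is incorrect."
    End If
End If
```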
Can you maybe tell me where to get alternative information on this? I have searched the web but was unable to find info.
You stated the following... "It is generally better to use regular expressions to define the set of characters allowed in inputs", how can I improve my code to do this?
A good source of security information is the book I've just been reading (can you tell?), Writing Secure Code by Michael Howard and David LeBlanc (MS Press). Michael Howard also writes the MSDN Code Secure column, which you can also find via the MSDN Security Developer Centre.
To use regular expressions in an ASP page, use the RegExp object.
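One way to apply the RegExp object to the poster's inputs, as an added example that is not part of the original thread. The username pattern assumes e-mail addresses are used as usernames, as the poster intends, and the variable names are the poster's.

```vbscript
' Added example, not code from the original thread: allow-listing input
' characters with the VBScript RegExp object before any SQL is built.
Function MatchesPattern(strValue, strPattern)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = strPattern     ' patterns below use ^ and $ to cover the whole value
    objRe.IgnoreCase = True
    objRe.Global = False
    MatchesPattern = objRe.Test(strValue)
    Set objRe = Nothing
End Function

' Username: a simple e-mail shape built only from letters, digits and a
' few separators, 4 to 20 characters overall (the post's limits). Anything
' else, including quote characters and "--", is rejected.
Function IsValidUserName(strUserName)
    IsValidUserName = False
    If Len(strUserName) >= 4 And Len(strUserName) <= 20 Then
        IsValidUserName = MatchesPattern(strUserName, _
            "^[a-z0-9._-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")
    End If
End Function

' Password: printable ASCII only, 4 to 20 characters. This rejects control
' characters but keeps punctuation, which the replies note adds strength.
Function IsValidPassword(strPassword)
    IsValidPassword = MatchesPattern(strPassword, "^[\x21-\x7e]{4,20}$")
End Function

' Typical use in the page, with the poster's variables
If Not IsValidUserName(Request.Form("username")) Then
    strErrorTitle = "Invalid Username!"
    strError = "Please enter a valid e-mail address."
    boolHasError = True
ElseIf Not IsValidPassword(Request.Form("password")) Then
    strErrorTitle = "Invalid Password!"
    strError = "Please enter the required field."
    boolHasError = True
End If
```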
Hi
I am trying to develop a toolbar (for IE) to bring up the annotations on the page in the browser. When a section of the text is highlighted in the browser, I need to return the parent ID of the item selected. By ID I mean that, assuming each of the HTML tags in the page is given an ID, we have a tree structure.
for eg
thus
The question is, having such a page, I need to write a function to return the ID of the parent node (since we have a tree structure) of the portion of the text selected. I guess this can be done using JavaScript. I have tried to implement it in a crude form. Can anyone guide me to do it? Is there any other way to do it (using C#) etc.? The toolbar is implemented in C#.
Srikar Y
NITK Surathkal
When I view a directory through my browser, I get the following fields:
Name, Last Modified, Size, Description
How can I access the Description field to update it on uploads?
"The beat goes on.. da-da-dum dadum dum" BW
If the web server is Apache, then the description is determined by the AddDescription directive, which you can place in the .htaccess for that directory. Example:
AddDescription "Something different" foo.gif
AddDescription "Something interesting" bar.gif
Documentation:
http://httpd.apache.org/docs/mod/mod_autoindex.html#adddescription
- Mike
Has anyone installed VS6 after they installed VS .Net and if so are there any issues that need to be addressed. I have VS.Net installed on Windows XP Pro but still need to take care of older ASP and VB applications.
I actually had to install VS6 a few weeks ago, after using VS.NET and VS.NET 2k3 for a while. No problems so far... all three versions are happily coexisting, it seems.
- Mike
I am running a PHP script.
I am displaying contents using HTML.
I have a date field. After the user enters a date, a report is displayed.
I call the same script for the submit action.
When the report is displayed, the value from the date field is lost.
I want to retain this value the next time the report is displayed. How do I retain the previous field value when the page is refreshed?
Well, first you switch to ASP.NET...
--
-Blake (com/bcdev/blake)
Is it not possible to remember the values of fields like an edit control from the previous page on the next page, using PHP and HTML?
Remember this is a stateless environment. You need to provide the mechanism by query strings, hidden fields, or other methods. ASP.NET uses viewstate which is in essence a hidden field.
I am running a PHP script.
I am displaying contents using HTML.
I want to display a file path. The problem is it does not display '\' in the path.
e.g. c:\temp1\test.c
It displays it as c:temp1temp.c
I am reading the path from a MySQL database.
How can I display '\' in the file path?
Do you need to escape the backslash with another backslash?
c:\\temp1\\test.c ?
I did not get your question.
'/' in the text is not getting displayed.
e.g. text to be displayed:
c:\temp\tree\install
It gets displayed as follows:
c:temptreeinstall
What does your code for displaying the data look like? Please try to narrow your problem down to a small piece of code to make it easier for us to find your problem.
- Mike
Hi, I'm running IIS and sometimes Apache on my home machine and would like to know how to convert the localhost word in the URL to something that someone from another computer can access.
If the URL I use to access the page is
localhost:8080/Home.html
and my IP address is 152.103.2.19
then I test the URL as
http://152.103.2.19:8080/Home.html but it says page not found... am I doing something wrong?
If you have IIS and Apache on the same machine, then first of all stop the Apache service, then start the IIS server (Start - Settings - Control Panel - Administrative Tools - Internet Services Manager), click on Default Web Site and start the service.
Now browse to the URL (e.g. "http://160.2.80.6/test.htm").
Since you have an HTML page you need to check its extension, as it may be .htm or .html.
You can also use the computer name rather than the IP address.
Cheers
Amit Chowdhury
You might have the web server listening specifically on 127.0.0.1 or a name-based host "localhost", or a firewall might be blocking port 8080.
Are you actually connecting, but getting a 404, or is the browser unable to connect at all?
- Mike