|
Try currentStyle.
-----BEGIN GEEK CODE BLOCK-----
Version: 3.21
GCS/G/MU d- s: a- C++++ UL@ P++(+++) L+(--) E--- W+++ N++ o+ K? w++++ O- M(+) V? PS-- PE Y++ PGP++ t++@ 5 X+++ R+@ tv+ b(-)>b++ DI++++ D+ G e++>+++ h---* r+++ y+++
-----END GEEK CODE BLOCK-----
|
I've got a problem with a form in ASP. The first page accepts two picture files and 3 text fields, and the next page is supposed to save them into an Access database. The pictures save fine, but as soon as I try and use a Request.Form() on the text fields I get an HTTP500 error. Here are the pages:
add_record.asp:
<form method="post" action="write_record.asp" enctype="multipart/form-data">
thumb: <input type="file" name="thumbfield"><br>
picture: <input name="picturefield" type="file"><br>
make: <input name="makefield" type="text"><br>
price: <input name="pricefield" type="text"><br>
description:<br>
<textarea name="descriptionfield" cols="50" rows="10"></textarea><br>
<input type="submit" name="submit" value="submit">
</form>
write_record.asp:
<%
Set theForm = Server.CreateObject("ABCUpload4.XForm")
Set theField = theForm("picturefield")(1)

If theField.FileExists and theField.ImageType <> 0 Then
    Set cn = Server.CreateObject("ADODB.Connection")
    theConn = "dsn=vos;"
    cn.Open theConn
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "occasions", cn, 1, 3
    rs.AddNew
    rs("picture").Value = theField.Data
    Set theField = theForm("thumbfield")(1)
    If theField.FileExists and theField.ImageType <> 0 Then
        rs("thumb").Value = theField.Data
    end if

    'rs("make").Value = Request.Form("makefield") 'this causes it to die

    rs.Update
    rs.Close
    cn.Close
End If
%>
Any help will be appreciated.
Paul
modified 18-Jul-18 11:59am.
|
When uploading anything in traditional ASP and using an upload component, you cannot use Request.Form. When you set the enctype attribute on your form tag to "multipart/form-data", the HTTP headers change from what traditionally is sent. The upload component's job is to then process the header for you and give you access to all the form items through it.
Therefore, if you change the following line:
'rs("make").Value = Request.Form("makefield") 'this causes it to die
to
'assuming this is correct... It may be w/o an index. Don't know the component
rs("make").Value = theForm("makefield")(1)
That should help.
Steve
|
OK, I think I'm the only person in the world who can't get this to work.
I've got an html page:
<html>
<body>
<TABLE BORDER="1" CELLSPACING="0"
BACKGROUND="border1.gif">
<tr><td>
this is text
</td</tr>
</body>
</html>
I can't get my image to show up as the background for the table. It doesn't show up at all. If I do it works great.
I'm stuck, I have been for an hour...grr.
*.*
cin >> knowledge;
|
Maybe it's because the <table> tag isn't closed, or the </td should really be a </td> ?
- Mike
|
See this example and change image path for background parameter...
Cheers
|
Hi,
I have tried it out; it's working fine for me.
You can try without using caps.
|
Would anyone happen to know if it's possible to add a custom flag to IIS SMTP logs, and if so, how would you go about doing this? I support/develop an automated email program and have moved from using Outlook 2000 as a client and am now using CDO to bypass Outlook. Needless to say, I no longer have Outlook's GUI to have some sort of per-email tracking. I'm hoping to pass IIS some sort of email ID so I can connect IIS's SMTP log with my email archive.
|
Hello,
I am working with a few frames. When I push a button in one frame I would like to refresh another frame. I have the following code:
function Refresh()
{
    parent.frames[2].location.reload();
}
When I run this code I get a message that the page could not be refreshed. But the following code does work (DTree.aspx is usually the page already in the frame):
function Refresh()
{
    parent.frames[2].location = "DTree.aspx";
}
Any idea why the reload() function is not working?
Thanks for your help,
RC
|
Try this out.
<script language='javascript'>
function Refresh() {
    parent.frames[2].location = parent.frames[2].location;
}
</script>
|
It worked! Thanks for your help!!
RC
|
How does your browser know when you are no longer busy with the current website? Let's say you are browsing www.abc.com, and then you go to another site called www.def.com. The reason why I ask is because I want all variables created, server variables, to be destroyed when a user goes to a new website, one different than the current one. If possible, please supply some code.
|
Brendan Vogt wrote:
How does your browser know when you are no longer busy with the current website.
You don't. Really. HTTP is stateless; you have no concrete way of knowing when the user is done browsing your website. Even things like Flash objects or Java applets that try to send a dying gasp to the server are unreliable since the user's browser can crash, the object can be destroyed before it has a chance to communicate, the user's phone line is unplugged, etc.
To handle resource cleanup, you can set a time limit on how long the resources can be active. Occasionally run through the active resources and clean up old resources.
- Mike
|
Below I gave some server-side validation. This validates if the username and password are correct. If they are correct, it redirects the user to a new page. Could someone please check if my way is a good way of checking? Any modifications will be appreciated.
If boolIsPost Then
    ' Get username and password
    strUserName = Request.Form("username")
    strPassword = Request.Form("password")
    '-----------------------------------------------------------------
    ' Validate login details
    '-----------------------------------------------------------------
    ' Check username
    If Len(strUserName) < 4 Or Len(strUserName) > 20 Then
        strErrorTitle = "Invalid Username!"
        strError = "Please enter the required field."
        boolHasError = True
    ' Check password
    ElseIf Len(strPassword) < 4 Or Len(strPassword) > 20 Then
        strErrorTitle = "Invalid Password!"
        strError = "Please enter the required field."
        boolHasError = True
    '-----------------------------------------------------------------
    ' If all is ok
    '-----------------------------------------------------------------
    Else
        Set objRs = Server.CreateObject("ADODB.Recordset")
        strSQL = "SELECT User_Username, User_Password FROM tblUser WHERE " & _
                 "User_Username = '" & strUserName & "';"
        objRs.Open strSQL, objConn, 0, 2
        If objRs.EOF Then
            strErrorTitle = "Username does not exist!"
            strError = "Please enter the correct username."
            boolHasError = True
        ElseIf strPassword = objRs("User_Password") Then
            ' Username and password is valid
            Response.Write "Username and password exists!!!"
            Response.Redirect "project.asp"
        Else
            ' Password is invalid
            strErrorTitle = "Password is invalid!"
            strError = "Please enter the correct password!"
            boolHasError = True
        End If
        ' Close and release all resources
        objRs.Close
        Set objRs = Nothing
    End If
End If
I await your reply.
Brendan Vogt
brcvogt@yahoo.com
|
After a quick look, your code seems vulnerable to SQL injection through the username field. You should check first that it contains only characters allowed in usernames (letters and numbers).
|
Please explain a bit more please. I intend on using the e-mail as a username, or would you suggest otherwise? If possible, can you maybe supply some sample code please? If possible, may I send you this page and then you update it accordingly? Your help will be appreciated. You can mail me on brcvogt@yahoo.com then I will reply.
Thanks
|
Functionally it looks OK, but you have a number of potential security problems.
Firstly, you're storing your passwords in plain text in the database, which allows an attacker who can inspect your database to impersonate any user. It's typically better to use some form of hashing in order to prevent a direct attack. Look at the CAPICOM API for use of cryptographic hashing functions.
Your maximum limit on passwords seems quite short, and your minimum limit is very short. There are ways of computing the effective bit length of a password, which suggest that a 20 character password can only be considered equivalent to a 128-bit symmetric encryption key if the password includes both upper and lower case letters, digits and punctuation marks.
Your use of string concatenation to build a SQL string is very weak and could subject you to SQL injection attacks. For example, if an attacker typed
' DROP tblUser --
your strSQL would end up as
SELECT User_Username, User_Password FROM tblUser WHERE
User_Username = '' DROP tblUser --';
The comment operator -- prevents the trailing quote mark from causing a syntax error. This would then cause a denial of service to all valid users. You should not trust user data in this way - any user data. It is generally better to use regular expressions to define the set of characters allowed in inputs.
You can mitigate the problem by using an ADO Command object with a collection of parameters, which will cause ADO and the database engine to perform any quoting necessary.
Finally, and I'll admit this one is a bit contentious, you may be giving too much information away in case of failure - you inform the user whether the username or the password was incorrect. This allows an attacker to narrow the problem set - first he has to find the username, then the password. If you don't indicate which is incorrect, the attacker has to generate all possible passwords for all possible usernames, or use some kind of social engineering to discover one or both.
If you decide to do this, you might decide to get the database to perform all the comparisons:
SELECT User_Username FROM tblUser WHERE User_Username = ? AND User_Password = ?
where the ? represent parameters.
|
Can you maybe tell me where to get alternative information on this? I have searched the web but was unable to find info.
You stated the following... "It is generally better to use regular expressions to define the set of characters allowed in inputs", how can I improve my code to do this?
|
A good source of security information is the book I've just been reading (can you tell?), Writing Secure Code by Michael Howard and David LeBlanc (MS Press). Michael Howard also writes the MSDN Code Secure column, which you can also find via the MSDN Security Developer Centre.
To use regular expressions in an ASP page, use the RegExp object.
|
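An added example, not part of any post in this thread: the login check rewritten with the RegExp allow-list and the ADO Command parameter that the replies above recommend. It assumes `objConn` is an open connection and `boolIsPost` is set as in the question; `IsAllowedUserName`, `CheckLogin`, the letters-and-digits pattern and the single failure message are illustrative choices, and password storage is left as in the question.

```vbscript
<%
' Added example, not code from the thread. Helper names are hypothetical.
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adVarChar = 200    ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
' True only when the whole value matches the allow-list (pattern is an assumption).
Function IsAllowedUserName(strValue)
    Dim objRe
    Set objRe = New RegExp
    objRe.Pattern = "^[A-Za-z0-9]{4,20}$"
    IsAllowedUserName = objRe.Test(strValue)
End Function

' True when the user exists and the stored password matches exactly.
Function CheckLogin(objConn, strUserName, strPassword)
    Dim objCmd, objRs
    CheckLogin = False
    If Not IsAllowedUserName(strUserName) Then Exit Function
    If Len(strPassword) < 4 Or Len(strPassword) > 20 Then Exit Function

    Set objCmd = Server.CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandType = adCmdText
    ' The ? is bound by ADO, so a quote in the input stays data.
    objCmd.CommandText = "SELECT User_Password FROM tblUser WHERE User_Username = ?"
    objCmd.Parameters.Append _
        objCmd.CreateParameter("user", adVarChar, adParamInput, 20, strUserName)

    Set objRs = objCmd.Execute
    If Not objRs.EOF Then
        ' Binary compare in script: case-sensitive whatever the database collation.
        CheckLogin = (StrComp(objRs("User_Password").Value & "", strPassword, vbBinaryCompare) = 0)
    End If
    objRs.Close
    Set objCmd = Nothing
End Function

If boolIsPost Then
    strUserName = Request.Form("username") & ""
    strPassword = Request.Form("password") & ""
    If CheckLogin(objConn, strUserName, strPassword) Then
        Response.Redirect "project.asp"
    Else
        ' One message for every failure, so it does not reveal which field was wrong.
        strErrorTitle = "Login failed!"
        strError = "The username or password is incorrect."
        boolHasError = True
    End If
End If
%>
```

If e-mail addresses are used as usernames, the pattern and the parameter size of 20 both need widening to match the column.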
|
Hi
I am trying to develop a toolbar (for IE) to bring up the annotations on the page in the browser. When a section of the text is highlighted in the browser, I need to return the parent ID of the item selected. By ID I mean that, assuming that each of the html atags in the page is given an ID tag, such that we have a tree structure.
for eg
thus
The question is: having such a page, I need to write a function to return the ID of the parent node (since we have a tree structure) of the portion of the text selected. I guess this can be done using JavaScript. I have tried to implement it in a crude form. Can anyone guide me to do it? Is there any other way to do it (using C#, etc.)? The toolbar is implemented in C#.
Srikar Y
NITK Surathkal
|
When I view a directory through my browser, I get the following fields:
Name, Last Modified, Size, Description
How can I access the Description field to update it on uploads?
"The beat goes on.. da-da-dum dadum dum" BW
|
If the web server is Apache, then the description is determined by the AddDescription directive, which you can place in the .htaccess for that directory. Example:
AddDescription "Something different" foo.gif
AddDescription "Something interesting" bar.gif
Documentation:
http://httpd.apache.org/docs/mod/mod_autoindex.html#adddescription
- Mike
|
Has anyone installed VS6 after they installed VS .Net, and if so, are there any issues that need to be addressed? I have VS.Net installed on Windows XP Pro but still need to take care of older ASP and VB applications.
|
I actually had to install VS6 a few weeks ago, after using VS.NET and VS.NET 2k3 for a while. No problems so far... all three versions are happily coexisting, it seems.
- Mike
|