So i have this program that sending notification value to other page and show the notification, but the problem is you can edit the value in the url,
If lngErrNo <> 0 Then
response.write "Error while update Product."
response.end
Else
v_strMsg = "Edit Kelipatan Jumlah Pesanan Berhasil!"
Response.Redirect "global_notification.asp?strMsg=" & v_strMsg
End If
the problem is you can edit v_strMsg in url for the example abc.com/global_notification.asp?strMsg= "anything you can edit the value here", and the display page is look like this
<body>
<table class="1" width=70% cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/bgtable.gif"><div align="left" class="fontwhiteheader13">
ATTENTION!!</div>
</td>
</tr>
<tr>
<td valign="top"><table width=100% height="360" cellpadding="2" cellspacing="2" bgcolor="white">
<tr>
<td align=center class="fontblueheader13"><%=Request.QueryString("strMsg")%>
</td>
</tr>
</table></td></tr></table>
</body>
any possible way to sending the value without changing it to POST metod? i try htmlEncode but v_strMsg still can be edited in url, any suggestion?
You need a signed URL.
A signed URL includes a digital signature that proves the request was generated by the server.
The first thing you need to do is create a secret key:
' Generate your own key from:
' https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx
Const secret_key = "G+KbPeShVmYq3s6v9y$B&E)H#McQfTjW"
In this example it's a 256 bit key.
You also need a hashing function:
hash.asp
<%
' Might as well store the secret key constant in this file:
Const secret_key = "G+KbPeShVmYq3s6v9y$B&E)H#McQfTjW"
Function Hash(ByVal Input, HashAlgorithm)
' Select the System.Security.Cryptography value.
Select Case uCase(HashAlgorithm)
Case "MD5"
HashAlgorithm = "MD5CryptoServiceProvider"
Case "SHA1"
HashAlgorithm = "SHA1CryptoServiceProvider"
Case "SHA2","SHA256"
HashAlgorithm = "SHA256Managed"
Case "SHA384"
HashAlgorithm = "SHA384Managed"
Case "SHA5","SHA512"
HashAlgorithm = "SHA512Managed"
Case Else
HashAlgorithm = "SHA1CryptoServiceProvider"
End Select
' Convert the input to bytes if not already.
If NOT VarType(Input) = 8209 Then
Dim utf8 : Set utf8 = Server.CreateObject("System.Text.UTF8Encoding")
Input = utf8.GetBytes_4(Input)
Set utf8 = Nothing
End If
' Perform the hash.
Dim hAlg : Set hAlg = Server.CreateObject("System.Security.Cryptography." & HashAlgorithm)
Dim hEnc : Set hEnc = Server.CreateObject("MSXML2.DomDocument").CreateElement("encode")
hEnc.dataType = "bin.hex"
hEnc.nodeTypedValue = hAlg.ComputeHash_2((Input))
Hash = hEnc.Text
Set hEnc = Nothing
Set hAlg = Nothing
End Function
%>
Now you're ready to sign your URL with a digital signature.
' Be sure to include "hash.asp"
' Your message:
v_strMsg = "Edit Kelipatan Jumlah Pesanan Berhasil!"
' A unix timestamp:
v_uts = DateDiff("s","1970-01-01 00:00:00",Now())
' NOTE: Your servers timezone should be set to UTC to generate a true unix timestamp,
' but it doesn't really matter, as long as "global_notification.asp" is on the same
' server, or a server set to the same timezone as the page you're generating the
' signature from.
' Now we create the signature as so:
v_signature = Hash(v_strMsg & v_uts & secret_key,"SHA256")
' Finally, redirect to "global_notification.asp"
Response.Redirect "global_notification.asp?strMsg=" & Server.URLEncode(v_strMsg) & "&ts=" & v_uts & "&signature=" & v_signature
Example redirect:
global_notification.asp?strMsg=Edit+Kelipatan+Jumlah+Pesanan+Berhasil%21&ts=1612794802&signature=61016c0a0460902cc4a19f092dcbb4fd818aa9c88d2631e087868253e73983da
Now to validate the signature on global_notification.asp:
<!--#include file = "hash.asp" -->
<%
Dim v_strMsg, v_uts, v_signature, v_uts_now
v_strMsg = Request.QueryString("strMsg")
v_uts = Request.QueryString("ts")
v_signature = Request.QueryString("signature")
' Do some basic validation first.
If v_signature = "" Then
Response.Write "Missing Signature"
Response.End()
ElseIf v_uts = "" Then
Response.Write "Missing Timestamp"
Response.End()
ElseIf NOT Len(v_signature) = 64 Then
Response.Write "Invalid Signature"
Response.End()
ElseIf NOT (IsNumeric(v_uts) AND Len(v_uts) = 10) Then
Response.Write "Invalid Timestamp"
Response.End()
End If
' Validate the signature. To do this, we simply recreate what we're expecting the signature
' to be, and compare it to the one being passed.
If NOT Hash(v_strMsg & v_uts & secret_key,"SHA256") = v_signature Then
Response.Write "Invalid Signature"
Response.End()
End If
' Now let's set an expiration period for the link, say 30 seconds? (or 86400 seconds for a day, 604800 for a week etc).
v_uts = Int(v_uts) + 30
v_uts_now = DateDiff("s","1970-01-01 00:00:00",Now())
If v_uts_now >= v_uts Then
Response.Write "Expired Link"
Response.End()
End If
' At this point, everything is good.
' Go ahead and display the message:
%>
<body>
<table class="1" width="70%" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/bgtable.gif"><div align="left" class="fontwhiteheader13"> ATTENTION!!</div></td>
</tr>
<tr>
<td valign="top"><table width="100%" height="360" cellpadding="2" cellspacing="2" bgcolor="white">
<tr>
<td align=center class="fontblueheader13"><%=v_strMsg%></td>
</tr>
</table></td>
</tr>
</table>
</body>
Now if you try and change the message (or the timestamp) you'll get an Invalid Signature error. The only way to generate a valid working link is to know the secret key, which of course is hidden.
Related
i want to send email using Persits.MailSender object. i found one solution and i include this code this solution works and Object created:
<%
posted = request.form ("submit")
if posted = "Submit" then
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Customize the following 5 lines with your own information. ''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
vtoaddress = "_____" ' Change this to the email address you will be receiving your notices.
vmailhost = Application("ServerAddress") ' Change this to your actual Domain name.
vfromaddress = "_____" ' Change this to the email address you will use to send and authenticate with.
vfrompwd = "_______________" ' Change this to the above email addresses password.
vsubject = "ASP Contact Form" 'Change this to your own email message subject.
'''''''''''''''''''''''''''''''''''''''''''
'' DO NOT CHANGE ANYTHING PAST THIS LINE ''
'''''''''''''''''''''''''''''''''''''''''''
vfromname = request.form ("TName")
vbody = request.form ("TBody")
vrplyto = request.form ("TEmail")
vmsgbody = vfromname &"<br>"& vrplyto &"<br>"& vbody
Set objEmail = Server.CreateObject("Persits.MailSender")
objEmail.Username = vfromaddress
objEmail.Password = vfrompwd
objEmail.Host = vmailhost
objEmail.From = vfromaddress
objEmail.AddAddress vtoaddress
objEmail.Subject = vsubject
objEmail.Body = vmsgbody
objEmail.IsHTML = True
objEmail.Send
vErr = Err.Description
if vErr <> "" then
response.write vErr & "<br><br>There was an error on this page."
else
response.write "Thank you, your message has been sent."
End If
Set objEmail = Nothing
response.write "Thank you, your message has been sent."
end if
%>
<html><body>
<form name="SendEmail01" method="post">
<table border=0>
<tr>
<td>Name:</td>
<td><input type="text" name="TName" size="30"></td>
</tr>
<tr>
<td>Email:</td>
<td><input type="text" name="TEmail" size="30"></td>
</tr>
<tr>
<td>Body:</td>
<td><textarea rows="4" name="TBody" cols="30"></textarea></td>
</tr>
<tr>
<td><input type="submit" name="Submit" value="Submit"></td>
</tr>
</form>
</body></html>
after filling all fields and submitting page then error occured like:
Persits.MailSender.4 error '800a0004'
Cannot assign requested address.
/contact_form.asp, line 34
please help me..
I hope so this piece of code will help you
<%
Class HVMailer
Private mMail
Private Sub Class_Initialize()
Set mMail = Server.CreateObject("Persits.MailSender")
mMail.Host = ""
mMail.Username = ""
mMail.Password = ""
mMail.TLS = True
End Sub
Public Property Let FromAddress(sFrom)
mMail.From = trim(sFrom)
End Property
Public Property Let FromName(sFromName)
mMail.FromName = trim(sFromName)
End Property
Public Property Let ReplyTo(sReply)
mMail.AddReplyTo trim(sReply), trim(sReply)
End Property
Public Property Let Subject(sSubject)
mMail.Subject = sSubject
End Property
Public Property Let BodyText(sBodyText)
mMail.Body = sBodyText
End Property
Public Property Let HTML(bHTML)
mMail.isHTML = bHTML
End Property
Public Sub AddRecipient(sAddress, sName)
sAddress = trim(sAddress)
if mMail.ValidateAddress(sAddress)= 0 Then
mMail.AddAddress sAddress, sName
end if
End Sub
Public Sub AddCC(sAddress, sName)
sAddress = trim(sAddress)
if mMail.ValidateAddress(sAddress)= 0 Then
mMail.AddCC sAddress, sName
end if
End Sub
Public Sub AddBCC(sAddress, sName)
sAddress = trim(sAddress)
if mMail.ValidateAddress(sAddress)= 0 Then
mMail.AddBCC sAddress, sName
end if
End Sub
Public Sub AddAttachment(sFile)
mMail.AddAttachment sFile
End Sub
Public function Send()
On Error Resume Next
mReturn = True
mMail.Send
if Err<>0 Then
mReturn = false
end if
Set mMail = Nothing
send = mReturn
End Function
End Class
%>
I recently got helped to fix my ASP EMAIL script but now I get this compiling error when trying to send email from the CONTACT FORM .. The script is below the ERROR MESSAGE
Server Error in '/' Application.
Compilation Error
Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.
Compiler Error Message: BC30807: 'Let' and 'Set' assignment statements are no longer supported.
Source Error:
Line 10: if Request("Send") <> "" Then
Line 11:
Line 12: Set objMail = Server.CreateObject("Persits.MailSender")
Line 13:
Line 14: objMail.Host = strHost
Source File: E:\HostingSpaces\dma\myuniversalcare.com\wwwroot\contact-us\Default.aspx Line: 12
Here is the script:
<%
Session.CodePage = 65001
Dim strHost, objMail, strToAddress, txtMsg
' Change this to your own SMTP server
strHost = "localhost"
if Request("Send") <> "" Then
Set objMail = Server.CreateObject("Persits.MailSender")
objMail.Host = strHost
objMail.From = "info#persits.com" ' From address
objMail.FromName = "AspEmail Live Demo" ' optional
strToAddress = Trim(Request("txtTo"))
' To prevent header injection attack
strToAddress = Replace( strToAddress, " ", "" )
strToAddress = Replace( strToAddress, chr(13), "" )
strToAddress = Replace( strToAddress, chr(10), "" )
' To address, 2nd argument omitted.
objMail.AddAddress strToAddress
' Message subject
objMail.Subject = objMail.EncodeHeader( Request("txtSubject"), "UTF-8" )
' Enable Unicode
objMail.ContentTransferEncoding = "Quoted-Printable"
objMail.CharSet = "UTF-8"
' Message body
objMail.Body = Request("txtBody")
' Include a disclaimer
objMail.Body = objMail.Body & chr(13) & chr(10) & chr(13) & chr(10) & "-----------------------------------" & chr(13) & chr(10) & chr(13) & chr(10) & "This message was generated by the AspEmail live demo on-line application. Persits Software, Inc. is not responsible for its content."
On Error Resume Next
objMail.Send ' Send message
If Err = 0 then
txtMsg = "<font color=green>Success! Message sent to " & strToAddress + ".</font>"
Else
txtMsg = "<font color=red>Error occurred: " + err.Description + "</font>"
End If
End If
%>
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" content="text/html; charset=utf-8">
<TITLE>AspEmail Live Demo: Unicode-enabled Message Sending</TITLE>
</HEAD>
<BODY style="font-family: arial narrow; font-size: 10pt">
<h2>AspEmail Live Demo: Unicode-enabled Message Sending</h2>
<P>
<FORM METHOD="POST" ACTION="demo_simple.asp">
<TABLE CELLSPACING=2 CELLPADDING=2 BGCOLOR="#E0E0E0" style="border: 1pt black solid; border-collapse: collapse">
<TR>
<TD>To:</TD>
<TD><INPUT TYPE="TEXT" size="40" NAME="txtTo" VALUE="<% = Server.HtmlEncode(Request("txtTo")) %>"></TD>
</TR>
<TR>
<TD>Subject:</TD>
<TD><INPUT TYPE="TEXT" size="40" NAME="txtSubject" VALUE="<% = Server.HtmlEncode(Request("txtSubject")) %>"></TD>
</TR>
<TR>
<TD valign="top">Body:</TD>
<TD><TEXTAREA NAME="txtBody" Rows="10" Cols="40"><% = Server.HtmlEncode(Request("txtBody")) %></TEXTAREA></TD>
</TR>
<TR>
<TD COLSPAN=2><INPUT TYPE="SUBMIT" NAME="Send" VALUE="Send Message"></TD>
</TR>
</TABLE>
<P>
<% = txtMsg %>
</FORM>
</BODY>
</HTML>
If you are using aspx you can not use set . You are having a ASP code in to aspx page .
This site has been very useful in helping resolved many unknowns. Thank you. Now I have one unknown that I have not been able to locate an answer to.
The error is:
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
I’m using:
ASP Classic
MS SQL Server 2000
In ASP there is a <textarea> within a “form” to insert notes, when notes are inserted and the submit button is pushed the stored procedure insert the note into the note table datetimestamp it and add the logon user. That is doing exactly what it is to do. Additionally in ASP there is a <table> that populates with the note, datetimestamp and logon user with the other previous entries. That also is doing exactly what it is to do.
The above mentioned error occurs when the submit button is pressed, by hitting the browsers back button when the error page shows up, then refreshing the page the <textarea> is cleared and note, datetimetime, and logon user display in the <table>
ASP Classic page:
Dim rsAccountNote
<form name="Accountnote" method="post" action="/admin/xt_Accountnote.asp">
<td>
<b>Add Note:</b><br />
<textarea type="text" name="notes" value="" rows="7" cols="43" style="resize: none;"></textarea><br />
<input type="submit" value="Add new note"/>
</td>
<table>
<tr>
<td>
<b>Read Notes:</b>
</td>
</tr>
<%
set rsAccountNote = DBConn.Execute("SELECT AccountNotes, LogonUser_Id, dtAccountNotedatetime FROM AccountNotes WHERE AccountId = " & rsAccount("AccountId"))
rsAccountNote.Sort="dtAccountNotedatetime DESC"
Do While Not rsAccountNote.EOF
%>
<tr>
<td>
Added <%=rsAccountNote("dtAccountNotedatetime")%> by <%=rsAccountNote("LogonUser_Id")%>
</td>
</tr>
<tr>
<td>
<b>Note: </b> <%=rsAccountNote("AccountNotes")%>
</td>
</tr>
<%
rsAccountNote.MoveNext
Loop
Set rsAccountNote = Nothing
%>
</tr>
</td>
</tr>
</table>
</form>
ASP Classic xt_page:
<%
Dim rsAccount
Dim iAccount
Dim LogonUser_id
Dim AccountNotes
sSQL = "exec spApp_UpdateAccountNotes " & _
"#iAccount = " & Trim(Request("Account_id")) & ", " & _
"#AccountNotes = " & prepString(Request("AccountNotes")) & ", " & _
"#LogonUser_id = " & prepString(Request("Logon_User"))
Call resultQuery(DBConn, rsAccount, sSQL, "", true)
Response.Redirect("/Account_admin/accountinfo.asp?account_id=" & Trim(Request("account_id")))
%>
Stored procedure:
CREATE PROCEDURE spApp_UpdateAccountNotes
(
#iAccount int,
#LogonUser_id varchar (50),
#AccountNotes varchar(5000)
)
AS
SET NOCOUNT ON
insert AccountNotes
(
AccountId,
LogonUser_Id,
AccountNotes
)
values
(
#iAccount,
#LogonUser_Id,
#AccountNotes
)
GO
Try using a Command object to execute the SP as parameterised query. This solves the more serious problem of your code being open to a SQL Injection attack.
In fact your first page is also open to attack, you should use a command object there also.
Possibly the real source of your problem is that resultQuery tries to generate and do something with a recordset from the SP which doesn't return a result set, its only an insert. Perhaps resultQuery just isn't the thing to call in this case. An ADODB Command object and Execute would be all that is needed.
I have one folder in which my images get stored, now I want to create a slideshow such as the one here.
I tried the following code (but it displays just single image on page refresh):
<%#LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<html>
<head>
<%
Function RandomImage(strPath,strDefault)
On Error Resume Next
'response.Write("HI")
Randomize Timer
' declare all variables
Dim objFSO, objFolder, objFiles, objFile
Dim strFiles, strImages, strPhysical, strFile
' this constant has the names of valid image file name
' extensions and can be modified for more image types
Const strValid = ".gif.jpg.png"
' make sure we have a trailing slash in the path
If Right(strPath,1) <> Chr(47) Then strPath = strPath & Chr(47)
' get the physical path of the folder
strPhysical = Server.MapPath(strPath)
' get a File System Object
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
' create a folder object
Set objFolder = objFSO.GetFolder(strPhysical)
' get the files collection
Set objFiles = objFolder.Files
' enumerate the files collection looking for images
For Each objFile in objFiles
strFile = LCase(objFile.Name)
If Instr(strValid,Right(strFile,4)) Then
' add vaild images to a string of image names
strFiles = strFiles & strFile & vbTab
End If
Next
' split the image names into an array
strImages = Split(strFiles,vbTab)
' if we have an array...
If UBound(strImages) > 1 Then
' get a random name
RandomImage = strPath & strImages(Int(Rnd(1)*UBound(strImages)))
Else
' otherwise return the default
RandomImage = strDefault
End If
End Function
%>
<%
strImg = RandomImage("./retailers/","./retailers/A1-Supplements.jpg")
strsplit = split(strImg,"/")
' Response.Write(strsplit(2))
' Response.Write("rahul =" &strImg)
' d_desc = Split(Request.Form("strImg"),"/")
' Name of text file to search:
strFileName = "saveimagename.txt"
' Text to search for:
strSearchText = strsplit(2)
'response.Write(strSearchText)&"<br/>"
'response.end()
' Create an instance of the the File System Object
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
' Open the file
Set objTextFile = objFSO.OpenTextFile(Server.MapPath(strFileName))
URLString = ""
Do While Not objTextFile.AtEndOfStream
strReadLineText = objTextFile.ReadLine
'response.Write(strReadLineText & "<br>")
If strReadLineText<>"" then
If Instr(strReadLineText,",")>0 then
strReadLineTextArr=split(strReadLineText,",")
URLString=strReadLineTextArr(1)
end if
end if
If InStr(lcase(strReadLineText), lcase(strSearchText)) > 0 Then
Exit Do
End If
Loop
strSearchText=""
' Close and release file references
objTextFile.Close
Set objTextFile = Nothing
Set objFSO = Nothing
'Response.Write URLString
'Response.End()
%>
</head>
<body>
<div align="center" style="width:800px; float:left;">
<center>
<table border="0" width="800px">
<tr>
<td>
</td>
<td bgcolor="#000" align="center" style="border:none;">
<img src="<%=strImg%>" onClick="<%=URLString%>" border="0">
</td>
<td>
</td>
</tr>
</table>
</center>
</div>
</body>
</html>
Please help me.
Try to accomplish this from the server-side is very difficult. You can only assign the images once and the only way to change them is for your user to refresh the page.
What you need to do is create your slideshow on the client-side with JavaScript. Fortunately, there are lots of libraries that can help you. Search for slideshows and jquery and you should be able to find what you need. Here's one such link.
You definitely want to do this on the client side using jQuery. It will be more efficient for your end users and less server interaction.
Here are a few good slideshows with tutorials on how to implement them:
http://speckyboy.com/2009/06/03/15-amazing-jquery-image-galleryslideshow-plugins-and-tutorials/
I need to find several hrefs in html like this:
<table>
<tr><td>link1</td>
<td><img src="image.jpg" /></td>
</tr>
</table>
Once found I need to add (replace) to each href something like this:
?ID=1
therefore the html should turn out like this:
<table>
<tr><td>link1</td>
<td><img src="image.jpg" /></td>
</tr>
</table>
Any help would be appreciated, thanks, Mike.
Here's the new code:
Shared Function AdjustURL(ByVal psInput As String, ByVal psAppend As String) As String
Dim sOrig As String = " " & psInput 'Prepending a space (browser will ignore) in case the first character is a link.
Dim sOutput As String = ""
Dim iEnd As Integer = -1, iQuestion As Integer = -1
While sOrig.Length > 0
sOutput &= sOrig.Substring(0, 1)
sOrig = sOrig.Substring(1)
iEnd = -1
If sOrig.StartsWith("<a href=") Then 'Is this a safe assumption, what if it's not an <a> or href isn't next after only one space?
If sOrig.StartsWith("<a href=""") Then
iEnd = InStr(10, sOrig, """") 'URL ends with a Quote
Else
iEnd = InStr(9, sOrig, " ") 'URL ends with a Space - are there other possibilities?
End If
iQuestion = InStr(sOrig, "?")
If iQuestion > iEnd Then iQuestion = -1
sOutput &= sOrig.Substring(0, iEnd - 1) & IIf(iQuestion > -1, "?", "&") & psAppend
sOrig = sOrig.Substring(iEnd - 1)
End If
End While
Return sOutput
End Function
Call:
Dim sHTML As String = "<table> <tr><td>link1</td> <td><img src=""image.jpg"" /></td> </tr> </table>"
Response.Write(Class1.AdjustURL(sHTML, "ID=1"))
Result:
<table> <tr><td>link1</td> <td><img src="image.jpg" /></td> </tr> </table>
I'm sure there will be other replacements you will discover over time as users enter things. I'd definitely recommend replacing <script with something like <span style=display:none to avoid javascript injection. You'll also want to be sure to avoid SQL injection before writing this to your database.