Error when leaving input blank in ASP - asp-classic

I am developing a script to allow users to write to Active Directory. The problem is that, when I leave a field blank, it results in an error. When, however, I put a value in, even a space, it seems happy. I have the following code:
<%#LANGUAGE="VBScript">
%>
<%
if isEmpty(request.form("subval")) then
response.write("You did not submit the form, please <a href='ldap.asp'>go back</a>")
else
'If the subval field is empty, we know the form has been submitted OK
dim firstname, lastname, email, telephonenumber, mobile, description
ADUser = "LDAP://OU=Staff,OU=Users,DC=example,DC=internal"
' Make AD connection and run query
subval = request.querystring("account_name")
'This value held the CN earlier, it is now overwriten here
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.provider ="ADsDSOObject"
objCon.Properties("User ID") = "EXAMPLE\Exampe"
objCon.Properties("Password") = "TestPassword"
objCon.Properties("Encrypt Password") = TRUE
objCon.open "Active Directory Provider"
Set objCom = CreateObject("ADODB.Command")
Set objCom.ActiveConnection = objCon
objCom.CommandText ="select sAMAccountName, distinguishedName FROM '"+ ADUser +"' where sAMAccountname='"& subval &"'"
Set objRS = objCom.Execute
distinguishedName = objRS.Fields("distinguishedName")
objRS.Close
objCon.Close
Set objRS = Nothing
Set objCom = Nothing
'We select the distinguishedName from AD
firstname = request.form("firstname")
lastname = request.form("lastname")
email = request.form("email")
telephonenumber = request.form("telephonenumber")
mobile = request.form("mobile")
description = request.form("description")
Const ADS_PROPERTY_UPDATE = 2
Set objUser = GetObject _ ("LDAP://" & distinguishedName)
if (IsNull(firstname)) Then
firstname = " "
end if
if (IsNull(lastname)) Then
lastname = " "
end if
if (IsNull(email)) Then
email = " "
end if
if (IsNull(telephonenumber)) Then
telephonenumber = " "
end if
if (IsNull(mobile)) Then
mobile = " "
end if
if (IsNull(description)) Then
description = " "
end if
objUser.Put "givenName", firstname
objUser.Put "mail", email
objUser.Put "sn", lastname
objUser.Put "mobile", mobile
objUser.Put "description", description
objUser.Put "telephoneNumber", telephonenumber
objUser.SetInfo
Response.Write("User data for "& subval &" has been modified")
end if
%>
The error I get whenever I leave a field blank is why I am trying to inject spaces into the variables since that seems to work in my form.
The error I get is on the SetInfo line
error '8007200b'
/updateldap.asp, line 68
I'm not sure what I can try since I've done all the stuff I can think of

8007200b = LDAP_INVALID_SYNTAX (The attribute syntax specified to the directory service is invalid)
I would say that you have worked out what the issue is. LDAP attributes cannot be NULL. You probably don't even need to have spaces, an empty string might work as well.
e.g.
if (IsNull(firstname)) Then
firstname = ""
end if

Related

Classic ASP: General access denied error

I have a system, written in Classic ASP, which reads data from a form and updates AD. I am, however, getting the following error when I try and update my own information:
Active Directory error '80070005'
General access denied error
/activedirectory/index.asp, line 99
Line 99 is
objUser.SetInfo
and the entire code block is as follows:
<%
uname = request.querystring("account_name")
ADUser = "LDAP://OU=Staff,OU=Users,DC=example,DC=internal"
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.provider ="ADsDSOObject"
objCon.Properties("User ID") = "NETWORK\example"
objCon.Properties("Password") = "PaSsWoRd"
objCon.Properties("Encrypt Password") = TRUE
objCon.open "Active Directory Provider"
Set objCom = CreateObject("ADODB.Command")
Set objCom.ActiveConnection = objCon
objCom.CommandText ="select distinguishedName FROM '"+ ADUser +"' where sAMAccountname='"& uname &"'"
Set objRS = objCom.Execute
distinguishedName = objRS.Fields("distinguishedName")
'Const ADS_PROPERTY_UPDATE = 2
Set objUser = GetObject _
("LDAP://" & distinguishedName)
objUser.Put "givenName", firstname
objUser.Put "mail", email
objUser.Put "sn", lastname
objUser.Put "mobile", mobile
objUser.Put "description", description
objUser.Put "telephoneNumber", telephonenumber
objUser.Put "department", department
objUser.Put "title", title
objUser.Put "company", company
objUser.SetInfo
Response.Write("User data for "& uname &" has been modified. Click <a href='/'>here</a> to go home")
%>
I have gone through the troubleshooting steps that I can think of, ensuring the password I am using is correct, making sure the account has delegated write permissions, etc. Some pointers would be much appreciated

Classic ASP: Type mismatch: 'GroupCheck'

I have a function named GroupCheck, which is designed to get the logged in users group from AD. It is, however, giving me the following error:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'GroupCheck'
/ldap.asp, line 67
Line 67 is where I call the function, passing in the Request.ServerVariables("AUTH_USER")
The following function is stored in a file which is included at the top of the page:
<%
function GroupCheck(user)
dim user, ADUser, objCom, objCon, objRS, membership
ADUser = "LDAP://OU=Staff,OU=Users,DC=example,DC=internal"
' Make AD connection and run query'
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.provider ="ADsDSOObject"
objCon.Properties("User ID") = "EXAMPLE\user"
objCon.Properties("Password") = "Test"
objCon.Properties("Encrypt Password") = TRUE
objCon.open "Active Directory Provider"
Set objCom = CreateObject("ADODB.Command")
Set objCom.ActiveConnection = objCon
objCom.CommandText = "SELECT memberOf FROM '" + ADUser + "' where sAMAccountName='*" + 'user + "*' AND UserAccountControl <> 514"
Set objRS = objCom.Execute
Do While Not objRS.EOF Or objRS.BOF
if isNull(objRS.Fields("memberOf").value) then
membership = ""
else
for each item in objRS.Fields("memberOf").value
membership = item + "<br>"
next
end if
if inStr(membership, "UserGroup") then
GroupCheck = 1
else
GroupCheck = 0
end if
objRS.MoveNext
Response.Flush
Loop
'Clean up'
objRS.Close
objCon.Close
Set objRS = Nothing
Set objCon = Nothing
Set objCom = Nothing
end function
%>
I really don't know what the problem is, because /ldap.asp, line 67 is :
Set getMembership(username)
EDIT: My code for ldap.asp is:
getMembership = GroupCheck(Request.ServerVariables("AUTH_USER"))
'This should fetch all the accounts that appears in the "Contact Centre" group
if getMembership = 1 then
'Response.Write "<td><a href='entry.asp?account_name=" & objRS("sAMAccountName") & "'>Edit</a></td>"
elseif objRS("sAMAccountName") = session("username") then
Response.Write "<td><a href='entry.asp?account_name=" & objRs("sAMAccountName") + "'>Edit</a></td>"
else Response.Write "<td></td>"
end if
Response.Write "</tr>" + vbCrL
objRS.MoveNext
Response.Flush
Loop
Response.Write "</table>"
' Clean up
objRS.Close
objCon.Close
Set objRS = Nothing
Set objCon = Nothing
Set objCom = Nothing
%>
So what exactly is in line 67?
Set getMembership(username)
or
[unknown variable] = GroupCheck(Request.ServerVariables("AUTH_USER"))
?
In any case, this is probably the cause of the problem:
objCom.CommandText = "SELECT memberOf FROM '" + ADUser + "' where sAMAccountName='*" + 'user + "*' AND UserAccountControl <> 514"
In VBScript, the + operator is for arithmetic addition. "SELECT memberOf From '" cannot be converted into a number; hence the type mismatch. Probably. (I can't be sure because I don't know how you're calling or including the function.)
Instead, use the proper VBScript concatenation operator, &.
objCom.CommandText = "SELECT memberOf FROM '" & ADUser & "' where sAMAccountName='*" & user & "*' AND UserAccountControl <> 514"
Also, you're potentially shooting yourself in the foot by dimming a variable with the same name as the function argument:
function GroupCheck(user)
dim user, ADUser, objCom, objCon, objRS, membership
'^^^^
It may still work if you do that, but it's just not a good idea.

Updating Password in sql database using text-box

using ASP.NET & VB.NET i trying to update the user password, where it is equals to the sessionID
Database using is SQL Local.
here is the vb .net code
Dim pass As String
pass = tboxConFirmPass.Text
Dim connce As SqlCeConnection = New SqlCeConnection(ConfigurationManager.ConnectionStrings("ConnectionString").ToString())
connce.Open() 'make the connection to DB
Dim sqlCommand As String = "UPDATE [tbCustomer] SET [Password] = ('" _
+ tboxConFirmPass.Text + "', '" + "WHERE [CustomerID] = #CustomerID" + "')"
Dim cmd As SqlCeCommand = New SqlCeCommand(sqlCommand, connce)
cmd.ExecuteNonQuery()
connce.Close()
MsgBox("Your Password has been chaged.")
End Sub
here is the SqlDataSource
UpdateCommand="UPDATE [tbCustomer] SET [Password] = #Password WHERE [CustomerID] = #CustomerID">
Error = There was an error parsing the query. [ Token line number = 1,Token line offset = 42,Token in error = , ]
Right, your query needs to be changed thus:
Dim sqlCommand As String = "UPDATE [tbCustomer] SET [Password] = '" _
& Replace(tboxConFirmPass.Text, "'", "''") & "' WHERE [CustomerID] = #CustomerID"
I've sorted your brackets and quotes mismatches out, changed the string concatenation operator to & and put an escape in to reduce the possibility of SQL injection vulnerability (if someone puts a single quote in their password, your query will no longer fall over, or worse).
To set a value for #CustomerID you need to add a SQL Parameter to the command object. If you don't give it a value you'll get the error mentioned in your comment. Alternatively you can concatenate the value like you do with the password:
Dim sqlCommand As String = "UPDATE [tbCustomer] SET [Password] = '" _
& Replace(tboxConFirmPass.Text, "'", "''") & "' WHERE [CustomerID] = " & CustomerID
Note that you will need to use a variable that is initialised with the ID of the customer whose password is being changed.

Send Password if user forgets

I'm working on a project with asp and i have a section of where a user forgets his or her password she enters her email and if it's valid it sends the password. Now the problem is, its able to check if the email is in the database alright and sends the mail, but can't send the password along.
<%
'Check if the form has been processed
If Request.Form("process")="true" Then
'Check the recordset for a valid record
If Not rs_user.Eof Then
'Valid record, so proceed with the email
Call sSendReminder (rs_user("email"), rs_user("password"))
Response.Write "Your password has been sent to your inbox. If you don't find it in your mail box, check your junk mail folder"
dim sName, sEmail, sMessage
dim oCdoMail, oCdoConf, sConfURL
sEmail = Request.Form("email")
Set oCdoMail = Server.CreateObject("CDO.Message")
Set oCdoConf = Server.CreateObject("CDO.Configuration")
sConfURL = "http://schemas.microsoft.com/cdo/configuration/"
with oCdoConf
.Fields.Item(sConfURL & "sendusing") = 2
.Fields.Item(sConfURL & "smtpserver") = "smptserveraddress.com"
.Fields.Item(sConfURL & "smtpserverport") = 25
.Fields.Update
end with
with oCdoMail
.From = "noreply#sample.com"
.To = sEmail
.Subject = "Password Recovery from samplesite"
.TextBody = "Your password is: " & password
.HTMLBody = "Your password is: " & password
.Configuration = oCdoConf
.Send
end with
Set oCdoConf = Nothing
Set oCdoMail = Nothing
Else
'Not a valid record
Response.Write "Sorry, no email was found."
End If
End If
Sub sSendReminder(email, password)
End Sub
%>
Is the above code the exact code you are running?
If so, you need to move the
Sub sSendReminder(email, password)
above
dim sName, sEmail, sMessage
You also need to move those "end if" statements outside the sub.
Your code runs (I think) because it is technically correct, but it doesn't run like you think it should because your sub is actually blank.
Correct code would look like this:
<%
'Check if the form has been processed
If Request.Form("process")="true" Then
'Check the recordset for a valid record
If Not rs_user.Eof Then
'Valid record, so proceed with the email
Call sSendReminder (rs_user("email"), rs_user("password"))
Response.Write "Your password has been sent to your inbox. If you don't find it in your mail box, check your junk mail folder"
Else
'Not a valid record
Response.Write "Sorry, no email was found."
End If
End If
Sub sSendReminder(email, password)
dim sName, sEmail, sMessage
dim oCdoMail, oCdoConf, sConfURL
sEmail = Request.Form("email")
Set oCdoMail = Server.CreateObject("CDO.Message")
Set oCdoConf = Server.CreateObject("CDO.Configuration")
sConfURL = "http://schemas.microsoft.com/cdo/configuration/"
with oCdoConf
.Fields.Item(sConfURL & "sendusing") = 2
.Fields.Item(sConfURL & "smtpserver") = "smptserveraddress.com"
.Fields.Item(sConfURL & "smtpserverport") = 25
.Fields.Update
end with
with oCdoMail
.From = "noreply#sample.com"
.To = sEmail
.Subject = "Password Recovery from samplesite"
.TextBody = "Your password is: " & password
.HTMLBody = "Your password is: " & password
.Configuration = oCdoConf
.Send
end with
Set oCdoConf = Nothing
Set oCdoMail = Nothing
End Sub %>

Automatically Logging In User After Custom Membership Creation (not using Wizard)

I'm using the following code to create a user account on my vb.net website. The code is in a button click. It works fine as far creating the membership but when the user is redirected to the next page they are not logged in. Apparently "newUser.IsApproved = True" is not working. Any thoughts on what I'm doing wrong. I want the user to be automatically logged in after the membership is created.
Dim createStatus As MembershipCreateStatus
Try
Dim newUser As System.Web.Security.MembershipUser = Membership.CreateUser(txtinput_Email.Value, txtinput_Password.Value, txtinput_Email.Value)
newUser.IsApproved = True
Catch ex As Exception
LabelCreateAccountResults.Text = ex.Message
' MessageBox.Show("There's an error: " & vbCrLf & ex.ToString)
Response.Write("<script language='javascript'>alert('" & ex.Message & "')</script>")
Exit Sub
End Try
Select Case createStatus
Case MembershipCreateStatus.Success
LabelCreateAccountResults.Text = "The user account was successfully created!"
Response.Redirect("yo-delivery.aspx")
Case MembershipCreateStatus.DuplicateUserName
LabelCreateAccountResults.Text = "That username already exists."
Case MembershipCreateStatus.DuplicateEmail
LabelCreateAccountResults.Text = "A user with that Email address already exists."
Case MembershipCreateStatus.InvalidEmail
LabelCreateAccountResults.Text = "PLease enter a VALID email address."
Case MembershipCreateStatus.InvalidPassword
LabelCreateAccountResults.Text = "The password entered is invalid. Please enter a passoword with at least 4 characters."
Case Else
LabelCreateAccountResults.Text = "Unknown Error: Account NOT created."
End Select
OK perhaps look into something along these lines
Dim username__1 As String = Username.Text
Dim password__2 As String = Password.Text
If Membership.ValidateUser(username__1, password__2) Then
Dim ticket As New FormsAuthenticationTicket(1, username__1, DateTime.Now, DateTime.Now.AddMinutes(20), False, String.Empty, _
FormsAuthentication.FormsCookiePath)
Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket)) With { _
Key .Expires = ticket.Expiration, _
Key .Path = FormsAuthentication.FormsCookiePath _
})
If Not String.IsNullOrEmpty(Request.QueryString("returnurl")) Then
Response.Redirect(Request.QueryString("returnurl"))
End If
Response.Redirect("~/Home")
End If

Resources