Develop Reference

How to pass value parameter in url that cannot excecute directly in url?

So i have this program that sending notification value to other page and show the notification, but the problem is you can edit the value in the url,
If lngErrNo <> 0 Then
response.write "Error while update Product."
response.end
Else
v_strMsg = "Edit Kelipatan Jumlah Pesanan Berhasil!"
Response.Redirect "global_notification.asp?strMsg=" & v_strMsg
End If
the problem is you can edit v_strMsg in url for the example abc.com/global_notification.asp?strMsg= "anything you can edit the value here", and the display page is look like this
<body>
<table class="1" width=70% cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/bgtable.gif"><div align="left" class="fontwhiteheader13">
ATTENTION!!</div>
</td>
</tr>
<tr>
<td valign="top"><table width=100% height="360" cellpadding="2" cellspacing="2" bgcolor="white">
<tr>
<td align=center class="fontblueheader13"><%=Request.QueryString("strMsg")%>
</td>
</tr>
</table></td></tr></table>
</body>
any possible way to sending the value without changing it to POST metod? i try htmlEncode but v_strMsg still can be edited in url, any suggestion?

You need a signed URL.
A signed URL includes a digital signature that proves the request was generated by the server.
The first thing you need to do is create a secret key:
' Generate your own key from:
' https://www.allkeysgenerator.com/Random/Security-Encryption-Key-Generator.aspx
Const secret_key = "G+KbPeShVmYq3s6v9y$B&E)H#McQfTjW"
In this example it's a 256 bit key.
You also need a hashing function:
hash.asp
<%
' Might as well store the secret key constant in this file:
Const secret_key = "G+KbPeShVmYq3s6v9y$B&E)H#McQfTjW"
Function Hash(ByVal Input, HashAlgorithm)
' Select the System.Security.Cryptography value.
Select Case uCase(HashAlgorithm)
Case "MD5"
HashAlgorithm = "MD5CryptoServiceProvider"
Case "SHA1"
HashAlgorithm = "SHA1CryptoServiceProvider"
Case "SHA2","SHA256"
HashAlgorithm = "SHA256Managed"
Case "SHA384"
HashAlgorithm = "SHA384Managed"
Case "SHA5","SHA512"
HashAlgorithm = "SHA512Managed"
Case Else
HashAlgorithm = "SHA1CryptoServiceProvider"
End Select
' Convert the input to bytes if not already.
If NOT VarType(Input) = 8209 Then
Dim utf8 : Set utf8 = Server.CreateObject("System.Text.UTF8Encoding")
Input = utf8.GetBytes_4(Input)
Set utf8 = Nothing
End If
' Perform the hash.
Dim hAlg : Set hAlg = Server.CreateObject("System.Security.Cryptography." & HashAlgorithm)
Dim hEnc : Set hEnc = Server.CreateObject("MSXML2.DomDocument").CreateElement("encode")
hEnc.dataType = "bin.hex"
hEnc.nodeTypedValue = hAlg.ComputeHash_2((Input))
Hash = hEnc.Text
Set hEnc = Nothing
Set hAlg = Nothing
End Function
%>
Now you're ready to sign your URL with a digital signature.
' Be sure to include "hash.asp"
' Your message:
v_strMsg = "Edit Kelipatan Jumlah Pesanan Berhasil!"
' A unix timestamp:
v_uts = DateDiff("s","1970-01-01 00:00:00",Now())
' NOTE: Your servers timezone should be set to UTC to generate a true unix timestamp,
' but it doesn't really matter, as long as "global_notification.asp" is on the same
' server, or a server set to the same timezone as the page you're generating the
' signature from.
' Now we create the signature as so:
v_signature = Hash(v_strMsg & v_uts & secret_key,"SHA256")
' Finally, redirect to "global_notification.asp"
Response.Redirect "global_notification.asp?strMsg=" & Server.URLEncode(v_strMsg) & "&ts=" & v_uts & "&signature=" & v_signature
Example redirect:
global_notification.asp?strMsg=Edit+Kelipatan+Jumlah+Pesanan+Berhasil%21&ts=1612794802&signature=61016c0a0460902cc4a19f092dcbb4fd818aa9c88d2631e087868253e73983da
Now to validate the signature on global_notification.asp:
<!--#include file = "hash.asp" -->
<%
Dim v_strMsg, v_uts, v_signature, v_uts_now
v_strMsg = Request.QueryString("strMsg")
v_uts = Request.QueryString("ts")
v_signature = Request.QueryString("signature")
' Do some basic validation first.
If v_signature = "" Then
Response.Write "Missing Signature"
Response.End()
ElseIf v_uts = "" Then
Response.Write "Missing Timestamp"
Response.End()
ElseIf NOT Len(v_signature) = 64 Then
Response.Write "Invalid Signature"
Response.End()
ElseIf NOT (IsNumeric(v_uts) AND Len(v_uts) = 10) Then
Response.Write "Invalid Timestamp"
Response.End()
End If
' Validate the signature. To do this, we simply recreate what we're expecting the signature
' to be, and compare it to the one being passed.
If NOT Hash(v_strMsg & v_uts & secret_key,"SHA256") = v_signature Then
Response.Write "Invalid Signature"
Response.End()
End If
' Now let's set an expiration period for the link, say 30 seconds? (or 86400 seconds for a day, 604800 for a week etc).
v_uts = Int(v_uts) + 30
v_uts_now = DateDiff("s","1970-01-01 00:00:00",Now())
If v_uts_now >= v_uts Then
Response.Write "Expired Link"
Response.End()
End If
' At this point, everything is good.
' Go ahead and display the message:
%>
<body>
<table class="1" width="70%" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" background="images/bgtable.gif"><div align="left" class="fontwhiteheader13"> ATTENTION!!</div></td>
</tr>
<tr>
<td valign="top"><table width="100%" height="360" cellpadding="2" cellspacing="2" bgcolor="white">
<tr>
<td align=center class="fontblueheader13"><%=v_strMsg%></td>
</tr>
</table></td>
</tr>
</table>
</body>
Now if you try and change the message (or the timestamp) you'll get an Invalid Signature error. The only way to generate a valid working link is to know the secret key, which of course is hidden.

need to implement recaptcha in .asp page

anyone please know how to add recaptcha in .asp , i am having public and privte keys
<TD align="middle">Security Code: </TD>
<TD align="middle">
<script type="text/javascript"
src="http://www.google.com/recaptcha/api/challenge?k=01M2eMS32Xs6oGtCaBu3AkHQ==">
</script>
<noscript>
<iframe src="http://www.google.com/recaptcha/api/noscript?k=01M2eMS32Xs6oGtCaBu3AkHQ=="
height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field"
value="manual_challenge">
</noscript>
</TD>

Using reCAPTCHA with Classic ASP
The reCAPTCHA ASP guide provides a simple way to place a CAPTCHA on your ASP page, helping you stop bots from abusing it. The code below wraps the reCAPTCHA API.
After you've signed up for your API keys, you can add reCAPTCHA to your classic ASP site by pasting the code below at the top of your ASP page:
<%
recaptcha_challenge_field = Request("recaptcha_challenge_field")
recaptcha_response_field = Request("recaptcha_response_field")
recaptcha_public_key = "your_public_key" ' your public key
recaptcha_private_key = "your_private_key" ' your private key
' returns the HTML for the widget
function recaptcha_challenge_writer()
recaptcha_challenge_writer = _
"<script type=""text/javascript"">" & _
"var RecaptchaOptions = {" & _
" theme : 'red'," & _
" tabindex : 0" & _
"};" & _
"</script>" & _
"<script type=""text/javascript"" src=""http://www.google.com/recaptcha/api/challenge?k=" & recaptcha_public_key & """></script>" & _
"<noscript>" & _
"<iframe src=""http://www.google.com/recaptcha/api/noscript?k=" & recaptcha_public_key & """ frameborder=""1""></iframe><>" & _
"<textarea name=""recaptcha_challenge_field"" rows=""3"" cols=""40""></textarea>" & _
"<input type=""hidden"" name=""recaptcha_response_field""value=""manual_challenge"">" & _
"</noscript>"
end function
' returns "" if correct, otherwise it returns the error response
function recaptcha_confirm(rechallenge,reresponse)
Dim VarString
VarString = _
"privatekey=" & recaptcha_private_key & _
"&remoteip=" & Request.ServerVariables("REMOTE_ADDR") & _
"&challenge=" & rechallenge & _
"&response=" & reresponse
Dim objXmlHttp
Set objXmlHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
objXmlHttp.open "POST", "http://www.google.com/recaptcha/api/verify", False
objXmlHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXmlHttp.send VarString
Dim ResponseString
ResponseString = split(objXmlHttp.responseText, vblf)
Set objXmlHttp = Nothing
if ResponseString(0) = "true" then
'They answered correctly
recaptcha_confirm = ""
else
'They answered incorrectly
recaptcha_confirm = ResponseString(1)
end if
end function
server_response = ""
newCaptcha = True
if (recaptcha_challenge_field <> "" or recaptcha_response_field <> "") then
server_response = recaptcha_confirm(recaptcha_challenge_field, recaptcha_response_field)
newCaptcha = False
end if
%>
What happens here is the variables server_response and newCaptcha are set whenever the page is loaded, allowing you to determine the state of your page.
You can use the following HTML as a skeleton:
<html>
<body>
<% if server_response <> "" or newCaptcha then %>
<% if newCaptcha = False then %>
<!-- An error occurred -->
Wrong!
<% end if %>
<!-- Generating the form -->
<form action="recaptcha.asp" method="post">
<%=recaptcha_challenge_writer()%>
</form>
<% else %>
<!-- The solution was correct -->
Correct!
<%end if%>
</body>
</html>
As shown here:
http://developers.google.com/recaptcha/docs/asp

ASP Classsic - Insert into Excel .XLS columns or Create a Real Excel Format File

I would like to add my MS SQL data into the Excel .XLS file below.
I tried the following:
<%
Response.Clear
Response.Buffer = False
Response.ContentType = "application/vnd.ms-excel"
Response.AddHeader "Content-Disposition", "attachment;filename=example.xls"
' --OPEN MS SQL DATABASE CODE--
' --OPEN RECORDSET CODE--
%>
<table>
<tr>
<th>DEBNAME</th>
<th>INV_ID</th>
<th>INV_DATE</th>
<th>PO_NO</th>
<th>INVAMT</th>
</tr>
<% 'START OF: ROW LOOP
Do Until objRS.EOF
%>
<tr>
<td><%=objRS("DEBNAME")%></td>
<td><%=objRS("INV_ID")%></td>
<td><%=objRS("INV_DATE")%></td>
<td><%=objRS("PO_NO")%></td>
<td><%=objRS("INVAMT")%></td>
</tr>
<%
objRS.MoveNext
Loop
objRS.Close
'END OF: ROW LOOP
%>
</table>
THEN WHEN I TRY TO OPEN IT, IT GIVES ME THIS ERROR:
I think this is because the file only has HTML code inside it (I opened it via Notepad to check it out)
If I click on Yes the data will show but I would like to generate a real .xls file or use an empty.xls file, clone it, and then insert the data into it.
THANKS FOR ANY HELP!
This is how my empty.xls file looks

Using an empty file that ready to fill is the most painless method.
After filling the sheet(s) via related data providers, you can serve the static excel file or stream it.
Here's the demo : http://aspfiddle.com/ymuikl0id4/test.asp (will be deleted a few days later)
Make sure that you have permission to create new files.
Hope it helps.
<%#Language=VBScript CodePage=65001%>
<%
If Request.Form.Count Then 'form handling
Dim Fso
Set Fso = Server.CreateObject("Scripting.FileSystemObject")
Dim emptyXlsFileName
emptyXlsFileName = Server.Mappath("test.xls") 'empty original file path
Dim filledXlsFileName
filledXlsFileName = Replace(Fso.GetTempName, ".tmp", ".xls") 'temp file will be created and filled
Fso.CopyFile emptyXlsFileName, Server.Mappath(filledXlsFileName)
Dim Connection
Set Connection = Server.CreateObject("Adodb.Connection")
Connection.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.Mappath(filledXlsFileName) & ";Extended Properties=""Excel 8.0;HDR=Yes;IMEX=0"";"
'Since Jet.OLEDB.4.0 is a 32-Bit only provider
'if you need to run this application in a 64-bit environment
'you have to install 64-bit version of Access Database Engine (http://www.microsoft.com/en-us/download/details.aspx?id=13255) to the server
'then use the following connection string instead
'Connection.Open "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & Server.Mappath(filledXlsFileName) & ";Extended Properties=""Excel 8.0;HDR=YES;IMEX=0"";"
Dim Recordset
Set Recordset = Server.CreateObject("Adodb.Recordset")
Recordset.Open "[Sheet1$]", Connection, , 3
Recordset.Addnew
Recordset("DEBNAME").Value = Request.Form("DEBNAME")
Recordset("INV_ID").Value = Request.Form("INV_ID")
Recordset("INV_DATE").Value = Request.Form("INV_DATE")
Recordset("PO_NO").Value = Request.Form("PO_NO")
Recordset("INVAMT").Value = Request.Form("INVAMT")
Recordset.Update
Recordset.Close
Set Recordset = Nothing
Connection.Close
Set Connection = Nothing
Const BufferSize = 8192
Response.ContentType = "application/vnd.ms-excel"
Response.AddHeader "Content-Disposition", "attachment;filename=example.xls"
Dim Stm
Set Stm = Server.CreateObject("Adodb.Stream")
Stm.Type = 1 'adTypeBinary
Stm.Open
Stm.LoadFromFile Server.Mappath(filledXlsFileName)
Do While Not Stm.EOS
Response.BinaryWrite Stm.Read(BufferSize)
Response.Flush
If Not Response.IsClientConnected Then Exit Do
Loop
Stm.Close
Set Stm = Nothing
Fso.DeleteFile Server.Mappath(filledXlsFileName)
Response.End
Set Fso = Nothing
End If
%><!doctype html>
<html lang="en">
<head>
<title>Insert Into Excel File</title>
<meta charset="utf-8">
</head>
<body>
<form method="post" target="_blank">
<table>
<tr><td>DEBNAME</td><td><input type="text" name="DEBNAME" value="John Doe" /></td></tr>
<tr><td>INV_ID</td><td><input type="text" name="INV_ID" value="123" /></td></tr>
<tr><td>INV_DATE</td><td><input type="text" name="INV_DATE" value="24 Jun, 2014" /></td></tr>
<tr><td>PO_NO</td><td><input type="text" name="PO_NO" value="321" /></td></tr>
<tr><td>INVAMT</td><td><input type="text" name="INVAMT" value="etc" /></td></tr>
<tr><td> </td><td><input type="submit" value="Add & Download" /></td></tr>
</table>
</form>
</body>
</html>

This will only be a partial/hack answer, because for everything from Excel 2007 on, I don't know that you can bypass that warning (unless you use a third-party library, and I don't know of any for ASP classic -- plenty of choices for ASP.NET). Here is a MS article on this subject, and it leads to the hack:
http://blogs.msdn.com/b/vsofficedeveloper/archive/2008/03/11/excel-2007-extension-warning.aspx
What you can do is alter your code slightly and deliver the data in CSV format. This will still download and open directly in Excel, but you won't get the warning. So here's the guts of it:
<%
Response.Clear
Response.Buffer = False
Response.ContentType = "application/vnd.ms-excel"
Response.AddHeader "Content-Disposition", "attachment;filename=example.csv"
Response.Write "DEBNAME, INV_ID, INV_DATE, PO_NO, INVAMT" & vbCRLF
Do Until objRS.EOF
Response.Write objRS("DEBNAME") & ", " & objRS("INV_ID") & ", " & objRS("INV_DATE") & ", " & objRS("PO_NO") & ", " & objRS("INVAMT") & vbCRLF
objRS.MoveNext
Loop
objRS.Close
%>

ADODB.Connection error

I am trying to learn asp.net, and have hit a problem early on.
I am attempting to connect to a database that I have create on Net Registry's Cloud Hosting.
I just receive a 500 error when i try to access the page.
(I am on a Mac as well if this matters at all.)
Here is my code:
<% # Language="VBScript" %>
<head>
<title>Form to database</title>
</head>
<body>
<%
Dim page: page = Request.ServerVariables("SCRIPT_NAME")
If Request.Form <> "" Then
Dim name: name= Request.Form("name")
Dim email: email = Request.Form("email")
Dim comments: comments = Request.Form("comments")
Dim sql: sql = "INSERT INTO users_tbl " & _
"([name], email, comments) " & _
"VALUES ('" & name & "','" & email & "','" & comments & "')"
Dim conn: Set conn = Server.CreateObject("ADODB.Connection")
Dim str: str = "SERVER=MYSQL-5.idealinsurance.com.au;
DATABASE=ideal_idealinsurance_com_au; UID=XXXXXXXXXX;PASSWORD=XXXXXXXX; OPTION=3"
conn.Open(str)
conn.Execute(sql)
conn.Close
Set conn = Nothing
Dim message: message = "The form information was inserted successfully."
End If
%>
<form action="<%=page%>" method="post">
name:<input name="name"><br>
email:<input name="email"><br>
comments: <textarea name="comments"></textarea><br>
<input name="submit" type="submit" value="Submit">
</form>
<p>
<%=message%>
</body>
</html>

I would like to get this code to upload pictures to 2 different folders

We are trying to use persits upload code to upload pictures to 2 different folders. It works when uploading to just one folder but not 2 folders.
Essentially, we have two folders, one is called img and the other is a subdirectory of img called small.
We grab 1 picture and upload same picture into both img and small folders.
So far, the picture gets uploaded to small folder but not to img folder.
Below is the relevant code followed by a link where I got my sample code from.
'Upload.asp
<form name="form" action="process.asp" method="post" ENCTYPE="multipart/form-data">
<Table>
<tr>
<td class="body1" div align="right">Attach for IMG folder:</div></td>
<td><INPUT NAME="file1" TYPE="FILE" value="" SIZE=30></td>
</tr>
<tr>
<td class="body1" div align="right">Attach for SMALL folder:</div></td>
<td><INPUT NAME="file2" TYPE="FILE" value="" SIZE=30></td>
</tr>
</table>
</td>
</tr>
</table>
<hr color="silver">
<table width="100%" border="0" cellspacing="4" cellpadding="4">
<tr>
<td><div align="center">
<input type="image" name="submit" id="submit2" title="submit to db." border="0" src="images/submitbutton.jpg" width="142" height="47" alt="Submit Button">
</div></td>
</tr>
</table>
</form>
'Process.asp
<%
Set Upload = Server.CreateObject("Persits.Upload")
' Limit file size to 5000000 bytes, throw an exception if file is larger
Upload.SetMaxSize 5000000, True
' Save to memory. Path parameter is omitted
Count = Upload.Save
' Two images must be selected
If Count <> 2 Then
Response.Write "You must select 2 jpeg files."
Response.End
End If
' Intercept all exceptions to display user-friendly error
On Error Resume Next
' Create two folders, ignore "already exists" error
Upload.CreateDirectory Server.MapPath("/img"), True
Upload.CreateDirectory Server.MapPath("img/small"), True
' Obtain File objects
Set File1 = Upload.Files("file1")
Set File2 = Upload.Files("file2")
' Build name from session ID
'Name = Session.SessionID
' Save
'File1.SaveAs (Server.MapPath("/img/" & File1.Ext))
'File2.SaveAs (Server.MapPath("/img/small/" & File2.Ext))
' Copy file 1 to img folder
File1.Copy (Server.MapPath("/img/" & File1.Ext))
' Delete from temp folder
File1.Delete
' Copy file 2 to small folder
File1.Copy (Server.MapPath("/small/" & File1.Ext))
' Delete from temp folder
File2.Delete
For Each File in Upload.Files
If File.ImageType <> "JPG" Then
Response.Write "The image type you are uploading is not a JPGE image."
File.Delete
Response.End
End If
Next
Dim objConn,connectstr,objRS,prodset,specialset,bncatset,featureset
connectstr = "Provider=sqloledb; Data Source=scartmil.db.8911524.hostedresource.com; Initial Catalog=scartmil; User ID=999999; Password=8888;"
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open connectstr
catdescription = Upload.Form(trim("catdescription"))
pcode = Upload.Form("pcode")
pname = Upload.Form(trim("pname"))
pdescription = Upload.Form(trim("pdescription"))
pPhoto = Upload.Form("pPhoto")
cstock = Upload.Form("cstock")
cprice = Upload.Form("UnitPrice")
'sanitize to avoid sql injection
catdescription = replace(catdescription,"'","''",1,-1,1)
pcode = replace(pcode,"'","''",1,-1,1)
pname = replace(pname,"'","''",1,-1,1)
pdescription = replace(pdescription,"'","''",1,-1,1)
pPhoto = replace(pPhoto,"'","''",1,-1,1)
cstock = replace(cstock,"'","''",1,-1,1)
cprice = replace(cprice,"'","''",1,-1,1)
'response.write cprice
'response.end
sql = "INSERT INTO products (ccategory, " & _
"ccode, " & _
"cname, " & _
"cdescription, " & _
"cimageurl, " & _
"cstock, " & _
"cprice) " & _
"VALUES (" & _
""&catdescription&", " & _
"'"&pcode&"', " & _
"'"&pname&"', " & _
"'"&pdescription&"', " & _
"'"&pPhoto&"', " & _
""&cstock&", " & _
""&cprice&")"
'response.write sql
'response.end
set rs = objConn.Execute(sql)
'ok record in, now retrieve the primary key
sql = "SELECT products.catalogID FROM products ORDER BY products.catalogID DESC"
'response.write sql
'response.end
set prodset = objConn.execute(sql)
if not prodset.EOF then
bCatalog = prodset("CatalogID")
end if
sql= "INSERT INTO bndCategoryProduct (bCategoryId, " & _
"bCatalogId) " & _
"VALUES (" & _
""&catdescription&", " & _
""&bCatalog&")"
'response.write sql
'response.end
set bncatset = objConn.execute(sql)
objConn.Close
Set objConn=Nothing
%>
Here is the persits link:
http://www.aspupload.com/manual_memory.html
Please don't pay attention to the insert code; it works fine.
Thanks in advance

Are you sure you have the same write permissions to both folders? also, did you notice your folders are different. If you do have the permissions set correctly, the other issue I see is your folders. You have /img and img/small Those could potentially be two different img folders.
Upload.CreateDirectory Server.MapPath("/img"), True
Upload.CreateDirectory Server.MapPath("img/small"), True
The next potential problem I see is in the code below. Just under ' Copy file 2 to small folder you have File1.copy. Shouldn't that be File2.Copy.
'# Copy file 1 to img folder
File1.Copy (Server.MapPath("/img/" & File1.Ext))
'# Delete from temp folder
File1.Delete
'# Copy file 2 to small folder
File1.Copy (Server.MapPath("/small/" & File1.Ext))
'# Delete from temp folder
File2.Delete

A few things I see:
Both copy commands use file1
They also don't specify the name, only extension.
Why not use the saveas method?
Comment out 'on error resume next' and wrap folder creation code in if/then and check if folder exists. Then you can see your errors