Hi,

I am using the upload_post_VBSCRIPT.asp to upload the pictures. My concern is the security of this. For instance I've seen some sites get hacked by a user uploading a file (going through the same process) and ending up crashing the entire server.

I tried adding .jpeg to the end of a text file (filename.vbs.jpeg) and then uploading it, and the file was actually uploaded. Is this a potential problem?

Thanks

S

in that file "upload_post.asp"

change

<%
If Session("Admin") <> "True"
 Response.End
End If
%>

to

<%
If Session("Admin") <> "True" Then
 Response.End
End If
%>

again.. more custom code work would be required to handle it

Humm, Did you make any changes to the code ?
Solid Black is not the default so it must have changed at least once.

Otherwise it might be some sort of application variable problem.
I would make sure the web is and "application" in the IIS console.

Redirecting is not something ASPProtect does because you can
do that sort of thing using simple ASP redirects.

In all of these examples you are going to want to protect the pages you send these users to accordingly.
So that if they know the url they just cant go their directly without loging in.

Redirecting example..
This page will redirect admins or level 4 users to a certain page  and anyone else to
another page.
 
 
<%@ LANGUAGE="VBSCRIPT" %>
<!--#INCLUDE FILE="check_user_inc.asp"-->
 
<%
If Session("Admin") = "True" or Session("Access_Level") = "4"  Then
    Response.Redirect("sompage.asp")
Else
    Response.Redirect("someotherpage.asp")
End If
%>

Redirecting example..
This page will redirect level 1 users to a certain page. level 2 users to certain page, and anyone else to
another page.
 
 
<%@ LANGUAGE="VBSCRIPT" %>
<!--#INCLUDE FILE="check_user_inc.asp"-->
 
<%
If Session("Access_Level") = "1"  Then
    Response.Redirect("level1.asp")
ElseIf Session("Access_Level") = "2" Then
    Response.Redirect("level2.asp")
Else
    Response.Redirect("allothers.asp")
End If
%>

Redirecting example..
This page will redirect user "PistolPete" to a certain page.

 
<%@ LANGUAGE="VBSCRIPT" %>
<!--#INCLUDE FILE="check_user_inc.asp"-->
 
<%
If Session("Username") = "PistolPete" Then
    Response.Redirect("somedirectory/somepage.asp")
End If
%>

 
then just make sure the page you send the user to to also checks to see if the user is the right user.... to make sure others users can't access each others pages
 
<%
If Session("Username") <> "PistolPete" Then
    Response.Write("You do not have access to this page.")
    Response.End
End If
%>

etc etc etc.... these code snippets should point you in the right direction...

My ISP uses ASPSmartMail. The email confirmation works except when I try to register an AOL user the server returns an error 500.

as far as sql goes if you follow the instructions with give for setting up a new database you shouldnt have any issues and permissions should be already set. because we handle that in the sql script we give you.. "its a good thing to look at and it is pretty easy to understand what is going on""

however using another account could cause permissions issues.."yes, even sa"     basically the username your using needs datareader and datawriter permissions to all tables used by the photo gallery system and you probably have to go specifically set them usin ght e security tab for your database in enterprise manager. This is more of SQL server 101 than anything to do with the Photo Gallery Code so I am not going to get into it too deeply, but that is definetly the issue.  Permissions...

Chris,

Yesterday when I would access the get_me_in page with the password key, I was then taken to the default login page.  It did not give me the option to create a user. 

Today, when I entered the password key into the get_me_in page, I was taken right to the create user page.  So, yes the problem has been resolved.  I have no idea why though.

I just told you a lot of different things to try... and I doubt you have tried them in the time since I mentioned them

ok, I just sent you a private message with download information.

replace you existing

"check_user_inc.asp"

"admin/check_admin_inc.asp"

"admin/email_user.asp"

with the new versions in the download

Do some testing to make sure that HANNAH password works ok for you.

Hopefully this cures the issue...
If it works ok for you for a while I will offer the fixes to everyone and start using this code from now on

BTW:
"admin/email_user.asp" had an unrelated bug in it that only happened if its error handling got triggered... it was posting back to the wrong page when that happened and causing an error

Christopher,

Thanks for the reply. I think I've found my problem, but can't test until later in the evening as it is on a live site.

Darrell

Hi, its just not something i can suppport as I do not support custmizations to the code epecially when dealing with an image component that is not supported by the application.

Sorry, its something you have to figure out. Bascially I would suggest looking at the existing asp image resizing code and using that as a guide.

Have you considered just buying a license of ASPImage and asking the host if they will install it after you purchase it. It sounds like it may save you a lot of time.

If you are ever looking for a good host for ASP. www.alentus.com is one of the best. There 9.95 plan gives you access to 3000.00 of commercial quaility asp components also which is nice.

all that docmunetation is online as well right here so you dont really need the chm file
http://support.cjwsoft.com/code/info24.htm

the chm format is a windows format that can only be viewed on windows pcs. I do not know why you can not see it. I would do reseach on viewing CHM files on whatever operating system and version you are running because perhaps you are using a mac or linux operating system which can not natively view chm files ?

upgrade pricing is here
http://www.aspbanner.com/purchase_unlimited_v8.1_classic_upg rade.asp

what is different
http://www.aspbanner.com/v8_notes.asp

the changes to make it work with MySQL were vast to say the least
more on that from an old thread
http://support.cjwsoft.com/code/code_info.asp?TID=37&PN= 1&TPN=1

just please remember use of MySQL is just not supported
http://www.aspbanner.com/mysql.htm

I can assure you it works well as I have people using it

Yeah, its working great witht he Access database. Now I just need to get it all set up. I like how the config file is set up with all the comments, it really helped allieviate the 40k thumbnails, .

Is there a way to set various members to upload a limit of photos. So, one member can only upload 5 photos in 1 album and another can upload 30 photos in 2 albums. Even if you just set a permission for the number of uploads for each member.

Thank you

I have been able to successfully edit some text colors, but there seems to be one page that wont change the text color. Inside the users/ folder, the login.asp page, i cant seem to change the text color from ffffff to 000000 so it can be read on my background color. Every page in the script is correct but this one.

Thanks.

I am testing this now and there is something wrong.

PayPal is hitting the ipn.asp but the database is not being updated.

I will figure it out shortly though and post the anwer here.

I really do not know for sure, but I imagine there are customers using their windows hosting. Usually I do not know what hosting company a customer uses and I am usualy the only one that responds to forum questions.

Why not download the current Free lite version and try it out ?

CJW

Hi there,

Well, that is why we added the PayPal subscription pack where all of that is taken care of and customers get put under a recurring billing cycle.
The more people you get to pay that way the less you have to do.

We also have routines for the two other supported payment methods so people can look up their account and add time to it whether it is active/expired or not.

Other than that, yes it is something you need to sort out on your own based on how you want to run your system. You have the source code and the sky is the limit on how you want handle all of that.  You send out an email to users about to expire. Whether they come back to the site/look up their account and add more time to it is up to them. I really just do not see any way ASPProtect could handle that whole process automatically.

As for batch changing to users in the database. We give you the source code and we also use an open database structure. You can run any query you want on the database whether with ASP code or directly in your database using the tools that come with it, You can write any code you like to do whatever you like to the database. You can even tie other systems and code into the database via OBDC and manipulate data. The sky is the limit like I said. I also don't really see how batch changes to the database relates to individual users paying again for access or not especially since we include payment  pages were a users can look up their accounts and pay for and add more time to it automatically ? At least not regarding the payment routine we provide support for.

ASPProtect can not handle everything every person would need to do. It is meant as a solid starting point for any project, but there are going to be times when more functionality will need to be added by the customer based on their specific needs.

I assume that if I am using this product, search engines such as Google cannot access and index my content. Can somebody confirm that; I want to be 100% sure.

In case it matters, I am using a basic, cheap ISP setup where my site is on a shared server.

Thanks in advance.

Banners no longer show up on my site ?

If banners were working fine and now they are just not showing up.
1st check to see that you are calling a valid zone with live banners in it.
If you are then most likely this it what hapened.

The web server must have crashed or lost power and now the application variables are in limbo/not working.

I have seen this happen 3 times. Twice on my own server when the power went out for 2 hours and once on a customers server.

Basically the application variable system gets all messed up because it was not shut down properlly.

The ways to possibly cure it are as follows.

Edit and save a banner in the system. Hopefully that gets things going again.
If not... keep reading for the more drastic cures..


Go to the command prompt on the server and type "iisreset"
Sometimes that is enough.

Reboot the server.
Sometimes that is enough.

Stop the web in the IIS console.
Sometimes that is enough.

Stop the individual processes for each web in iis
"you must really know what you doing and be very careful about doing this"

Remove and recreate new applications in IIS for the web in question.


And sometimes it just takes a combination of the things listed above and a few reboots. I don't know the best way to cure it but I do know why it happens and the steps listed above can get things back on track.

Again, this is because the server lost power or crashed as far as I know.
It was not allowed to shut down properly which sometimes happens.

You'll know things are ok again when you see your banners show up on your site.

the reason being is because when I do installs I do not touch any of your existing content. I only install the base application and make sure everything in it working correctly and also that the example protected pages are working. I do not integrate it with your existing site or edit any of your existing web content. That is up to you

sorry about that, but it would be way too time consuming and editing people's existing pages is a good way to cause a lot of headaches for me and the customer if something goes wrong. Not only that but everyone uses the system differently and it wouldnt make sense for me to be the one doing that based on access levels, groups.. etc etc  which will all be custom to how you want things set up.

more on installation policies here.
http://www.cjwsoft.com/installation_service.asp

Dear Christofer

I already have send you the details you asked me for. Please let me know if you have received

We would like to use some of the variables from the user account in our web pages after they log in (something like, 'hello <user>"), but for professional printout reports using company name and user.

Could you offer some help as to what variable string we use to print that information on logged in pages?

By the way,  the program is working great!!!

... in addition it is a virtual include not a file.  I just tried to use file instead of virtual and then the ../ includes worked on the asp pages.

This is strange because they used to work like that on the 2000 server I had these sites running on.

maybe this is the issue...

do you realize that the descriptive name you give a group is not always going to be the same ID in the database ? The two are not related.

Perhaps what you named Group 1 is really group ID 3

You can tell for sure by generating protection code for group 1 and see what ID it tells you to use..



You also need to remember that you are testing this with different users and it is really easy to get confused so you need specifically log off using the log off page to ensure session info from the previous login doesn't show up and cause confusion when you log in with a different user... etc etc

in addition to logging off that way you may also want clear the session and application info via the code at the bottom of my article
http://www.powerasp.com/content/new/displaying-session-and-a pplication-variables.asp

and do that in between any user you log in as