PowerASP



Blog Entry: 3/25/2006 1:41:53 PM

also.. every once in a while I get some nervous person concerned about security... and the pros and cons of having parent paths enabled.

etc etc etc

 

so let me add this bit of info..

I don’t know what your hosting company will say because it is an iffy topic and those that understand it have a hard time explaining it to someone who doesn't. Also usually the hosting company doesn't have a clue except they heard it was a security risk.

Here is the low down from someone that really understands it...
(well, at least I think I do)

The only real security risks are from YOU and possibly other people hosting on the same server if they have parent paths enabled that is.

Meaning your site visitors can't possibly do anything with it unless of course you let them upload and run their own asp files to the server.

Anyway.. if YOU run malicious asp scripts you could potentially attack other sites on the server and look at things you shouldn't. As could other sites on the same server do to you I suppose.

So, unless you plan on doing that or some other site admin on the server does it to you it's not really a concern. Just an advantage in coding abilities.

If you attack someone else's site on the server or lurk where you shouldn't then you are probably violating your hosting agreement.

99% of the time everyone gets all nervous over nothing.. half the people nervous about this have sites nobody would ever want to hack anyway.

Many people with really important/busy sites are going to have a dedicated server somewhere so the setting is not relevant..

The hosting companies of course have to warn you.

This setting was enabled by default for years on IIS4-IIS5. I never once heard one single real story about anyone attacking anything because of this setting. That doesn't mean it doesn't happen but I am just telling you what I know.

This is all my opinion so take it for what it is...

If you are a Hosting Company you're better off turning it on at the customer's request, giving them a warning about it, and in turn having happy customers.

The big hosting companies like Alentus and MaximumASP do it...

There are far worse things than this to let people do after all.

Believe it or not I have actually been in servers where they gave the anonymous webserver account modify permissions EVERYWHERE yet they disabled parent paths ????

cwilliams38391.6024189815,

How can I make so it goes to certain webpages if user enters valid username and password??

I suppose user enters its information on check_user_inc.asp page, and username and password are stored on SQL database.

Thanks

 

,



[QUOTE=cwilliams]
Is that a real term or just something you named it cause they have like a zillion people using that SQL server?[/QUOTE]

yeah that's it, you buy into a part of the sql server so it's an sql server hotel...

,

It seems that if a user attempts to access a page that is not in their access level or they do not have the group permission they are redirected to the login page.  Re-entering their ID generates an error and they cannot go back to the pages they are allowed to access.  Is there a way for them to simply be blocked and return to the previous page or to a defined page so they can continue using the site?

thank you

,

Chris,

2Checkout.com has added to their required cart parameters:

https://www.2checkout.com/documentation/newparameters.html

Do you have a version of 2checkout2.asp that will support these?

Thanks,

Nick

,

Great software.

How easy would it be to copy the email address entered at registration directly into the login id field so that the user's email address is automatically used as the login id? 

Also, where in the code can I turn off the random password generator - I'd rather force people to pick something they can remember themselves.

Thanks,

Nick

,

Thanks.

 

clark

 

,

I would say that it isn't all that difficult using mySQL for the backend....the main thing is to make sure you set the primary keys for auto-incrementing in your database.  Also need to make sure that any DELETE SQL statements are formatted like this

DELETE FROM tblName WHERE tblField=SomeValue

and not

DELETE * FROM tblName WHERE tblField=SomeValue

The same holds true for using MSSQL

,

also.. the log out page shouldn't really need this
but you can try adding this to it where all the other ones are set to nothing..

<% Session("Groups") = "" %>

cwilliams38341.7215046296, on that particular page check the session variables manually (not using the include)

that way you are keeping the login access checking to an absolute minimum, eliminating any form processing from the login procedure, and keeping the upload script happy

like so

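<%
' InStr returns 0 when "*1*" is not found; "Not InStr(...)" is a bitwise Not
' on a number and is never False, so compare against 0 instead
If InStr(Session("Groups"),"*1*") = 0 Then
    ' do whatever
End If
%>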

you could response.write something followed by a response.end

or you might even want to response.redirect them to some other page that uses the "check_user_inc.asp" where they can log in

And if you are going to be using a free asp upload script use this one as it is probably the best pure code upload solution available as far as performance goes.

http://www.freeaspupload.net
, Message :

I purchased the V8 of the software yesterday. It is running on a 2000 Server with a MSSQL database. It is installed and I get the successful connection to database screen but when I click to enter the admin. console I continually get:

"Connection string not saved in (data/config/aspbanner_unlimited_config.asp) file.
Most likey the data folder does not have proper permissions set on it.
That folder and all of the folders within it need (R,W,X,D) Permissions set for the anonymous webserver account.
These permissions can generally only be set by your hosting company."

I can save the string manually by hitting the button and I have checked that I have granted the proper access permissions. Any suggestions?

Ken
, Well my hosting company has finally gotten back with me, so I'm having them troubleshoot the webserver to see what might be eating up those resources.  So I'm in a holding pattern on this for right now.,

First pass through, I don't see anything changed in the groups section of the check_user asp file. the logoff asp wasn't touched.

I noticed the demo online (on this site) only has pages protected with access levels; you say it works fine with groups also?

,

For some odd reason, the export path has two backslashes (\\) at the end, thus generating an error each time I try to export. For example

C:\path\website\protect\data\export\\

This appears toward the bottom of the import_export_manager.asp page and is called by =ExportDirectory.

I checked under settings tab, no path ends with a "\". Any idea where else I need to look?


Nick

 

,

Still not ready... I have no time to finish it at the moment..

release date is unknown...

 

, Ok, set up a new web.config in root, with just the suggested code.

that worked to get this....


Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

Source Error:

Line 409:
Line 410:
Line 411: <authentication mode="Forms">
Line 412:
Line 413: <!-- DO NOT CHANGE UNLESS INSTRUCTED TO DO SO -->

Source File: D:\hshome~aspnetprotect\web.config    Line: 411

any ideas?

Andy

, Did you do what that thread said so you see a more detailed error ?


Can I see the site and look around.. ?
I just am not sure what is going on from what you are explaining ?

If so private message me with the admin account details and tell me what to do to reproduce the error. ,

I'm getting this error when I try to login:

 Active Server Pages error 'ASP 0131'

Disallowed Parent Path

/gallery/users/login.asp, line 19

The Include file '..dataconn_inc.asp' cannot contain '..' to indicate the parent directory.

,

so use the connection string the readme.txt in the sql installation folder file tells you to... it has the correct username.. I just posted that info above

or change the username in the connection string so it's right

or go into sql and give any user you want access to the database and use them



Any connection strings that come in the datacon_inc.asp file the way it ships are examples. We fully expect people to edit them.

Also.. the SQL scripts' primary goal is to give you a properly set up database with correct files and table settings. Users and permissions often need a little extra attention from the installer as that part doesn't always get set right by the scripts. It really all depends on what sql user you are when you execute the scripts. Many times the user someone logs in with doesn't have permission to make users and set permissions.

cwilliams38325.9116898148, Oh big deal !!... John mentioned some site and you feel like you proved some sort of point. Aren't you special ?

Look, I am telling for the 3rd time you can't do what you are talking about with ASPProtect.NET. Are you braindead cause I really am beginning to think you are and I for one am done trying to be somewhat nice to you ??????

I am also willing to bet you had no idea what viewstate even was until I mentioned it and then you probably went and read up about it so quit trying to pretend like you know what is going on! If you knew what was going on you would not be asking more questions about ASPProtect.NET than any customer in the history of selling the application.

As a matter of fact you should send me like 400.00 just for all my time you have taken up because you are totally frigin clueless !!!!!

I should have cut you off the instant you offered me illegal software from p2p right in a forum post.,

I just upgraded from 6.0 to 7.0 primarily because we were limited in the choices of email systems we could use to send an email validation message.

Previously, with 6.0, we were using CDONTS to send an email validation message to new registrants. Unfortunately, AOL email addresses were not receiving the validation email from us. I received a reply to another post I made on this forum that the problem was due to the fact that a CDONTS generated email has no MX record and AOL blocks non-MX record containing emails.

Well, I upgraded to 7.0, switched to CDOSYS (Using SMTP Virtual Server) with SMTP Authentication and it appears that AOL is still blocking the validation email.

Any suggestions, comments?

 

,

Thanks for that.

 

I have tried InStr("*2*",>"0") in the query design window but it does not return any members.  

 

I have ordered an Access Bible to help me in future

,

Really awesome, thanks..

If possible please be sure to respond to the email they send so the review ends up authenticated

 

 

, Have tried doing that but same error... ,

Hi Chris,

 

Thank you for your prompt response.

Our current project requires a lot of customization.

 

Yes, the error is probably a data problem and not due to your code, because we needed to make modifications to the database.  But that's why debugging would be helpful.

 

Basically our intent to modify the asp protect code stems from the fact that our client doesn’t want certain fields to be recorded or to appear: address, city, state, zip etc…

 

We are happy to be able to modify the HTML, but we also want to modify some other default behavior, such as which page opens when the "cancel" button is hit in the editaccountinfo.aspx page.

 

 

, I'm using Groups and would like to assign all new users to a particular group.  How is this done? cwilliams38298.5087384259,

Hi,

We use ASP Protect to password protect the pages in the member area ( http://www.pti.org/members.asp )

Of late Once or twice every month our whole site goes down and it gives us a "Microsoft VBScript runtime error 800a006 Overflow: Clnt //global.asa line 33 " error message (with the friendly message turned off). When we reboot the web server things are up as normal.

But this is happening too frequently and creates a bad impression.

Any suggestions on how we could prevent this would be greatly appreciated.

,

sure, there are reasons AOL would block the email.. it might think it is spam or it might not like the fact that a cdonts generated email has no MX records because it can not..

for more on MX records read my CDOSYS article
http://www.powerasp.com/content/new/sending_email_cdosys.asp


as far as the emails not being sent because notifications are off. I was not aware of that and will try to look into it.. Version 6 is no longer worked on but if I can find the time I will check that out

 

, Your customer should set up a special page that you send banner clicks to. That page is the page that should record the ip and whatever other info needed.

I suppose you could make a page on your end that records that info and finally redirects them to the intended url as well.

All using simple asp. It's really not that difficult to do, but it is a lot easier if you do it this way and keep it separate from the banner system.


Here is some interesting information not totally related to answering your question.

The banner system does not track IPs on individual clicks because if it did.. 100 clicks on a particular banner in one day would result in 100 rows in the stats database instead of just 1 row. That may not seem like a lot, but imagine 30 banners all doing the same thing multiplied by 30 days. You're talking 90000 rows in the database instead of 900. It all comes down to what ASPBanner was designed for which is performance and low resource use.

Some banner systems out there even keep track of individual IP's per banner display. Try to imagine how much that affects performance and how much extra space is used in the database for stats. It's crazy and also the reason that the more little features a banner system offers the slower and slower it begins to run.

I am sure I lose sales all the time because I offer less features, but the truth is I know those features will eventually defeat the purpose of why I created this banner system in the 1st place and that is just not something I want to do.

The banner systems with every little feature are just not well suited to very busy sites no matter how well they are designed.

cwilliams38324.8386689815, remember too.. you might have to edit code you used on your existing pages in your site so they still call the "check_user_inc.asp" correctly.. though it may very well work out so it works the way it is at the new site

any redirection code you might have done may need the redirection urls changed if you used full domain urls..

things like that... etc etc etc, Humm, it's hard to explain but I am not sure that is a good way to be testing that. I hear what you are saying but I am not sure that really means anything. Whatever is going on it's some sort of client side issue with the browser and the meta refreshing over a very long period of time during which there really is no user doing anything at the site. ,

Please be aware folks..

This file is not provided by CJWSoft. Though this may work very well use of it is not supported in any way. We have not tested it.

This user is not using the option pack so this file will not be compatible with anyone using that because it does not have support for groups and some of the other new features.

Regardless.. we appreciate users sharing ideas and solutions that they have come up with.

cwilliams38313.499837963,

i took another look at the file, and realized that when i was looking at the data structure i had confused "banner_image_URL" with "banner_link_URL". i lengthened the latter, and now all is good.

sorry for the false alarm, and thanks for a very-to-work-with product.

 

, It just sits there indefinitely without an error being returned. The only clue I have is that it seems to be connecting to the database when I try to log-in. I know this because I decided to erase the files and start again, but I could not delete the database because it was "in use". After I rebooted to clear that connection and erased the database, then re-did the install, the same condition exists after entering the key on the get_me_in.asp page. It just sits there indefinitely.,

When I add a user, I can not activate it.

It sends me back to log on and will now allow me to log in as admin???

I can restart the APP and log in as Admin, but the user I added

is still not activated??

My system will also not allow me to set the Stay Logged in Flag.

It just ignores it....

 

 

, If it stopped working it has nothing to do with the ASP code. It could have stopped for any number of reasons as hosts often change email server requirements and info. You need to go over the email settings. Of course make sure you and the person you are sending to have valid email addresses and try different methods/settings until you get emailing to work again.

Testing it by sending emails off from the users screen.. in each email type in what you are trying at that time so you know what worked if emails make it through. Also, be sure to check junk filters when testing to make sure the emails are not being put in any of those.

That's what I would do. CDOSYS is always your best bet for sending emails as it has so many options and all new servers support it. ,

OK, thanks.

Nick

,

Also, I found this page which specifically talks about hidden IPN form values to change currencies

https://www.paypal.com/us/cgi-bin/webscr?cmd=p/acc/ipn-info

mc_currency For payment IPNs, this is the currency of the payment. For non-payment subscription IPNs, this is the currency of the subscription.
"USD" The currency of the payment is U.S. Dollars.
"CAD" The currency of the payment is Canadian Dollars.
"GBP" The currency of the payment is Pounds Sterling.
"EUR" The currency of the payment is Euros.
"JPY" The currency of the payment is Yen.

cwilliams38459.9616087963, Can I have the logon be in a top frame while having the protected pages displayed in a main frame?

Also, how will it behave if a user moves in between a protected page to a public page and back to the protected page again?
,

Ya, you must have tried to upgrade from a really really old version like you said which wouldn't really work out because those instructions are specifically for upgrading a version 6 database to version 7.

That line error you had was looking for the User_ID field and I bet the version you had was so old that you didn't have a field named that as a few years ago the field "ID" got renamed to "User_ID"

As for all the cool stuff... yup there is a lot of cool stuff in this version... glad ya like it so far

cwilliams38418.8164930556,


Timecard Entry: 3/25/2006 1:41:53 PM

Answered phones again. Same problems, different customer., Fixing 686-4911, finding out which modems needed to be busied out and busying them out., Tasks, Team meeting, Working with servers. Gathering as much information on the hardware as possible. Learning about the software running on them as well., assorted NOC duty - receiving, web site creation, email creation, database design for Howard's project, switchboards calls , researching crystal reports stuff, Busy morning. Quality checked sign ups, cancellations, answering phone, and taking sign ups. and checked emails. , MLS Convention, review w/o's for week/start on end of week reports/work on job close out hours, General tech duties., Working on web servers. Working with web customers. Cleaning up servers. Researching router statistics., Emails, Checked expired accounts and called a few but other than that it was caught up, examining perl scripts for wwti samba upload scheme, Did a bunch of cleaning... then did some more cleaning. Swept a little bit, practiced my green thumb with the weeds, and cleaned up a little more., Posted accounts and did a detail of check and cash for bank deposit.. Ans. phone, coupon referral, credit card authorization, and customer inquiries., Lunch, Emails, time sheets Nortel Quote, Paid bills and called to report payments, trip to the post office, Telephone conference with Tim Badour & Carrie McNally re Allen employment agreement , syracuse computer, Posted accounts and did a detail of checks and cash for a deposit. Customer inquiries, cc authorizations, and coupon referrals. Ans phone. , Breakfast meetings with WSTARMLS, readied money for Clayton, answered phones, sign-ups, cancellations, acct changes. Filed customer paperwork., calmed down a little bit.. couple new users, working on building a Red Hat Linux Server with one of the DEC 3000 boxes., Mary Langer/Suimall.com: answer questions re: site templates, phones, on line and rad log. phones were steady,

All artwork, design & content contained in this site are Copyright © 1998 - 2025 PowerASP.com and Christopher J. Williams
Banner ads ,other site logos, etc are copyright of their respective companies.