Blog News Main Page NEWS FROM 2006-03-25
Blog Entry: 3/25/2006 1:46:57 PM
also.. every once in a while I get some nervous person concerned about security... and the pros and cons of having parent paths enabled.
etc etc etc
so let me add this bit of info..
I don’t know what your hosting company will say because it is an iffy topic and those that understand it have a hard time explaining it to someone who doesn't. Also usually the hosting company doesn't have a clue except they heard it was a security risk.
Here is the low down from someone that really understands it... (well, at least I think I do)
The only real security risks are from YOU and possibly other people hosting on the same server if they have parent paths enabled that is.
Meaning your site visitors can't possibly do anything with it unless of course you let them upload and run their own asp files to the server.
Anyway.. if YOU run malicious asp scripts you could potentially attack other sites on the server and look at things you shouldn't. As could other sites on the same server do to you I suppose.
So, unless you plan on doing that or some other site admin on the server does it to you it's not really a concern. Just an advantage in coding abilities.
If you attack someone else's site on the server or lurk where you shouldn't then you are probably violating your hosting agreement.
99% of the time everyone gets all nervous over nothing.. half the people nervous about this have sites nobody would ever want to hack anyway.
Many people with really important/busy sites are going to have a dedicated server somewhere so the setting is not relevant..
The hosting companies of course have to warn you.
This setting was enabled by default for years on IIS4-IIS5. I never once heard one single real story about anyone attacking anything because of this setting. That doesn't mean it doesn't happen but I am just telling you what I know.
This is all my opinion so take it for what it is...
If you are a Hosting Company you're better off turning it on at the customer's request, giving them a warning about it, and in turn having happy customers.
The big hosting companies like Alentus and MaximumASP do it...
There are far worse things than this to let people do after all.
Believe it or not I have actually been in servers where they gave the anonymous webserver account modify permissions EVERYWHERE yet they disabled parent paths ????

Access Database Password
By default all of the Access Databases we give out have a default password of "temp"
The Default username that an Access database uses is "Admin" but you should not be concerned with that except in your connection strings.
The default password for the Access Database can only be changed using Microsoft Access to do so. If you have security concerns it would make sense to change the password. The help system built into Microsoft Access best explains how to do that.

Glad you're getting the hang of it.
no difference as far as that goes. It is just different ways to reference the server side include file and its location on the server

yup. that is correct... they can't log in so they can't see any pages you protect
it's the nature of forms based authentication

If logfiles do not get created it is most likely one of 3 things
- invalid physical path specified
- permissions
- filesystem object is disabled on the server
that path doesn't look correct to me for a live professionally set up server but only you or your server admins can know that for sure
you will not get any errors when things aren't perfect.. just no physical logs
RecentActiveUsers and RecentPageRequrests are not related to the stored logfile feature.. Recent Activity is a different thing

If things are not perfect there will be no log files and no errors.. it can only be one of these things really http://support.cjwsoft.com/code/moreinfo313-2.htm
You may also want to make sure the filesystem on the server is working and not disabled by norton script blocking or anything random like that. Testing the filesystem object is best done by writing a simple text file to a folder. Plenty of examples of doing that can be found at www.aspin.com
Recent activity is temporary and admin activity in the admin area is not tracked. If your application in IIS has reset or there has been no activity in the users area or in pages you protected there will be nothing there. The busier your site the more chance something will be there. For example usually our online demo has something there except right after 4am when my server does an iisreset.

thx, that's a known error I forgot about.
I just updated the zip archive so the error is gone but if you bought ASPBanner Unlimited Version 7.3 Before April/06/2004 you can optionally apply the fix.
To fix it (only if you want to use the option explicit method of calling banners and not even a really necessary fix as this is just an error in the generated code you're supposed to use)
Just edit aspbanner/zones.asp with a text editor.
Where you see the double dim carefully remove one of the "dim"s and save the file.

I would like to delete the SQL tables and set them up from scratch using enterprise manager and sql query manager and see what happens
If that is ok with you let me know.
Something is wrong like I said... almost seems like the database is caching old password info from the field.

Yeah sorry you are right. It works for me
http://www.rottys.net/gallery/default.asp?CatLevel=2&Cat1_ID=5

actually, looks like it's 8.95 a month now for a pretty slick plan http://www.alentus.com/hosting/valueplan.asp

I'll try to look at it this weekend. I have to leave the office now.
There must be something wrong with the last build of the code. I don't think that upload export file thing is a feature too many people use or I would have heard of this sooner.
For now just upload your export files to the export folder manually using ftp or frontpage explorer and you can accomplish the same thing.

ok, how about some more info on the setup ?
What version of MSSQL ?
Exactly how did you create the sql database ?
Is it possible banners.asp got edited ?
Did you create all your banners via the admin interface and do all banners have a zone assigned as that is important ? Sometimes customers will add banner info directly to the database and leave out vital field info that the application requires. Based on that error it is starting to look like that page is coming across a banner with no zone ID and thus the error.

Thank you! I thought that is what had to be done, just didn't want to miss out on a short cut if there was one. Thanks again

I have been able to successfully edit some text colors, but there seems to be one page that won't change the text color. Inside the users/ folder, the login.asp page, I can't seem to change the text color from ffffff to 000000 so it can be read on my background color. Every page in the script is correct but this one.
Thanks.

We want to insert a hyperlink in the message area when we e-mail users from the Password Admin area. Is there an easy way to insert the hyperlink so when the user gets the e-mail, they can just click on it and go to the page we want them to?
Thanks,
Andy

If you would like me to, I also have no problem going into your machine real quick via remote access and setting permissions / putting the right connection string in there for you.
I need to go in as an administrator though to set the permissions.

Thanks, I figured that out!
I managed to get the gallery running, minimally, on the test server, so now on to the real thing.
Thank you!
- Jason

Hi all,
I have the photo gallery set up at www.kashabowieoutposts.com/gallery
It's great - love to work with it.
But I've never been able to get those with just User permissions to be able to upload... Only an administrator is successful in uploading. This was no problem in the past, but now this client would like to give their guests a means to share their pictures on their site - so now I have to figure out the bug...
... this is the error I keep getting...
Your upload did not succeed, most likely because your browser does not support Upload via this mechanism.
Your browser must support a standard called RFC 1867. Please check with your browser vendor for support of this standard.
------- anyone else experienced this?
Many thanks all!!
Doug

Looks great. I can't wait until this will be released. Will there also be an easy way to migrate my current version ?
Hans

Ok...thanks.

1st. Please understand you have to purchase two licenses to do such a thing as each installation will need a valid license purchased.
Moving on:
ASPProtect uses an industry standard concept called "Forms Based Authentication"
This primarily relies on session variables keeping track of login status.
Each installation must be in its own unique "IIS Application" so it will have its own set of application and session variables.
That is often not possible with shared hosting plans as the server admins may not be willing to set a folder in your web as a separate IIS application. You would need to ask. It is going to depend on the quality of your hosting plan whether they do it or not.
Technically it takes about 1 minute to open up the "IIS Console" and set up a folder in your web as a separate "application"
Based on what you are telling me that you want to do I think it would make a lot more sense to have one installation and one user database and customize your sites so ASPProtect users that are part of certain "groups" have access to things others do not or see things on pages other users would not. That is after all the entire point of Dynamic web sites and also why ASPProtect has "groups".
Then as far as the registration differences go you would make a copy of the users area folder and manually customize it to register users in an alternate fashion than the main "users" folder. And then send people there if that is how you want them to register.
I don't support customizations but that is the gist of it. It's really not difficult work, but you have to be good with ASP.

New Version 8.1 Released
What's new.. http://www.aspbanner.com/v8_notes.asp
Upgrade Instructions...
Upgrade at your own risk. Though we try, new versions are not always perfect due to minor bugs we may miss.
Back up your old setup so you can revert back if necessary..!!! Save your data connection string info in a text file so you have it. You can get that by viewing the system info page in the admin area.
Carefully copy all the ".asp" files from the new version to the old. You're going to want all the .asp files in the aspbanner folder. You're going to want all the .asp files in the aspbanner/scripts folder
Copy the aspbanner/images folder because there are some new images
Be sure to also copy the "data/config" folder files.folders as well as a lot of that is new including the actual config file. If you don't get the new config file copied in there you will have problems later on with some of the new features.
Be sure to create a new folder in the "data" folder called "tempstats" Make sure it has proper permissions if you plan on using the delayed stats feature as the stats gets temporarily stored there.
Go back to the area where you originally setup the data connection and do that again...
From the web browser run the following URL
http://yoursite/data/config/aspbanner_unlimited.asp
Replace "yoursite" with the proper url info relevant to your web site location.
When run via the web server that page will ask for a password. By default it is "temp". You should change it later on for security reasons. That page tells you how.
Now... moving on..
There were no changes to the database except for SQL Server users so you can use your existing database.
SQL Server users that want to use the new stored procedures feature (it's optional) will need to update their SQL database with the stored procedures.
Scripts to do that are provided.
ALSO: I have been running this new version using SQL Server Stored Procedure mode for 1 week on a special banner server that serves banners to many of my own sites. I have also been using the new Delayed Stats feature.
All I can say is it is running like a champ and the SQL server is using less memory than it ever did before.

I am using v7 with other software written in ASP.NET. When I include the "checkfor" and include file, I'm receiving a compilation error.
Here is the include I have on the .aspx file:
<% CHECKFOR = "4" %>
<!--#INCLUDE FILE="../../ASPProtect/check_user_inc.asp"-->
Here is the error:
Compilation Error Description: An error occurred during the compilation of a resource required to service this request. Please review the following specific error details and modify your source code appropriately.
Compiler Error Message: BC30689: Statement cannot appear outside of a method body.
Source Error:
Line 15: <%
Line 16: ' This is part of the too many login attempts lockdown code which sets a cookie to block login attempts for a certain amount of time
Line 17: If LoginLockDown Then
Line 18: If Request.Cookies("PASSWORDSYSTEMCOOKIETRIAL")("LoginTries") <> "" Then
Line 19: If Cint(Request.Cookies("PASSWORDSYSTEMCOOKIETRIAL")("LoginTries")) = Cint(LoginLockDownAttempts) Then
Source File: D:\Sites\resadmin\NetOptions\testsite.com\www\ASPProtect\check_user_inc.asp Line: 17
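
The include quoted in the post above climbs out of its folder with `..` segments, which is what the Parent Paths setting discussed at the top of this page permits. An added example (not from the original posts or from CJWSoft's code) that lists the `#include file` directives in a set of ASP sources that depend on that setting, shows where each one resolves, and gives the `#include virtual` form that works with the setting off. The function name, the sample page locations and the two includes without `..` are assumptions made for the example.

```python
import posixpath
import re

# Matches classic ASP server-side include directives, e.g.
#   <!--#include file="../inc/x.asp" -->  or  <!--#INCLUDE VIRTUAL="/inc/x.asp"-->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*["\']([^"\']+)["\']\s*-->',
    re.IGNORECASE,
)


def audit_parent_path_includes(pages):
    """Find '#include file' directives that only work with Parent Paths enabled.

    pages maps each page's site-relative path (forward slashes, no leading
    slash) to its source text. Returns one finding per include whose path
    contains a '..' segment.
    """
    findings = []
    for page, source in sorted(pages.items()):
        page_dir = posixpath.dirname(page)
        for kind, target in INCLUDE_RE.findall(source):
            segments = target.replace("\\", "/").split("/")
            # 'virtual' includes are resolved from the site root, and 'file'
            # includes without '..' never leave the including page's folder.
            if kind.lower() != "file" or ".." not in segments:
                continue
            resolved = posixpath.normpath(posixpath.join(page_dir, *segments))
            # normpath keeps leading '..' segments it cannot cancel out, so a
            # result starting with '..' points above the web root.
            outside = resolved == ".." or resolved.startswith("../")
            findings.append({
                "page": page,
                "include": target,
                "resolves_to": resolved,
                "outside_web_root": outside,
                # Root-relative form that does not need Parent Paths; there is
                # none for a file that lives above the web root.
                "virtual_equivalent": None if outside else "/" + resolved,
            })
    return findings


# Constructed sample. The '..' include lines are the ones quoted in posts on
# this page; the page locations and the other two includes are assumptions.
SAMPLE_PAGES = {
    "clients/acme/docs/collaboration.asp": '''
<!--#INCLUDE FILE="../../../../aspprotect/check_user_inc.asp"-->
<!--#include file="../../../filetransfer/directory_listing2.asp" -->
<!--#include file="../../../filetransfer/upload.asp" -->
<!--#include virtual="/inc/footer.asp" -->
''',
    "members/reports/default.asp": '''
<% CHECKFOR = "4" %>
<!--#INCLUDE FILE="../../ASPProtect/check_user_inc.asp"-->
<!--#include file="header.asp" -->
''',
}

if __name__ == "__main__":
    for f in audit_parent_path_includes(SAMPLE_PAGES):
        where = "ABOVE WEB ROOT" if f["outside_web_root"] else f["virtual_equivalent"]
        print(f'{f["page"]}: {f["include"]} -> {f["resolves_to"]} ({where})')
```

Includes reported with a `virtual_equivalent` can be rewritten so the site no longer needs Parent Paths; the ones flagged as outside the web root are the cases the setting actually exists for and need the file moved or the setting left on.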

What about browser caching ? It can happen easily especially if you update pictures over one another.
empty out the temp files of ie (take a while usually).. close all ie windows and go back..
Otherwise I need detailed info on the problem. What you told me is not enough to troubleshoot. There are so many factors like what image resize component you are using, the size of the pictures before conversion, server resources, what you're doing regarding 3 albums.... etc etc
I have imported 100 pics at a time into an album on a fast server with no issues. That's using any of the image resizing components.
If an album is new what you're describing should never happen. Again, I think what you're seeing is browser caching playing tricks on you. We have anticaching things in place so thumbnails never do that but not for the large images.

Seems as though changing the mail settings to "remote email server" did the trick.

These Settings:
Picture upload feature settings.
- Use_Picture_Upload (value: True): Check this if you will be using the picture uploading feature.
- UploadDirectory (value: C:\Inetpub\virtuals\aspphotogallery.com\Web\demo\pictures): Example: "C:\Inetpub\wwwroot\ASPPhotoGallery\pictures" Ask your server admin if you are not sure. This directory needs proper permissions for the SAFILEUP component or the VBSCRIPT solution to work correctly. It basically needs the same permissions as the database directory would need when using Microsoft Access.
- PictureURL (value: http://www.aspphotogallery.com/demo/pictures): Example: "http://p600laptop/ASPPhotoGallery/pictures" This is the web URL of the upload directory specified above.
- Use_SAFILEUP_Upload (Upload_Solution value: SAUP): This option will enable file uploads using a component called SAFILEUP which is a high end upload component available from www.softartisans.com. It is far superior in performance and reliability compared to the VBSCRIPT file upload solution. It is highly recommended for a busy site. If you enable this component and do not have it installed on your web server you will cause an error.
- Use_ASPUPLOAD_Upload (Upload_Solution value: ASPUPLOAD): This option will enable file uploads using a component called ASPUPLOAD which is a high end upload component available from www.persits.com. It is also far superior in performance and reliability compared to the VBSCRIPT file upload solution. It is highly recommended for a busy site. If you enable this component and do not have it installed on your web server you will cause an error.
- Use_DUNDAS_Upload (Upload_Solution value: DUNDAS): This option will enable file uploads using a (FREE) component called DUNDAS UPLOAD which is a high end upload component available from www.dundas.com. It is also far superior in performance and reliability compared to the VBSCRIPT file upload solution. It is highly recommended for a busy site. If you enable this component and do not have it installed on your web server you will cause an error.
- Use_VBSCRIPT_Upload (Upload_Solution value: empty): This option will enable file uploads using a pure VBSCRIPT solution. It requires VBSCRIPT version 5 or higher to be installed on the server. The solution usually works fine, but has been reported to cause memory leaks on XP machines.

I have an asp page that includes other asp pages via an include. for example:
snippet code: file name: collaboration.asp
<table bgcolor="#bed1e4" border="0" cellspacing="0" cellpadding="10" marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">
  <tr>
    <td>
      <!--#include file="../../../filetransfer/directory_listing2.asp" -->
      <BR><BR>
      <!--#include file="../../../filetransfer/upload.asp" -->
    </td>
  </tr>
</table>
I can add the code below to collaboration.asp and it seems to work, but I can't seem to figure out how to protect the other files such as upload.asp at the same time. -- can you help? - Note: as soon as I add the code below (and adjust the path) - I can't bring up the page.
This is the protection code I am using.
<!--#INCLUDE FILE="../../../../aspprotect/check_user_inc.asp"-->
Shirely

Chris, that fixed it. Found 2-references to guestbook2 in the file show_messages_inc.asp located in the \guestbook\ directory.
Suggestion for future release. Create an option to email the admin when a message is posted. If this code already exists please advise.
Thanks, Lance

Okay Chris, I would like to get rid of the encryption then if it's not too much trouble.
I have no option of running the production server against an ms access db, since the db needs to be online and accessible from another system.

Terribly sorry, but we are not software-technical. So can you please tell us exactly which folder the database would be in.
Thanks in advance.

Chris, and all who read this post.
Don't run away! I believe that perhaps I gave Chris good cause for this post to be created. But don't fear.
When it comes to most languages I am a newbie, let alone ASP.NET. I did not choose to have an application for my site to be built in ASP.NET. However it was and I had paid for that program and it needed protecting!
Now I did have a few problems, however NONE were with ASPProtect.NET. It is brilliant. NONE were with Chris and the support he provides. I believe he must work 24/7 judging by the speed of replies and the timezone differences.
In the end all the problems were down to MY typos and a web host who insisted that any problem was a conflict and not their server set-up. (which it was!)
Having eliminated the typo and changed web provider to a less arrogant company. ASPProtect.NET installed and ran out of the box. Truly impressive.
As a newbie it is not something I would like to do again. But with help from Chris and from a friend with ASP.NET knowledge any issues were very quickly resolved.
An A+ recommendation for CJWSoft. I love it!

Hello -
Believe it or not I finally can access the photogallery. You were right Chris regarding the unzipping of the files.
Now onto the next challenge! I have set up three categories and proceeded to create a test album. I uploaded a couple of pictures (yeah that worked!!!) but the album does not show up on the default.asp page under the category.
Please advise - Rhona (rookie)

I have seen that happen before though it usually just happens once and then after that it doesn't show up. It's the asphttp component doing it. The ASPBanner system is not doing it. I would try using banner calling method such as the xml parser method. It's usually installed by default on 200 and 2003 servers.

I think I've found the problem..
The password "abcdefgh" works
The password "abcdefghi" does not
(username "ace45")
Passwords can obviously only contain up to and including 8 characters... By some coincidence I only used short passwords with MS Access.

I have run into the same problem with streaming pdfs to the browser
using the stream_download.asp example, but only when selecting the
option to open the file directly into the browser (after it's streamed
back) as opposed to saving it and then opening it (which works fine in
Firefox and IE). Then I ran across this Microsoft support article
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q297822
It got me thinking that maybe a header needs to be included in
stream_download.asp that tells the browser to specifically cache the
file. Adding this suddenly got everything working
Response.CacheControl = "Public"
right after this line in the code
Response.ContentType = "application/octet-stream"
My asp is limited, but this seems to work at least for pdf
documents. Can someone confirm this? The other question I
have is if this is a solution, should the CacheControl be set to public
or private. Not sure on what the implications are.
Firefox by the way seems to open or save and open the file without
this, so you are right that the implementation between the browsers is
certainly different.
Tom

Is there anyway to limit the number of Albums each user can make?

No luck...this is the message
Return To Import / Export Screen.
Active Server Pages error 'ASP 0113'
Script timed out
/members/aspprotect/password_admin/upload_post.asp
The maximum amount of time for a script to execute was exceeded. You can change this limit by specifying a new value for the property Server.ScriptTimeout or by changing the value in the IIS administration tools.

How to set a new user's expiration date.
You'll need to edit the "users/add_new_account.asp" with a text editor.
Find this section..
<%
CmdAddUser.Fields("ValidateEmailCode") = ValidateEmailCode
CmdAddUser.Fields("Access_Level") = "4"
' PUT YOUR CODE HERE
CmdAdduser.Update
ID = CmdAdduser("ID")
CmdAdduser.Close
Set CmdAdduser = Nothing
ConnPasswords.Close
Set ConnPasswords = Nothing
%>
You'll want to add code like this right between the Access_Level and Updates section
CmdAddUser.Fields("Expiration_Date") = Date + 60
That will take today's date and add 60 days to it. You can of course do whatever you want here.
Actually, any database value for the user can be set during registration.
You can also change the default Access_Level to whatever you like.

When I designed the system I never really intended people to type in long descriptions for pictures
and if they did I assumed they would use the enter key once in while..
but I guess people don't do that
This thread is along the same lines and shows what someone else did about this..
http://support.cjwsoft.com/code/moreinfo99-1.htm
though they are talking about a different page it's the same issue

I had never noticed this before, but a customer sent me email to say that they had set up their aspclassifieds profile such that they be contacted by email and not by phone.
However, in their ad, their phone number still appears. The lines in view_ad.asp that check for True values for the Contact_Via_Email and Contact_Via_Phone before displaying that information seem to always evaluate to True, regardless of their setting in the database.
I'm using an Access2000 DB for this. When I open the DB in access, I see the checkboxes correctly unchecked for phone and checked for email. However, if I do a quick test to display the retrieved values in the view_ad.asp (<%=contact_via_phone%> <%=contact_via_email%>) they both display True.
What gives? I have had nightmares with Access and its weird handling of true/false 0/1 yes/no fields, but this is driving me nuts.
Timecard Entry: 3/25/2006 1:46:57 PM
WENT TO WALMART AND KMART TO CHECK PRICES AND GET MINIBLINDS.., read asp book, Fairly quiet, just normal problems., food break, Times - School Stats basketball input form validations., inventory and recieving of new equipement, installation of grounding cables on switching equipement, Helping Randy install CiSCO router. Watching Randy install and configure it. , teched calls , worked on Canadian/US map for GiSCO home page, Telephone conference with Hiscock & Barclay, filling out last weeks time cards!, Project Status Tracker, to Albany 225 Miles, claytonchamber- statstracker info, Stop by watertown office and then come back to Clayton, Not too bad... answered phones. Tried to call a woman for Linda 3 times, no luck. No serious things happened., finalized and submitted staples order, answered phones, signups, cancellations, acct changes, filed customer paperwork, Charity Event at Clayton Fire Hall, Install Relay Racks, Ladder Rack, worked to decipher what W/O's were open and which were closed, radlog and callbacks, Staff, NorthCountryNow.Com - Trying to figure out why banner ad images on home page are shifting outside of table width when in 640x480 graphic mode. Problem fixed., Creating an admin area and user login for Timberview, go over with darrell and see the t1 test equipment of the beeper places... goto the city building and square away the manhole issue, Batching, answering phone., Meet with Fisher cast, imail ran out of disk space....cleaning out old files in the spool directory....imail is working again with 130 megs space, put in work orders for new web customers, registered domain names, setup the wine sellar and Matt Militello with domain names, frontpage and ftp access and sent to billing, phone calls concerning web hosting access and etc, updates to web databse, callbacks from voicemail, checked emails, taking sign ups, answering phone, cc report with Mary, cancellation of inovices, incident report. quality checked sign ups. ,