Good Evening,

I have been trying to log into my site using the protected pages comments you have in support. I have copied the code in the ASPprotect 7 guide.

<%@ LANGUAGE="VBSCRIPT" %>

<!--#INCLUDE FILE="check_user_inc.asp"-->

and pasted it in my page, set the the IIS to open this page and the page will not open it and the page will not open and the error is

Error Type:
Active Server Pages, ASP 0126 (0x80004005)
The include file 'check_user_inc.asp' was not found.
/olem/reldt/introduction.asp, line 3

When I remove the two lines of code everything goes normally.

I have aspprotect in its own directory in the website. I have read the installation several times and I am afraid I am missing something blatently obvious so I really appreciate you thoughts.

I am presently using redirects. I like not haveing to use them as your comments have suggested. I have pulled all that code from the pages I desire to protect during this test.

I have three test users in my database - 1 administrator

Any suggestions?

Thanks and best regards

Great software.

How easy would it be to copy the email address entered at registration directly into the login id field so that the user's email address is automatically used as the login id? 

Also, where in the code can I turn off the random password generator - I'd rather force people to pick something they can remember themselves.

Thanks,

Nick

Microsoft VBScript compilation error '800a0400'

Expected statement

D:\CLIENTS\RKLARMAN\DRSWEISBERG\PASSWORD_ADMIN\../dataconn_i nc.asp, line 18

<%
^

In a way your questions are confusing to me, but here is some information regardless.



Using Active Sever pages you can not protect entire folders. It is simply not possible. ASPProtect is Active Server Pages scripts so it can only protect individual ".asp" files.


If you are concerned about customers downloading the access database..

best practive is to store it in different folder name than it came in
best practive is to give the database .mdb file itself a different name
best practive is to change the password on the access database
best practice is to store it in a directory that is not part of your web if possible.. many of the better hosting companies have it set up so you actually can do that

the more of these things you can do the better..

And if you are really worried about security you should use a SQL Server database which nobody can download from your website under any conditions because your data lives in the sql server and unless they get the username/password to it they can not access it.

I am also getting the "Unspecified Error" message.  I just transferred my site to IIS 5.0 and I get that error now.  However it does not happen everytime.  I can click on a page and it opens fine and then I hit refresh in the browser and I get the "Unspecified Error" message.  What could be causing this?

yes, admins have access to absolutely anything...

as for the other question what you should do is only show links to people logged in that they have access to.. then they wont get logged out when they go to a page they do not have access to

for example if someone doesn't have access to a level 4 page dont give them a link to go there... you can do that by checking the session variables and creating your hyperlink html code accordingly .. using simple if-else logic... you could even make a hyperlink non-clickable and add some text to it like (no access)

it's all about taking the time to intelligently designing the different areas of your web site. It takes a bit of time and work to really make a system flow the way you want it to.

other than that it becomes extremely complicated to not grant them access when they go to a page they dont have access to but also keep them logged in. It is just not designed to flow that way. If someone goes to a page they do have access to they get logged out. It sort of has to be that way because of the ways things flow.

more info on accessing user info after login so you can do that
http://support.cjwsoft.com/code/moreinfo198-1.htm

another good thing to check out is the provided examples for mutliple access levels. You can see that if you log into the default page for that that it only shows you links to pages you have access to. Done with simple if-else logic around the html links. It is using groups but you can do the same sort of concept using groups.

like I said... you would have to modify the code
(and really I dont think it is possible, how could it be when images uploaded are of all shapes and sizes)

How are pictures of various shapes and size going to resized to a fixed width and height without distortion on either a horizontal or vertical level ? Uness the image uploaded matches the fixed thumbnail ratio you have set there is going to be distortion.

There is no component that is going to make it any easier. You are already using an image resizing component.

I give you two options the way the code ships.

fixed width and height for thumbnails

or

fixed width / dynamic height for thumbnails

The only other possible option would be

fixed height / dynamic width for thumbnails

and that you would have to code on your own because that option is not there

The last thing I will say is this. Sorry, but I do not support custimizations to the code. It's just not easy to explain. Its a lot of code work. Its a lot of time.

import/export feature WARNING !!

I just want to warn everyone that the built in import/export feature can be a little dangerous.
The reason being is when you import users they get new "Users_ID"s in the database.

The "User_ID" field is an autonumber field and that is why and there is nothing you can do about it.

So, if you are using a user's current "User_ID" to keep track up something important NEVER export the users and re-import them. Because their "User_ID" will change and you will be in trouble.

The PayPal signup features of ASPProtect actually use the "User_ID" like this and that is the main reason this warning is here.

now, that being said

If you are importing new users into ASPProtect

or

simply exporting existing users to another system

then this is nothing to worry about.


Basically, the moral of this story is dont think of the built in Import/Export feature as backup system because it is not. It is not a substistute for backing up your database.

It is a just a tool that can come in handy for various things.

Can ASPClassifieds display the ads by city?

I have a web directory that lists websites and companies by city.  Is it possible to have specific ads shown to the user depending on what city they click on?  For example, only ads in New York would be shown to users that have already clicked on that city in my directory.

thanks,

Is there a way to upload photos to individual user directories? I don't want all the picture files in a single directory.

Thanks,

Steve

Thanks.

Nick

Yeah, its a win2k server.

Im up and running now (my guess is ASP wasnt installed, but he did not say), but am not having luck with any of the email.  I contacted my host to see what is available and have yet to hear back.  Do you generally recommend people to run CDOSYS?

Ive been reading through the docs, and the users and protection seems to be pretty straightforward.   Nice!

The only other real question I have (and cant find in the docs) is how to remove the self registration option all togehter.  My client wants to add its users manually, and not give the option for them to sign up themselves.  Do I just find any remove any code that references it?

Below is the email I received when testing the self-registration. Does anyone know what setting I configured incorrectly?

I received the email to confirm the registration but the link to activate is invalied.

Thanks!

Your registration still has to be validated.
Go to
?u=bubbaj&v=4579
to verify your registration.

so use the connection string the readme.txt in the sql installation folder file tells you to... it has the correct username.. I just posted that info above

or change the username in the connection string so its rigfht

or go into sql and give any user you want access to the database and use them

Any connection strings that come in the datacon_inc.asp file the way it ships are examples. We fully expect people to edit them.

Also.. the SQL scripts primarly goal is give you a properly set up database with correct files and table settings. Users and permissions often need a little extra attention from the installer as that part doesn't always get set right by the scripts It really all depends on what sql user you are when you execute the scripts. Many times the user someone logs in with doesn't have permission to make users and set permissions.

how about translating the error to english..

Looks to me off hand that it would have something to do with the SQL server itself not being run in an english lcid/format and causing some sort of date issue.

I would also suggest you start off with a brand new blank SQL ASPBanner database and make sure that works before you attemp t to import any data into it.

the menu file.. "menu.asp" or something... just follow the logic of the code to find things like that. Look for server side include files and what not in the source code.

This is a good article on figuring out what pages to edit as well as other things.
http://www.powerasp.com/content/hintstips/common_sense.asp

If it was working and you changed code you could have possible messed up how all of that works... you may need to revert back and be really careful as you make changes testing every step of the way.

How do I change the character length for the description field?

http://gibsoncity.info/guestbook/default.asp

Reports 65-messages, however after the first 10 are displayed and you click on the More Messages button, I get the Page cannot be found error.

Regarding installation in a subfolder

Though this should be common sense and ASP.NET 101 "so to speak" One thing not mentioned in the docs..


If you do not install ASPProtect.NET in the true root of a web there a key in the web config you must adjust.

it looks like this

<forms name=".aspprotect~net" loginUrl="/aspprotectlogin.aspx" protection="All" timeout="60" path="/" />

The way it comes it is valid for a root installation..

lets say you installed the application in folder called.
"aspprotectnet"

the key would change to this

<forms name=".aspprotect~net" loginUrl="/aspprotectnet/aspprotectlogin.aspx" protection="All" timeout="60" path="/" />

Disallowed Parent Path

The Include file '../dataconn_inc.asp' cannot contain '..' to indicate the parent directory. 

When you get an error like this it is because parent paths are disabled on the web server. This is a setting in the IIS console for your website.

If it is not enabled on you server you will have to ask your host to enable parent paths for your website.

This is what the settings screen looks like on an XP Machine

Additional Information:

It is enabled by default on IIS4-IIS5 but in IIS6 it is disabled by default.
It is a minor security risk to have enabled and some hosts can be difficult about setting it.

Truth is, if your hosting ASP for customers you need to enable this setting if the customer requests it. Especially since 90% of the ASP applications out there require the setting.

Hosting companies should if they are serious about hosting ASP.


If they won't your only option is to go through all the code and convert the file includes to virtual includes.

http://www.powerasp.com/content/code-snippets/includes.asp

The trouble with virtual includes is they are different depending on the layout of your website. (that's why web application developers generally don't use them)

Basically if you are in a sub domain the path for the virtual include is going to be different then if you were in the root.. etc etc

Also.. someone developing on a local machine would need totally different virtual includes on the development server than they would on the live server. Server Side includes are processed before ASP so there is no way to make them SMART, so to speak. Server Side includes are hardcoded and that's that.

In my opinion virtual includes are pretty useless for commercial web based applications...  Since you don't know where the customers plan to install the apps.
And YES there are some tricks when designing the applications that make it less of an issue but they are not perfect solutions.

For example...

The virtual include below would work if the application or code was installed in the root
<!--#include virtual = /somefile.asp"-->

But if the application or code was installed in a directory called "somedirectory" the virtual include directive would need to look like this

<!--#include virtual = "/somedirectory/somefile.asp"-->

well, so far one other guy found one..

his, was some sort of weird character that was causing a line break or something though in my testing I just couldnt figure out what was going on

now for me to reproduce any error someone find with a password I need to know the key used and the password used

which make it real hard to troubleshoot

Does emailing work under the simplest scenario ? (directly from the users screen)

Thats the way to test it..

All that error means is whatever reason the settings you have chosen are not working. It could be the server. It could be what you chosen. (and yes I realize your pop info from outlook should probably work with the settings you chose)

Whenever I do installs I often have to try 3-5 different emailing scenarios before I come across one that works.

Each time making some changes and sending out test emails from the users screen until I get somewhere. Often time getting a working example of how your Hosting Company wants you to send email from ASP is the info to get your hands on. (what method and settings)

In this case they may have blocked the usee of a remote server and want you to use some other settings for sending email from asp. A lot of times they put that info in their help system.

If I were you I would start by trying the other two CDOSYS options for starters, and then try the remote server option again but using "localhost" as the server, if none of those work consult your host for example code and settings to send email from asp. If you still have no luck I can help for sure.

Realize too when testing the emails may take a bit to arrive. A delay of sorts. Best to type in a quick note about which method you are trying in the email text. That way when you finally get one delivered you'll know which method worked.

If you would like me to, I also have no problem going into your machine real quick via remote access and setting permissions / putting the right connecting string in there for you.

I need to go in as an administator though to set the permissions.

I have been working on this. 2Checkout is like the most confusing and worst payment processing company on the planet. There are things about that page I just don not understand as many times as I read through it.

Doesn't seem like this stuff is mandatory just yet. (I asked)

I should have something soon.

Some users have reported an error during the registration process.
Here is what I believe is happening.

When you register you get sent a validation email that has a link in it that looks something like this.

http://support.cjwsoft.com/forum//activate.asp?ID=testAD3AD2 97BC

That link can only be clicked on once which will activate your account.

If you somehow run that link more than once you will get a message telling you there was an error.


I think some people are double clicking on the link they get sent and running it more than once.... or clicking on it again after registration is complete. It probably happens very fast so they never see the success screen.

Either way, if you can login to the forum nothing is wrong and you are already activated.

Hi, I haven't heard anything from you.

Has this issue been resolved ?

Thanks

I will actually explain how to set access_levels and/or groups...

in "users/add_new_account.asp"

This is what "John Evans" of CJWSoft has to say on the matter...

"I think that’s pretty much impossible. If the server sees a .JPG or .JPEG extension why in the world would it go and try to read it or do anything with it.

I believe there may have been some issues with Outlook and Outlook express that made it look like a vbs script sent as an attachment was actually a JPG because someone found an exploit in those programs and it would appear as if double extension files were one thing when in fact they were not.

Having a real time virus scanner on the server (which any good host will) should also catch anything infected being built on the server drives as the file uploads. Always worked for me and I had a lot of people uploading ZIP files on winxptheme.com at one point. Many had viruses in them although I suspect it was totally innocent on the end users part. Some people didn’t even know they had a virus on their rig. 

Fact is anything is possible but I think chances of getting a virus or being hacked in some way from this sort of upload are really slim."

The company that hosts our business web site has been impossible to deal with in assisting me in getting asp protect to work. Getting the rights set correctly took 6 days and then getting parent paths enabled has been impossible. There last response was simply this:

The includes were changed so that if your server does not support "parent paths"
' and the "../" that you could easily change a few files like this and make the
' includes virtual includes instead of file includes. We didnt make them virtual
' includes by default because depending on where in your site you put the application
' the virtual include path would be different. They are also much different on a local
' development server than they would be on your real server
'
' Here are some examples of what you might change these includes to
'
' If you put the aspprotect folder in the root of your domain at your server
' example: www.mydomain.com/aspprotect
' then you would probably use
'
' #INCLUDE VIRTUAL="/aspprotect/dataconn_inc.asp"
' #INCLUDE VIRTUAL="/aspprotect/config_inc.asp"
' #INCLUDE VIRTUAL="/aspprotect/scripts/emailing_subs_inc.asp"
'
' Or if you didnt use the aspprotect folder and just put the contents of it in the root
' of your domain
' then you would probably use
'
' #INCLUDE VIRTUAL="/dataconn_inc.asp"
' #INCLUDE VIRTUAL="/config_inc.asp"
' #INCLUDE VIRTUAL="/scripts/emailing_subs_inc.asp"
'
' It really all depends on what works for your situation
' If you want more information on server side includes read this article at PowerASP
'
' http://www.powerasp.com/content/code-snippets/includes.asp

I am assuming that they will not enable parent paths and I need to modify some code. I do not know asp. WHere do I modify the code for a server that will not enable parent paths?

Thanks,

D

no, its part the concurrent login checking system.

currently when that is on logging off does not come into play..
(pretty much because it is such a complex system I wasnt able to make it quite that intelligent this time around)

when concurrent login checking is enabled the only way to log in again at another system with the same username and with a different IP is to wait till that time period is over

sorry

as you may recall it was rush feature at the last moment before I got version 7 finished. Hopefully I can improve on the feature in the next version but I dont really see it as being a big issue at the moment. Sometimes when you want maximum security you have to make some tradeoffs and that is why the feature is optional.