Saturday, March 1, 2008

WebTecker

I want to let everyone know. I have a new blog called WebTecker. Check it out.


Thursday, January 24, 2008

Send an Email using ASP CDONTS

Sending an email in ASP is pretty straightforward. The code is below:

Set objEmail = Server.CreateObject("CDONTS.NewMail")
objEmail.to = "to_email@gmail.com"
objEmail.From = "your_email@domainname.com"
objEmail.Subject = "Subject"
objEmail.Body = "Email Body"
objEmail.send
Set objEmail = nothing

There you go, that's how you send an email. Now let's break it down!

This creates a NewMail object from the CDONTS library.
Code:
Set objEmail = Server.CreateObject("CDONTS.NewMail")
To Property
The To property lets you specify who the email is to, rather self-explanatory! The property has the following form:
Code:
objEmail.to = "to_email@gmail.com"
From Property
The From property lets you, you guessed it, specify who the email is from. It looks like this:
Code:
objEmail.From = "your_email@domainname.com"
Subject Property
This is getting rather repetitive, don't you think? The Subject property lets you define the subject and looks, as you may have already guessed, like this:
Code:
objEmail.Subject = "Subject"
Body Property
Now to the body section. This sets the text of the message, or HTML, which we'll look at soon. It looks like this:
Code:
objEmail.Body = "Email Body"
Almost done: we send the email using the Send method.
Code:
objEmail.send
And then we release the object's resources:
Code:
Set objEmail = nothing

That's all it takes to send an email. If you need any other help, please post your comments below.


Wednesday, September 12, 2007

Classic ASP Application Security

In today’s world security is everything! That’s why I’ll take you through some basic ways to secure your Classic ASP web application.

1. Database Security

The first thing you need to do is secure your Access database. Since an Access database file that sits inside the published site can easily be downloaded from the Internet, it is always smart practice to put the database in the root directory of your hosting space, outside the website folder. This way the Access database can't be downloaded, and your pages will still be able to access it. Below is an example of database security.



This is a sample website directory. The site folder holds your entire site, including the home page, images, and various other pages. As you can see, the database is located outside of the actual site. For this to work, the site's URL must point to the site folder. To connect to the database, use the following code.


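' Server.MapPath("/") returns the physical path of the site folder; removing the
' folder name "website" from it leaves the parent directory that holds database.mdb
dbconn = "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE="
dbconn = dbconn & Replace(Server.MapPath("/"),"website","") & "/database.mdb"
Set Conn = Server.CreateObject("adodb.connection")
Conn.Open dbconn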

2. Login Interface Security Permissions

Some applications that you create will require multiple interfaces, for example a Manager interface and an Employee interface. You don't want the Employees to have the same access as the Manager, so you need to create separate interfaces. I will show you an example below.


The first thing to do is build a database and put it in the root directory, outside the site folder, as described in section 1. Following that, open your database and design the tables. Below is the Logins table for this project:


Obviously, the Logins table requires a Username and a Password column; however, we also need a third column, Status, which is used to determine the permissions of any particular user. For example, a user with the status of "Manager" would be able to view all information, whereas a user with the status of "Employee" would only be able to see their own information.

You now want to create the first page, called index.html:


<HTML>
<HEAD>
<TITLE>Login</TITLE>
</HEAD>
<BODY>
<FORM ACTION="login.asp" METHOD="post">
<TABLE BORDER="0">
<TR>
<TD VALIGN="Top">Username:</TD>
<TD VALIGN="Top"><INPUT TYPE="text" NAME="txtUsername"></TD>
</TR>
<TR>
<TD VALIGN="Top">Password:</TD>
<TD VALIGN="Top"><INPUT TYPE="password" NAME="txtPassword"></TD>
</TR>
<TR>
<TD VALIGN="Top"></TD>
<TD VALIGN="Top"><INPUT TYPE="submit" VALUE="Login"></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>

It is very important that you use the POST method to send the login data, not GET, as users would be able to see passwords in the client's browser history, amongst other things that would pose a major security threat.

The next file that needs to be created is login.asp, which will process the login information and set the login state. Here's the code.


<%
'------------------------------ Get Form Fields ------------------------------'
txtUsername = Request.Form("txtUsername")
txtPassword = Request.Form("txtPassword")
'---------------------------- Connect to Database ----------------------------'
dbconn = "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE="
dbconn = dbconn & Replace(Server.MapPath("/"),"website","") & "/database.mdb"
Set Conn = Server.CreateObject("adodb.connection")
Conn.Open dbconn
'------------------------------- SQL Statement -------------------------------'
' The form values are concatenated into the SQL text as-is; they are not escaped or parameterized
sqlstr = "SELECT Username,Password,Status FROM logins WHERE Username='" & txtUsername & "' AND Password='" & txtPassword & "'"
Set rs = Conn.Execute(sqlstr)
'---------------------------- Check if user exists ---------------------------'
If rs.BOF And rs.EOF Then
    Response.Write "<h2><br>Access denied, sorry.<br>Return to the login screen and try again.</h2>"
Else
    '------------- User exists, we will now redirect to the interface -------------'
    Status = rs("Status")
    If Status = "Manager" Then
        '----------------------------- Manager Interface -----------------------------'
        Response.Write "<h2>Welcome!<br>Click <a href='manager/index.asp'><u>here</u></a> to enter</h2>"
    Else
        '----------------------------- Employee Interface ----------------------------'
        Response.Write "<h2>Welcome!<br>Click <a href='employee/index.asp'><u>here</u></a> to enter</h2>"
    End If
End If
%>

The script is fairly basic: it opens a database, requests a recordset, checks whether it is empty using the BOF and EOF properties (both are true if the recordset is empty), returns an error if appropriate, and otherwise lets the user click through to the next page. The next page will take the user to the appropriate interface.
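The query in login.asp is built by joining txtUsername and txtPassword into the SQL string, so a quote character typed into either field becomes part of the statement. The same lookup with an ADODB.Command and ? parameters is shown here as an added example, not code from the original post; the 50-character column width and the Session key names are assumptions.

```vbscript
<%
Option Explicit
' ADO constants (normally supplied by adovbs.inc)
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202
Const MAX_LEN = 50   ' assumption: width of the Username and Password columns

Dim txtUsername, txtPassword, dbconn, Conn, cmd, rs

txtUsername = Trim(Request.Form("txtUsername"))
txtPassword = Request.Form("txtPassword")

' Reject empty or oversized input before it reaches the database
If Len(txtUsername) = 0 Or Len(txtUsername) > MAX_LEN Or Len(txtPassword) > MAX_LEN Then
    Response.Write "<h2>Access denied, sorry.</h2>"
    Response.End
End If

dbconn = "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE="
dbconn = dbconn & Replace(Server.MapPath("/"), "website", "") & "/database.mdb"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open dbconn

' The ? placeholders are bound in order; the values are sent as data, never as SQL text
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT [Status] FROM logins WHERE [Username] = ? AND [Password] = ?"
cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, MAX_LEN, txtUsername)
cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, MAX_LEN, txtPassword)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "<h2>Access denied, sorry.<br>Return to the login screen and try again.</h2>"
Else
    ' Keep the role server-side so the interface pages can check it on every request
    Session("Username") = txtUsername
    Session("Status") = rs.Fields("Status").Value
    If Session("Status") = "Manager" Then
        Response.Write "<h2>Welcome!<br>Click <a href='manager/index.asp'>here</a> to enter</h2>"
    Else
        Response.Write "<h2>Welcome!<br>Click <a href='employee/index.asp'>here</a> to enter</h2>"
    End If
End If
rs.Close
Conn.Close
%>
```

Each page under manager/ and employee/ would then start by checking Session("Status") and sending the visitor back to index.html when it does not match. The comparison still uses the plain-text Password column described in the post.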

This is part 1 of creating a Secure Classic ASP Web Application. If you have any questions please post them below.


Friday, September 7, 2007

ASP to force HTTPS SSL

There are a couple of different ways of forcing an ASP page to SSL. The first way is to create a custom error page that redirects the ASP page to HTTPS. Another way is to use an include file that redirects every page to HTTPS. I will be showing you how to force SSL using an ASP include file. This is a very simple and straightforward method, and you don't need to log in to the server to configure it. Follow the steps below. If you have any questions, please leave comments at the bottom of this entry.

  • Copy the code below and paste it into a file named ssl_force.asp

Include file: ssl_force.asp


<%
' Runs only when the request did not arrive over HTTPS
If Request.ServerVariables("HTTPS") = "off" Then
    method = Request.ServerVariables("REQUEST_METHOD")
    srvname = Request.ServerVariables("SERVER_NAME")
    scrname = Request.ServerVariables("SCRIPT_NAME")
    ' Build the HTTPS address of the same page, keeping the query string
    sRedirect = "https://" & srvname & scrname
    sQString = Request.QueryString
    If Len(sQString) > 0 Then
        sRedirect = sRedirect & "?" & sQString
    End If
    If method = "POST" Then
        ' Re-post the form fields over HTTPS (the original POST already travelled over plain HTTP).
        ' Everything written into the page is HTML-encoded and every attribute is quoted.
        Response.Write "<form method=""post"" action=""" & Server.HTMLEncode(sRedirect) & """ name=""f"">"
        For x = 1 To Request.Form.Count
            tname = Server.HTMLEncode(Request.Form.Key(x))
            tvalue = Server.HTMLEncode(Request.Form.Item(x))
            Response.Write "<input type=""hidden"" name=""" & tname & """ value=""" & tvalue & """>" & vbCrLf
        Next
        Response.Write "<input type=""submit"" value=""Go To SSL"">"
        Response.Write "</form>"
        Response.Write "<script>" & vbCrLf
        Response.Write "document.f.submit();" & vbCrLf
        Response.Write "</script>"
    Else
        ' GET requests are simply redirected
        Response.Redirect sRedirect
    End If
End If
%>

  • For each page that requires SSL, paste the following code at the top of the page to reference the include file from the previous step:

<!--#include file="ssl_force.asp"-->


  • When each page is browsed, the ASP code that is contained in the include file detects if HTTPS is used. If HTTP is used, the browser will be redirected to the same page by using HTTPS.
