  1. #1
    Senior Member
    Join Date
    Mar 2002
    Location
    Alabama sans the damn flag
    Posts
    263
    Member #
    38
    the address bar on the browser reads: (h replaced by x)

    xttp://localhost/CCPD_PatientMainMenu.asp?PID=1078181&submit=submit


    My ASP page reads:

    Code:
    <SCRIPT LANGUAGE = VBScript>
    <!-- #include file="MyInclude.inc" -->
     Option Explicit 
    </SCRIPT> 
    <%
       Dim ID
       ' The page was requested with GET, so PID travels in the query string;
       ' Request.Form only holds fields sent in a POST body, so ID stays empty here.
       ID = Request.form("PID")
    %>


    <HTML>
       <HEAD>
          <TITLE>Single Patient Page</TITLE>
       </HEAD>
          <BODY>

          On This page will be the start of the patient Sequences <P>
    <%    response.write "For Patient ID:  " & ID  & "<<<" %>


          <P><P><P>
       </BODY>
    </HTML>
    The output is:

    On This page will be the start of the patient Sequences
    For Patient ID: <<<

    You'll note the complete absence of 1078181.

    I'm dying guys. What's going on?
    DerFarm
    I talk to squirrels.
    Squirrels Answer.

  3. #2
    Senior Member Kings's Avatar
    Join Date
    Feb 2002
    Posts
    129
    Member #
    19
    Code:
    <SCRIPT LANGUAGE = VBScript>
    <!-- #include file="MyInclude.inc" -->
     Option Explicit 
    </SCRIPT> 
    <%
       Dim ID
       ' Request.QueryString reads parameters carried in the URL (a GET request);
       ' Request.Form reads fields sent in the body of a POST.
       ID = Request.QueryString("PID")
    %>


    <HTML>
       <HEAD>
          <TITLE>Single Patient Page</TITLE>
       </HEAD>
          <BODY>

          On This page will be the start of the patient Sequences <P>
    <%    response.write "For Patient ID:  " & ID  & "<<<" %>


          <P><P><P>
       </BODY>
    </HTML>
    Notice the bolded part...
    K i n g s

    Several handy ASP Resources:
    4guysfromrolla | aspin | ASP101 | AspIt | learnasp

    Several handy ASP.NET resources:
    ASP.NET | .NET Experts | O'Reilly .NET | AspIt | 4guysfromrolla

    Several paid ASP/ASP.NET webhosts:
    Brinkster | Maximum ASP | Clicktech | Nodehosting | Uplinkearth | Webhost4life
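The GET/POST distinction Kings points at, as an added example that is not code from the thread: a small Python stand-in for ASP's Request.QueryString and Request.Form collections, fed two constructed requests for the page above (the same form submitted once with GET and once with POST). The Request class, parse_raw_request and lookup_pid are hypothetical helpers written for this illustration, not ASP's real objects.

```python
"""Where a parameter lives for GET vs POST, mirroring ASP's Request.QueryString and Request.Form."""
from urllib.parse import parse_qs, urlsplit


class Request:
    """Minimal stand-in for ASP's Request object (assumption: not the real object)."""

    def __init__(self, method, url, headers=None, body=""):
        self.method = method.upper()
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        # Request.QueryString: everything after '?' in the URL, whatever the method
        self.query_string = parse_qs(urlsplit(url).query, keep_blank_values=True)
        # Request.Form: populated only from a urlencoded POST body
        ctype = self.headers.get("content-type", "")
        if self.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            self.form = parse_qs(body, keep_blank_values=True)
        else:
            self.form = {}

    def query(self, name):
        """Like Request.QueryString(name): "" when the field is absent."""
        return self.query_string.get(name, [""])[0]

    def form_value(self, name):
        """Like Request.Form(name): "" when the field is absent."""
        return self.form.get(name, [""])[0]


def parse_raw_request(raw):
    """Parse raw HTTP/1.1 request text into a Request (helper constructed for the example)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = dict(line.split(": ", 1) for line in header_lines if ": " in line)
    return Request(method, target, headers, body)


# Constructed requests reproducing the thread: the form submitted with GET and with POST
GET_REQUEST = (
    "GET /CCPD_PatientMainMenu.asp?PID=1078181&submit=submit HTTP/1.1\r\n"
    "Host: localhost\r\n\r\n"
)
POST_REQUEST = (
    "POST /CCPD_PatientMainMenu.asp HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n\r\n"
    "PID=1078181&submit=submit"
)


def lookup_pid(raw):
    """Return (from_querystring, from_form) for PID: what each ASP collection would yield."""
    req = parse_raw_request(raw)
    return req.query("PID"), req.form_value("PID")


if __name__ == "__main__":
    for label, raw in (("GET", GET_REQUEST), ("POST", POST_REQUEST)):
        qs, form = lookup_pid(raw)
        print(f"{label}: QueryString('PID')={qs!r}  Form('PID')={form!r}")
```

Running it shows the thread's symptom: the GET request yields `('1078181', '')`, so reading Request.Form prints nothing, while the POST request yields `('', '1078181')`. The robust fix is to read the collection that matches how the page is requested, rather than relying on whichever the browser happened to send.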

  4. #3
    Senior Member
    Join Date
    Mar 2002
    Location
    Alabama sans the damn flag
    Posts
    263
    Member #
    38
    You're right, Kings. I had mistakenly used the "get" method of calling the page.

    After changing it to POST it worked right.

    This is driving me crazy.

  5. #4
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Another thing that you may wish to consider in that piece of code is the naming of your include file. If you have any 500 errors on your site and you submit said site to the search engines, it is possible (by doing a search on any search engine on various Microsoft error codes) for people to find your site's error page and the reference to the include file. They could then use their web browser to reference the include file, download and open up the include file in any text editor and depending on what's in there, some very bad things could happen to you.

    The solution? To rename anything that's *.inc to *.asp. ASP files cannot be directly downloaded in this manner. There are other security holes to watch out for, and you may want to look these up on sites such as http://www.microsoft.com , http://www.asp101.com , and http://www.4guysfromrolla.com (for starters).
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  6. #5
    Senior Member filburt1's Avatar
    Join Date
    Jul 2002
    Location
    Maryland, US
    Posts
    11,774
    Member #
    3
    Liked
    21 times
    That's a very good security tip, TheGAME1264...mind if I make it a tip of the day?
    filburt1, Web Design Forums.net founder
    Site of the Month contest: submit your site or vote for the winner!

  7. #6
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    No sir. I don't mind at all.

  8. #7
    Senior Member
    Join Date
    Mar 2002
    Location
    Alabama sans the damn flag
    Posts
    263
    Member #
    38
    hmmmmmm....yeah, thanks. What if I named it something other than ....inc? like ...xxx or something. Would the same thing apply???

  9. #8
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    In about 99.9% of cases, yes, because the user with malicious intent could still visit www.yoursite.com/(Your include file).(your extension) and view it in any text editor. The reason ASP is an exception is because it contains server-side code (it's also a good idea to name it (your file).asp because it's an ASP include file).

  10. #9
    Senior Member Kings's Avatar
    Join Date
    Feb 2002
    Posts
    129
    Member #
    19
    If you have access to IIS you can change it so .inc (or .whatever) is also parsed for ASP code.
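For the include-file exposure TheGAME1264 describes (an *.inc referenced from an error page can be fetched and read as text) and the IIS extension mapping Kings mentions, an added example that is not from the thread and not a Microsoft tool: a Python audit that walks a web root, follows every #include directive in the .asp pages and reports includes whose extension is not handled by the ASP engine, so a browser would receive their source. The mapped_extensions parameter models the IIS change from Kings's post; the sample web root (file names, a placeholder connection string) is constructed here, and looks_like_served_source is a hypothetical helper for judging what an HTTP fetch of an include URL actually returned.

```python
"""Audit Classic ASP include directives for files the web server would serve as plain text."""
import os
import re
import tempfile

# Matches <!-- #include file="..." --> and <!-- #include virtual="..." -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)


def find_includes(asp_source):
    """Return (kind, target) pairs for every #include directive in one ASP file."""
    return [(m.group(1).lower(), m.group(2)) for m in INCLUDE_RE.finditer(asp_source)]


def resolve_include(webroot, asp_path, kind, target):
    """Resolve an include target to its path on disk and its URL path under the web root.
    'file' includes are relative to the including page; 'virtual' includes are relative
    to the web root (assumption: a single site rooted at webroot)."""
    if kind == "virtual":
        disk = os.path.normpath(os.path.join(webroot, target.lstrip("/\\")))
    else:
        disk = os.path.normpath(os.path.join(os.path.dirname(asp_path), target))
    rel = os.path.relpath(disk, webroot).replace(os.sep, "/")
    return disk, "/" + rel


def audit_webroot(webroot, mapped_extensions=frozenset({".asp"})):
    """Walk the web root and report includes whose extension is not mapped to the ASP engine.
    Returns a sorted list of (page_url, include_url) findings."""
    findings = set()
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(".asp"):
                continue
            page = os.path.join(dirpath, name)
            with open(page, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            page_url = "/" + os.path.relpath(page, webroot).replace(os.sep, "/")
            for kind, target in find_includes(source):
                disk, url = resolve_include(webroot, page, kind, target)
                if os.path.splitext(disk)[1].lower() not in mapped_extensions:
                    findings.add((page_url, url))
    return sorted(findings)


def looks_like_served_source(body):
    """True if a response body fetched from an include URL still carries server-side
    script delimiters, i.e. the file was delivered as text rather than executed."""
    return "<%" in body and "%>" in body


# Constructed sample web root mirroring the thread's page and its include (placeholder values)
SAMPLE_FILES = {
    "CCPD_PatientMainMenu.asp":
        '<!-- #include file="MyInclude.inc" -->\n<% Dim ID %>\n',
    "MyInclude.inc":
        '<%\n  Dim ConnString\n  ConnString = "Provider=SQLOLEDB;Password=PLACEHOLDER"\n%>\n',
    "admin/report.asp":
        '<!-- #include virtual="/lib/db.asp" -->\n',
    "lib/db.asp":
        "<% ' already an .asp include, executed rather than served %>\n",
}


def build_sample_webroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="aspaudit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for page_url, inc_url in audit_webroot(root):
        print(f"{page_url}: {inc_url} is outside the ASP handler; "
              "rename it to .asp or map its extension in IIS")
```

On the sample root the audit flags only /MyInclude.inc; passing `mapped_extensions={".asp", ".inc"}` (the IIS mapping) clears the finding. looks_like_served_source is the confirmation step: a response for the include URL that still contains `<%` ... `%>` means the server handed out the source.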

