SQL attack via IIS?

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ ASP Server
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - Posting results in new window Currently I have results writing to the browser just fine (using frames). I would like to change it to where the results of a query are written to a new browser window. I have changed my asp code to be form method="post" target="_top". Any thoughts would be appreciated? *** Sent via Developersdex http://www.developersdex.com *** Don't just participate in USENET...get rewarded for it! Tag: SQL attack via IIS? Tag: 282629
  - 2
    - GetLastError Hi all, Win2k IIS5 I am trying to capture some information about 404 errors occurring on our website. I have defined a custom error page in IIS5 using the properties of the site. I am creating a 404 error by mistyping an address. The custom 404 page is called, but there is no data in Server.GetLastError. Code: Dim objError Set objError = Server.GetLastError() strNumber = objError.AspCode strSource = objError.Category strPage = objError.File strDesc = objError.Description What have I missed? TIA, Steve Tag: SQL attack via IIS? Tag: 282626
  - 3
    - send email Hi there, I've got an asp page that uses CDO.Message and CDO.Configuration to send an email. I'm not receiving any of these emails normally (i.e. in Outlook), instead they all end up in this folder : Inetpub/Mailroot/Queue. Could someone please explain what this means? Does this mean the emails have been successfully sent?...or are they waiting to be sent? I'm pretty sure my smtpserver name is correct because i've got the same thing going in .NET and it all works ok there (as in I get an email thru Outlook). Just can't seem to get it going in ASP. Not sure if it this relevant...I'm behind a firewall, so i'm assuming the smtpserver name is for a smart host, which is fine in .NET, but i'm not sure how that'll work out in ASP (eg. what do i set the serverport number to?) Confused! Tag: SQL attack via IIS? Tag: 282625
  - 4
    - Disabling SS Scripting on submit I was hired to make a Content Management System for a computer consulting group, and it is almost done. It allows registered users to submit code that is dynamically inserted into the Live website. It works, BUT! I only want CLIENT-SIDE code to be allowed for submission. Can you give me some ideas as to what I should DIS-allow on submit? First I will parse the submission using Javascript, and then I will re-parse with ASP before I allow stuff to be inserted. Here is my "lack List"so far... Disallow: 1. <% 2. %> 3. HTMLEncode 4. runat Do you have some other ideas? I am sure other Server-Side scripting technologies (like PHP and PERL) must use there own ways of doing stuff, and I bet even in ASP I am forgetting a couple things... Any help is appreciated. Thanks, Holden PS: The "HTMLEncode" is for stuff like this: Server.HTMLEncode( string ) PPS: The "runat" is to disallow stuff like this: <script language="vbscript" runat="server"> Tag: SQL attack via IIS? Tag: 282618
  - 5
    - ASP or ASP.Net Hi! I have been working on samples of ASP site components suchas guest book , forum ... i have downloaded these samples from free sites. I want to know what's the difference between traditional ASP and ASP.Net and whick is more powerful and better? I want to work on asp full time. Which must i turn into? Tag: SQL attack via IIS? Tag: 282616
  - 6
    - Response.WriteFile, explicitly close page ?????????????????????????????????????????????????????????????????????????= ?????????????????????????????????????????????????????????????????????????= ?????????????????????????????????????????????????????????????????????????= ?????????????????????????????????????????????????????????????????????????= ?????????????????????????????????????????????????????????????????????????= ??????????????????????????????????..?????????????????????????????????????= ?????????????????????????????????????????????????????????????????????????= ?????????????????????????? Tag: SQL attack via IIS? Tag: 282615
  - 7
    - Re : Unable to browse website while downloading a file using a component Curt_C [MVP] Wrote: > open the request in a new window That would work fine for me, but I'm writing this script for people who believe that we must assume total and utter user stupidity. Since this trick only seems to work manually using a right click->open in new window and never automatically (using a target attribute or a javascript event), this may be too much of a mind stretch for this priviledged class of users. - Stephane Tag: SQL attack via IIS? Tag: 282613
  - 8
    - Data encryption Hi guys I am sending the user my email getting from previous page through hidden variable, To encrypt is it better to make another Database call instead of hidden variable? thanks Girish Tag: SQL attack via IIS? Tag: 282609
  - 9
    - last question on SQL string (hopefully) thanks for your patience all nearly done on the DB SQL string.. now I need to do once last check...check on an empty field something like :- select from users where field not empty which in any normal world might look like SELECT * FROM users WHERE this_field <> "" but problems here with inverted commas etc.. I've tried a whole bunch of strings but none seem to work, cos I'm just so damn thick!!!! and the solution is...step forward people cleverer (great word) than me.... thanks again VERY VERY frustrating knowing exactly what you want to do but lacking the skills to do it Tag: SQL attack via IIS? Tag: 282599
  - 10
    - Unable to browse website while downloading a file using a component Hello all, I don't know how to get around this one... If anybody can help me with this problem, I would appreciate it very much. I've been trying to send a (large) file to the browser via a download page that uses a file download component. The file downloads fine, except that Internet Explorer refuses to browse to a different page while the file is downloading! I don't understand why it does that and I don't know how to fix this problem. Any idea? I know that MSIE can accept only two download streams at a time, but I can assure you that it's doing only one thing: downloading a file. Here's a working version of the download script: <% Server.ScriptTimeout = 7200 Response.Buffer = False Response.ContentType = "application/x-tar" Response.AddHeader "Content-Disposition", "attachment;FileName=test.tar" Set oDL = Server.CreateObject("SoftArtisans.FileUp") oDL.TransferFile "c:\test.tar" Set oDL = Nothing %> Here's more info: - I'm working under ASP 3.0. - I've tested this script both with aspSmartUpload and AspFileUp components and the problem remains the same. - This problem only seems to occur with Internet Explorer (many versions, different computers) -- mozilla works fine. - Since I need to authentify users **under ASP** before accepting the download, I cannot point directly to the download file instead of using the download component. (I would also prefer not having to copy this file to a temporary location where the users can download it and delete it afterwards.) I hope somebody here can help me with this problem. Thanks in advance! - Stephane Reply here or to askasp@mailinator.com Tag: SQL attack via IIS? Tag: 282596
  - 11
    - BEST EMAIL Object please... we have NT 4.0 server now, will be moving to WIN2K and ASP TO ASP.NET. Right now we have java.jmail. Please recomend the BEST EMAIL OBJECT which suits my requirement thanks Gary Tag: SQL attack via IIS? Tag: 282595
  - 12
    - Building A Web Based Email Client My ISP provides a web based email client, but it is not brandable and the features are not that extensive. I'd like to build my own. Has anyone done this, or is anyone aware of any tools out there to do this? BV. www.iheartmypond.com Tag: SQL attack via IIS? Tag: 282591
  - 13
    - still stuck on query strings I should just get a hat with a big D on it and then everyone would recognise me.. anyway... I have a DB full of people and their details.. I'm trying to perform a query based on age. so I have a form with two values..upperlimit and lowerlimit ( eg aged between 25 and 30, but worked out in years so that upper limit gives a birth year of 1974 and lowerlimit gives a birth year of 1979) my query string looks like strSQL = "SELECT * FROM users where ( (right(dob,4)) =>" & lowerlimit & " AND " & " (right(dob,4)) =<" & upperlimit & ")order by key" so..dob is the DB field for date of birth, I'm just taking the year from this hence the right(dob,4) and looking for entries where the year of dob is more than AND less than the search criteria the error message I get is Syntax error (missing operator) in query expression I must be missing something obvious... on a lighter note...I'm certainly getting there as I've managed to get most of the queries working..just not this one....lol thanks again Tag: SQL attack via IIS? Tag: 282587
  - 14
    - Sevices get stopped unexpectedly Hello friends, I am not sure if i am posting to the correct group but if anyone has an idea about this and the possible solution or the link to that solution then please let me know We have out website running on Windows 2000 - IIS 5.0. Everything was working fine but since last few days my IIS Services get stopped unexpectedly. When i check in even viewer i see the message saying a) "The World Wide Web Service got terminated unexpectedly. It has been done __ time(s)" b) "The ISIS Admin Service got terminated unexpectedly. It has been done __ time(s)" c) "The Simple Mail Transport Protocol got terminated unexpectedly. It has been done __ time(s)" After i restart those services again, everything starts working fine. But then again in a day or two its stops unexpectedly. I have read about this at number of place. At few places it says that the computer is infected with the code Red worm. I installed the patch for Code Red II from the microsoft website last week and after installing i restarted the computer. For 3-4 days i had no problem so i thought that the issue was resolved and that the worm must be causing the problems, but again today the services were stopped. Can anyone give me an idea about what wrong is going on and what should i do to resolve this issue. Thanks Tag: SQL attack via IIS? Tag: 282584
  - 15
    - sessions and SSL I'm trying to use a couple of Session variables within SSL. My form submits to the same page and this is at the top of the page. <% Session("ShipAhead") = Request.Form("ShipAhead") Session("Comments") = Request.Form("Comments") %> The form fields are populated but the Sessions are empty on my next page. Am I missing something? Is there a problem with Sessions and SSL? thanks! Tag: SQL attack via IIS? Tag: 282577
  - 16
    - Cannot insert Large text into Database Memo field I'm trying to insert this text into a memo field: Set cnn = CreateObject("ADODB.Connection") str = Server.MapPath("database/alumni.mdb") strDB = "Provider=MICROSOFT.JET.OLEDB.4.0;Data Source=" & str cnn.Open strDB Set rst = CreateObject("ADODB.Recordset") sql = "INSERT INTO tblMessage (MessageID, UserID, PostTypeID, Subject, DatePosted, MessageText, Active) Values ('" & vMessageID & "','" & vUser & "', " & vPostType & ",'" & vSubject & "','" & vDatePosted & "','" & vMessageText & "',0)" rst.Open sql, cnn, adOpenStatic, adLockOptimistic vMessageText = "This is a test just to see if it will blow up on a large comment. Just testing again. Don't mind me." Can I put this into my database field or is it too much and if not, how do I solve this issue. I need to be able to post messages and input for large fields. Tag: SQL attack via IIS? Tag: 282576
  - 17
    - ASP Email Form and SPAM Filters Hello all, I'm using CDO to send email from an ASP form on my website. This has been working great for the past year or so until last week. On January 2nd we noticed that the majority of the messages coming in were missing a lot of information. After testing it myself I found that it wasn't a user error. I did a response.write on my content string and found that it is populated correctly. I then tried another contact form on another website on our same server to find the same problem. Beginning on January 1 our ISP (also our web host) installed a SPAM filter for our incoming email. Does anyone think that this could be the problem? I'm going to reboot our web server at 10:30am CST and see if that solves anything but I just wanted to see if anyone else has experienced anything similar to this. Thank you for your comments, - J Tag: SQL attack via IIS? Tag: 282573
  - 18
    - How to grant ASPNET user access to task scheduler on Windows 2003? I am writing an ASP.NET application that can add and remove items to the task scheduler. This works fine on Windows XP, but generates an Exception on Windows 2003: System.UnauthorizedAccessException: Access is denied. "ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity" How can I grant the ASPNET local user account permission to add/delete/modify tasks on a Windows 2003 system? Tag: SQL attack via IIS? Tag: 282572
  - 19
    - Problems with Page Objects (it is invalid) I am moving an ASP application from NT to Win2003. I noticed that the "Page Object" DTC is shown in red. When I hover my cursor over the object I get the message "Errors were found in the References property page of this design-time control". Can someone recommend a way to troubleshoot this? Thanks. Tag: SQL attack via IIS? Tag: 282567
  - 20
    - best way of using INESRT statement ?? Hi, I have a form which submits fields to add a new record to my table. I have the following code: __________________________________ vUser = request.form("user") 'PK in table (not autonumber) vPass = request.form("pass") vEmail = request.form("email") uSQL = "INSERT into OrderStatusAccess (UserID, Password, Email, CustomerID) values ('" & vUser & "', '" & vPass & "', '" & vEmail & "', '" & session("customer") & "');" adoDataConn.Execute (uSQL) ______________________________________ The problem: This code just inserts a blank record at the top of my table, so that when I go to view all the records listed for that table, nothing shows, because the first record is blank. UserID is the PK for the table OrderStatusAccess. Any ideas ? David Tag: SQL attack via IIS? Tag: 282557
  - 21
    - form help Totally New at this so please bear with me. Is there any way to email my form and data as a html to make more readable? Thanks Time.asp </form> <FORM method="POST" action="/cgi-bin/sendmail.asp" style="text-align: left; line-height: 100%"> <p><input type="value" name="Job" size="21"> <input type="text" name="Thur" size="5"> <input type="text" name="Fri" size="5"> <input type="text" name="Sat" size="5"> <input type="text" name="Sun" size="5"> <input type="text" name="Mon" size="5"> <input type="text" name="Tue" size="5"> <input type="text" name="Wed" size="5"> </p> <p> </p> <p><input type="submit" value="Submit" name> <input type="reset" value="Reset" name="B2"></p> <p></p> </form> Sendmail.asp <% For Each x In Request.Form message=message & x & ": " & Request.Form(x) & CHR(10) Next set smtp = Server.CreateObject("Bamboo.SMTP") smtp.Server = "mail.xxxxx.net" smtp.Rcpt = "xxxxx@mindspring.com" smtp.From = "xxxxx@mindspring.com" smtp.FromName = Request.ServerVariables("HTTP_REFERER") smtp.Subject = "Your web form - " & Request.ServerVariables("HTTP_REFERER") smtp.Message = message on error resume next smtp.Send if err then response.Write err.Description else response.Write ("Thank you for your submission.... Your message has been delivered successfully.") end if set smtp = Nothing%> Tag: SQL attack via IIS? Tag: 282551
  - 22
    - form help Totally New at this so please bear with me. Is there any way to email the my form and data to make more readable? Thanks Time.asp </form> <FORM method="POST" action="/cgi-bin/sendmail.asp" style="text-align: left; line-height: 100%"> <p><input type="value" name="Job" size="21"> <input type="text" name="Thur" size="5"> <input type="text" name="Fri" size="5"> <input type="text" name="Sat" size="5"> <input type="text" name="Sun" size="5"> <input type="text" name="Mon" size="5"> <input type="text" name="Tue" size="5"> <input type="text" name="Wed" size="5"> </p> <p> </p> <p><input type="submit" value="Submit" name> <input type="reset" value="Reset" name="B2"></p> <p></p> </form> Sendmail.asp <% For Each x In Request.Form message=message & x & ": " & Request.Form(x) & CHR(10) Next set smtp = Server.CreateObject("Bamboo.SMTP") smtp.Server = "mail.xxxxx.net" smtp.Rcpt = "xxxxx@mindspring.com" smtp.From = "xxxxx@mindspring.com" smtp.FromName = Request.ServerVariables("HTTP_REFERER") smtp.Subject = "Your web form - " & Request.ServerVariables("HTTP_REFERER") smtp.Message = message on error resume next smtp.Send if err then response.Write err.Description else response.Write ("Thank you for your submission.... Your message has been delivered successfully.") end if set smtp = Nothing%> Tag: SQL attack via IIS? Tag: 282550
  - 23
    - Creating hyperlinks? I need to format each row being returned in a recordset as a hyperlink. One of the fields being returned is the subject of a message that my hyperlink will show. When the hyperlink is clicked then the ASP page loads further message details of that link. Does anyone know how to do this? Tag: SQL attack via IIS? Tag: 282549
  - 24
    - Stored Procedure "failing" I'm using a SQL Server 2000 stored procedure similar to the one below to upload data to a database. This data is collected from the user on a number of asp pages and stored in session variables (that's the way I inherited the system...). When the user has captured all the info and clicks the submit button the stored procedure is called and it uploads the data to the database. This normally works perfectly except for a few occassions when the stored procedure has "failed" while loading the data onto the last table (TestTable3) - the data in the session variables is not loaded onto the database and the respective fields on the respective tables are blank. The most recent time it happened the user was using IE6.0 on Windows XP. Why is the stored procedure failing to complete? The system uses code similar to the following to pass the information that the user has captured to the stored procedure:  <% sqlstring = "EXEC dbo.InsertData @Test1 = '" & session("Test1") & "', @Test2 = '" & session("Test2") & "', @Test3 = '" & session("Test3") & "', " &_ "@Data1 = '" & session("TestData1") & "', @Data2 = '" & session("TestData2") & "', @Data3 = '" & session("TestData3") & "', " &_ "@SomeData1 = '" & session("Test1") & "', @SomeData2 = '" & session("Test2") & "', @SomeData3 = '" & session("Test3") & "', "'" conn.execute(sqlstring) conn.close Set conn = nothing %> The stored procedure is similar to: CREATE PROCEDURE dbo.InsertData @Test1 NVARCHAR(10), @Test2 NVARCHAR(10), @Test3 NVARCHAR(10), @Data1 NVARCHAR(50), @Data2 NVARCHAR(50), @Data3 NVARCHAR(50), @SomeData1 NVARCHAR(10), @SomeData2 NVARCHAR(10), @SomeData3 NVARCHAR(10), AS BEGIN SET NOCOUNT ON DECLARE @ID INT INSERT TestTable1 (Field1,Field2,Field3) VALUES (@Test1,@Test12,@Test3) SELECT @ID = SCOPE_IDENTITY() SELECT ID = @ID INSERT TestTable2 (ID,FieldAA,FieldBB,FieldCC) VALUES (@ID,@Data1,@Data2,@Data3) INSERT TestTable3 (ID,FieldX1,FieldX2,FieldX3) VALUES (@ID,@SomeData1,@SomeData2,@SomeData3) END GO Tag: SQL attack via IIS? Tag: 282548
  - 25
    - Session.Timeout being ignored I'm using the following code in my global.asa file to set the session.timeout value amongst other things - Sub Session_OnStart Session.Timeout = 40 Session("Authenticated") = 1 End Sub Yet when I print out the value of session.timeout on a page after this event has fired it returns 20 (I get the right value for Session("Authenticated") so my code appears to be working). I checked the default timeout value in IIS (v5) on the server, but this reads 900 seconds, which in my books is 15 minutes. I am therefore very confused as to where this value of 20 is coming from. Could anyone point me in the right direction as I need to set this to 40 minutes and my WROX manual doesn't provide much information on this property. TIA, Colin Tag: SQL attack via IIS? Tag: 282543
- Next
  - 1
    - Add more than 1 record at once ? Hi, Quick question. I have a form on an asp page which is used to add additional users to the DB, i.e. adding a UserID (PK on table), Password & Email. The companies are allowed a max of 3 users. If the company only has the default 1 user and wishes to add another 1 or 2, then the form displays the current user details, not in text boxes as this is not an adit data form. The additional user/s can be entered into 1/2 rows of text boxes, user 2 & 3. If they decide to add 2 new users, how do I add the additional 2 records to my db table on submit ? I am using a MySQL DB. This is the code I have from an update form which can edit the default user. How can I change this code to add the 2 new records ? ___________________________________________ <% vUser = request.form("user") vPass = request.form("pass") vEmail = request.form("email") uSQL = "UPDATE OrderStatusAccess SET " uSQL = uSQL & "UserID= '" & vUser & "'" uSQL = uSQL & ", Password = '" & vPass & "' " uSQL = uSQL & ", Email ='" & vEmail & "'" uSQL = uSQL & " WHERE CustomerID='" & session("customer") & "';" Set RS = adoDataConn.Execute(uSQL) %> __________________________________________________________ Thanks for your help David Tag: SQL attack via IIS? Tag: 282540
  - 2
    - display utf-8 how to display UTF-8 mail content by using CDONTS component?? I have try to add the following code Tag: SQL attack via IIS? Tag: 282533
  - 3
    - Forward Posted Form Data suppose I have the following: -----------BEGIN page1.asp---------- <form method="post" action="page2.asp"> <select name="someData" size="1" class="smallbutton"> <option value="1">Whatever</option> </select> 'and a submit button </form> ----------END page1.asp-------------- -----------BEGIN page2.asp---------- aVariable = Request.Form("someData") <form method="post" action="page3.asp"> <select name="someOtheJjunk" size="1" class="smallbutton"> <option value="1">Whatever</option> </select> 'and a submit button </form> ----------END page2.asp-------------- Is there any kind of way to forward "someData", whch was posted into page 2, to page 3 without making it more form data in page2. I pretty much want to just be able to do something simple in page 3 like this: -----------BEGIN page3.asp---------- anotherVariable = Request.Form("someData") ----------END page3.asp-------------- Thanks in advance. Tag: SQL attack via IIS? Tag: 282532
  - 4
    - checkbox i have a update page the pulles date form a database. and two the these fields have Y or N in them and if the RS("Value") = Y the i want the checkbox to be checked how do i do this?? Tag: SQL attack via IIS? Tag: 282523
  - 5
    - How to process HTML pages on server side with HTML DOM? Hi. I'd like to process HTML documents in an ASP script, i.e. to remove any unwanted elements and extract desired element and attributes. I know how to do it on client side within IE using its HTML DOM. But what I'd like is to do it server-side. Is there a way, for instance, to reuse MSIE technology to retrieve interfaces like IHTMLElement, IHTMLDOMAttribute, aso, or just built-in features that would allow me to do the same? Thanks or any hint/suggestion. Vince C. Tag: SQL attack via IIS? Tag: 282515
  - 6
    - Here is a function for finding age Here is a function where you don't have to worry about the leap year. You will have to still be aware of time differences between you and the server, and correct your data before entering it into the function. And of course time zones, yada yada .... BUT I think that most people using this will just want to say if today is there bday than they are their new age. It first takes the currentYear - birthYear - 1 Then it decides whether it needs to add a year(i.e if they had their bday). First by just making a number out of the month and day ... it makes the day 2 digits by adding a '0' in front of a single digit day. Then puts month and day into one number .. like this feb 2 = 202 july 10 = 710 oct 8 = 1008 dec 20 = 1220 and yes feb 29 = 229 Then if today is 301 it doesn't care ... 228 and 229 are both less than 301. I also added a part to compare ONLY the times ... if the day comparison = 0 ... i.e. today is there bday now, if you don't send a time with your date ... no problem ... it will count today as being their new age Tell me what you think ... I can clean up the code a bit if anyone wants me to <% Function yearsOld(birthDate) Dim currentDate, monthDayComparison, addYear: currentDate = Now() Dim birthDay, currentDay: birthDay = Day(birthDate): currentDay = Day(currentDate) '// Lets take the Date() BS out of the picture!!! '//Compare Days by making a number out of month & day ... feb 29 = 229 while oct 8 = 1008 If Len(birthDay) = 1 Then: birthDay = "0" & birthDay: End If If Len(currentDay) = 1 Then: currentDay = "0" & currentDay: End If monthDayComparison = Int(Int(Month(currentDate) & currentDay)) - Int(Month(birthdate) & birthDay) If monthDayComparison > 0 Then '//had birthday this year addYear = 1 ElseIf monthDayComparison < 0 Then '//haven't had birthday this year addYear = 0 ElseIf monthDayComparison = 0 Then '// birthday today addYear = 1 Dim timeDifference: timeDifference = DateDiff("s", Hour(currentDate) & ":" & Minute(currentDate) & ":" & Second(currentDate), Hour(birthDate) & ":" & Minute(birthDate) & ":" & Second(birthDate)) If timeDifference > 0 Then: addYear = 0: End If End If yearsOld = Year(currentDate) - Year(birthDate) - 1 + addYear End Function %> Tag: SQL attack via IIS? Tag: 282510
  - 7
    - Can't find syntax error in Access query - lost! select event_date, event_name, event_text, event_is_public, event_is_reserved, event_img_path, event_img_alt, event_member_id, event_is_email_notify from event where show_entry = '1' and ((Year(event_date) = #2004# and event_is_reserved = '0') or event_is_reserved = '1' ) produces this error: Microsoft JET Database Engine error '80040e07' Syntax error in date in query expression 'show_entry = '1' and ((Year(event_date) = #2004# and event_is_reserved = '0') or event_is_reserved = '1' )'. /soa/val/event/calendar.asp, line 258 I'm totally lost here and I don't have the original .sql statement to have produced the "event" table schema, so that won't help either. Here is line 258+: sql = "select event_date, event_name, event_text, event_is_public, " &_ " event_is_reserved, event_img_path, event_img_alt, event_member_id, " &_ " event_is_email_notify " &_ "from event " &_ "where show_entry = '1' " &_ " and ((Year(event_date) = #" & DatePart("YYYY", Date) & "# and event_is_reserved = '0') or " &_ " event_is_reserved = '1' " &_ " )" Response.Write(sql) set rs = conn.execute(sql) Guys, I don't know what to do and I'm in a huge deadline to have this fixed by Monday AM and I'm completely stuck. Furthermore, I have no way of accessing the original Access .mb file since it's on www.brinkster.com and they forbid you from directly accessing any .mb file w/o their web-based tool (which cannot tell you what the schema is). My goal is to filter out a list of events from the event table where either the event_is_reserved field is '1' or if both the event_is_reserved field is '0' and the event_date is of the current year (event_date's format is '/mm/dd/yyyy'). Original site breakage at: http://www3.brinkster.com/soa/val/event/calendar.asp Help! Thanx Phil Tag: SQL attack via IIS? Tag: 282505
  - 8
    - FSO Deleting Files Problem Hi i'm using the following code to delete a file but when i execute the script it just freezes until timeout. any idea of the problem?? '///DELETE ORGINAL FILE Dim objFSO Set objFSO = Server.CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile "C:\Documents and Settings\Gav\My Documents\Date\Website\www\user_images\" & filename Set objFSO = Nothing Tag: SQL attack via IIS? Tag: 282489
  - 9
    - file upload problem Dear Sir, I am trying to use do a upload function on my site. I got a upload class from Internet. However, sometimes, it works, sometimes, it give me the following error. Microsoft VBScript runtime error '800a0005' Invalid procedure call or argument /viplogin/include/UploadClass.asp, line 136 Line 136 is following For nIndex = 1 to LenB(FileData) oFile.Write Chr(AscB(MidB(FileData,nIndex,1))) --- Line 136 Next Can someone help me out?? <my upload class> <% '*************************************** ' File: Upload.asp ' Author: Jacob "Beezle" Gilley ' Email: avis7@airmail.net ' Date: 12/07/2000 ' Comments: The code for the Upload, CByteString, ' CWideString subroutines was originally ' written by Philippe Collignon...or so ' he claims. Also, I am not responsible ' for any ill effects this script may ' cause and provide this script "AS IS". ' Enjoy! '**************************************** Class FileUploader Public Files Private mcolFormElem Private Sub Class_Initialize() Set Files = Server.CreateObject("Scripting.Dictionary") Set mcolFormElem = Server.CreateObject("Scripting.Dictionary") End Sub Private Sub Class_Terminate() If IsObject(Files) Then Files.RemoveAll() Set Files = Nothing End If If IsObject(mcolFormElem) Then mcolFormElem.RemoveAll() Set mcolFormElem = Nothing End If End Sub Public Property Get Form(sIndex) Form = "" If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex)) End Property Public Default Sub Upload() Dim biData, sInputName Dim nPosBegin, nPosEnd, nPos, vDataBounds, nDataBoundPos Dim nPosFile, nPosBound biData = Request.BinaryRead(Request.TotalBytes) nPosBegin = 1 nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(13))) If (nPosEnd-nPosBegin) <= 0 Then Exit Sub vDataBounds = MidB(biData, nPosBegin, nPosEnd-nPosBegin) nDataBoundPos = InstrB(1, biData, vDataBounds) Do Until nDataBoundPos = InstrB(biData, vDataBounds & CByteString("--")) nPos = InstrB(nDataBoundPos, biData, CByteString("Content-Disposition")) nPos = InstrB(nPos, biData, CByteString("name=")) nPosBegin = nPos + 6 nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(34))) sInputName = CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) nPosFile = InstrB(nDataBoundPos, biData, CByteString("filename=")) nPosBound = InstrB(nPosEnd, biData, vDataBounds) If nPosFile <> 0 And nPosFile < nPosBound Then Dim oUploadFile, sFileName Set oUploadFile = New UploadedFile nPosBegin = nPosFile + 10 nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(34))) sFileName = CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) oUploadFile.FileName = Right(sFileName, Len(sFileName)-InStrRev(sFileName, "\")) nPos = InstrB(nPosEnd, biData, CByteString("Content-Type:")) nPosBegin = nPos + 14 nPosEnd = InstrB(nPosBegin, biData, CByteString(Chr(13))) oUploadFile.ContentType = CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) nPosBegin = nPosEnd+4 nPosEnd = InstrB(nPosBegin, biData, vDataBounds) - 2 oUploadFile.FileData = MidB(biData, nPosBegin, nPosEnd-nPosBegin) If oUploadFile.FileSize > 0 Then Files.Add LCase(sInputName), oUploadFile Else nPos = InstrB(nPos, biData, CByteString(Chr(13))) nPosBegin = nPos + 4 nPosEnd = InstrB(nPosBegin, biData, vDataBounds) - 2 If Not mcolFormElem.Exists(LCase(sInputName)) Then mcolFormElem.Add LCase(sInputName), CWideString(MidB(biData, nPosBegin, nPosEnd-nPosBegin)) End If nDataBoundPos = InstrB(nDataBoundPos + LenB(vDataBounds), biData, vDataBounds) Loop End Sub 'String to byte string conversion Private Function CByteString(sString) Dim nIndex For nIndex = 1 to Len(sString) CByteString = CByteString & ChrB(AscB(Mid(sString,nIndex,1))) Next End Function 'Byte string to string conversion Private Function CWideString(bsString) Dim nIndex CWideString ="" For nIndex = 1 to LenB(bsString) CWideString = CWideString & Chr(AscB(MidB(bsString,nIndex,1))) Next End Function End Class Class UploadedFile Public ContentType Public FileName Public FileData Public Property Get FileSize() FileSize = LenB(FileData) End Property Public Sub SaveToDisk(sPath) Dim oFS, oFile Dim nIndex If sPath = "" Or FileName = "" Then Exit Sub If Mid(sPath, Len(sPath)) <> "\" Then sPath = sPath & "\" Set oFS = Server.CreateObject("Scripting.FileSystemObject") If Not oFS.FolderExists(sPath) Then Exit Sub Set oFile = oFS.CreateTextFile(sPath & FileName, True) For nIndex = 1 to LenB(FileData) oFile.Write Chr(AscB(MidB(FileData,nIndex,1))) Next oFile.Close End Sub Public Sub SaveToDatabase(ByRef oField) If LenB(FileData) = 0 Then Exit Sub If IsObject(oField) Then oField.AppendChunk FileData End If End Sub End Class -- Met vriendelijke groet, Guoqi Zheng Tel: +31 (0) 23 5343545 http://www.meetholland.com Tag: SQL attack via IIS? Tag: 282473
  - 10
    - Finding Age from Date of Birth I have a database with date of births stored dd/mm/yyyy (english dating system) and =date() returns a date in the same format in my server. how do i find the persons age using these two pieces of date. thanks gavin Tag: SQL attack via IIS? Tag: 282465
  - 11
    - passing a parameter to SQL MIN() function From ASP I run a query using MIN(some_field/parameter) Now I need to pass this parameter to the query from ASP code How do I do that? Syntax like MIN([some_field] / []) does not work Tag: SQL attack via IIS? Tag: 282464
  - 12
    - correct syntax for multiple sql query hello again people... Access2000, IIS6, win XP pro I have a form where users can enter search criteria for various products. now, if this form has 2 fields, colour and size (it wil have more but I'm assuming the the principle for two fields will be the same for ten fields) what would be the correct syntax for performing a query where the user didn't enter a criteria for both fields? the search string would be strSQL = "SELECT * FROM products where colour = " & "'" & request.form("searchstrcolour") & "'" & "AND size =" & "'" request.form("searchstrsize") & "'" & " ORDER by price" so if the user selects blue and large, thats fine but what if the user only selected say blue and didn't bother with the size? is there a wild card that I could use? many thanks Tag: SQL attack via IIS? Tag: 282463
  - 13
    - ms access on multi-user environment good day... im working right now on a project given to me on a short time. i had a slight problem though, but it seems that most of it comes on my database. since theres not enought budget on having a good database like sql server, i just stayed on the access. my problem is, i can run my applications on multi-user enviroment using sql server but not on the access. running my applications simultaneously on a multi-user enviroment using msaccess causes my applications to crash down. is there any way i could turn on the access into a superman??? is there any site in the web that i could see regarding this problem? please help me. thanks anyway. Tag: SQL attack via IIS? Tag: 282462
  - 14
    - How to translate value in URL Hi All, I have a nagging problem. I try to put a value of the autonumber field of a record into a string so it can be read in a new page. In the first form I use in HTML the following: JavaScript:window.open('Weapon_related.asp?<%=myAutoNum%>...... etc When I open the page I get an error and in the properties I read this: http://localhost/Weapon2000/Weapon_related.asp?<%=myAutoNum%> Where it should say: http://localhost/Weapon2000/Weapon_related.asp?26 In ASP code I have written: MyAutoNum = Recordset.Fields("txtWID") ---> where txtWID is the autonum field. for example 26. How do I get the code to return the actual number (26) instead of <%=myAutoNum%> This would help a great deal Marco The Netherlands Tag: SQL attack via IIS? Tag: 282460
  - 15
    - ASP Page problem Hello all. I installed IIS last week and the server works ok. But when try to open the localstart.asp or iisstart.asp=20 page the server returns a 'Server Application Error' page. In the 'Visor de Sucesos'<Event Viewer> the message is=20 this: <<< >>>> Tipo de suceso: Advertencia Origen del suceso: W3SVC Categor=EDa del suceso: Ninguno Id. suceso: 36 Fecha: 04/01/2004 Hora: 12:51:19 a.m. Usuario: No disponible Equipo: N0J3L7 Descripci=F3n: El servidor no pudo cargar la=20 aplicaci=F3n '/LM/W3SVC/1/Root'. Error 'Clase no registrada '.=20 Para recibir informaci=F3n adicional referente a este=20 mensaje, visite el sitio Web de soporte t=E9cnico de=20 Microsoft que se encuentra en:=20 http://www.microsoft.com/contentredirect.asp. Para obtener m=E1s informaci=F3n, vea el Centro de ayuda y=20 soporte t=E9cnico en=20 http://go.microsoft.com/fwlink/events.asp. <<< >>>> Can help me?? Thanx a lot, Juan Pedro Tag: SQL attack via IIS? Tag: 282458
  - 16
    - Avoiding Page numbers & Page URL When we print an HTML page from the browser,the Page Number (at Top right) and page URL (At bottom) is printed. How can we avoide these information so that our page print out look similar to a simple printed page same as word document? JESS Tag: SQL attack via IIS? Tag: 282456
  - 17
    - Calculating field in ASP I have an Access database used to track donor pledges. In it, there is a table that contains three fields for each donor: Gift_Amount, Gift_Per_Year, and Matching_Gift_Ratio. The following formula would calculate the total pledge amount for each donor: (Gift_Amount * Gift_Per_Year) * (Matching_Gift_Ratio + 1). A total Pledge for all donors would just sum up the calculated values. My goal is to create an ASP that would show this total amount pledged. Here is the ASP that I have created so far: *********************************************** <html> <head> <title>Pledge Totals</title> </head> <body bgcolor="white" text="black"> <% 'Dimension variables Dim adoCon 'Holds the Database Connection Object Dim rsGiving 'Holds the recordset for the records in the database Dim strSQL 'Holds the SQL query for the database Dim totalamt 'Holds the Total Pledge amount, a calculated field Dim dollars 'Holds the formated currency amount 'Create an ADO connection odject Set adoCon = Server.CreateObject("ADODB.Connection") 'Set an active connection to the Connection object using a DSN-less connection adoCon.Open "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" & Server.MapPath("Careathon_SP2004.mdb") 'Set an active connection to the Connection object using DSN connection 'adoCon.Open "Careathon_SP2004" 'Create an ADO recordset object Set rsGiving = Server.CreateObject("ADODB.Recordset") 'Initialise the strSQL variable with an SQL statement to query the database strSQL = "SELECT Giving.Gift_Amount, Giving.Gifts_Per_Year, Giving.Matching_Gift_Ratio FROM Giving WHERE Gift_Amount>0 AND Gifts_Per_Year>0" 'Open the recordset with the SQL query rsGiving.Open strSQL, adoCon 'Loop through the recordset Do While not rsGiving.EOF 'Calculate total donor pledge and add to cumulative total - THIS IS WHERE THE CODE STOPS AND THE ERROR OCCURS totalamt = totalamt + ((rsGiving("Gift_Amount") * rsGiving("Gifts_Per_Year")) * (rsGiving("Matching_Gift_Ratio") + 1)) 'Move to the next record in the recordset rsGiving.MoveNext Loop 'Formats the total amount to currency 'set dollars = FormatCurrency(totalamt, 2, -1, 0, 1) 'Write the HTML to display the total pledge amount Response.Write ("<br> $ ") 'Response.Write (dollars) Response.Write (totalamt) Response.Write ("<br>") 'Reset server objects rsGiving.Close Set rsGiving = Nothing Set adoCon = Nothing Set totalamt = Nothing Set dollars = Nothing %> </body> </html> ********************************************** However, when I run this page, I get the following error: Error Type: Microsoft VBScript runtime (0x800A000D) Type mismatch It occurs on the line with the calculations. What do I need to change in order for this page to work correctly? Tag: SQL attack via IIS? Tag: 282446
  - 18
    - Mail via ASP Ik ben nog niet zo op de hoogte op het gebied van ASP, maar laatst heb ik geprobeerd een script te schrijven om een e-mail vanaf een asp-pagina te verzenden. Dit is me echten niet gelukt. Het enige dat er op m'n pagina verscheen was: CDO.Message.1 error '80040220' The "SendUsing" configuration value is invalid. /test.asp, line 13 en er werd dus geen e-mail gestuurd... Ik snap niet wat ik verkeerd heb gedaan, misschien kan iemand mij helpen... De codes die ik gebruikt heb zijn: <% Dim MyMail Set MyMail = Server.CreateObject("CDO.Message") MyMail.From = "info@theSyreens.nl" MyMail.To = "bram.s@planet.nl" MyMail.Cc = "" MyMail.Bcc = "" MyMail.Subject = "Testmail" MyMail.TextBody = "<H1><i>the Syreens</i></h1>Bla Bla Bla" MyMail.AddAttachment "" MyMail.Fields("urn:schemas:httpmail:importance").Value = 1 MyMail.Fields.Update() MyMail.Send() Set MyMail = Nothing %> Tag: SQL attack via IIS? Tag: 282444
  - 19
    - Jmail Professional Hi guys, I'm developing a web site with email capabilities: I have tried the free version of Jmail, now I need Jmail Professional but still don't want to buy it before having the chance to try it. Can someone email it to me please?? I do want to buy it and I will, but after trying it, that's all. Thanks a lot, Paolo Tag: SQL attack via IIS? Tag: 282437
  - 20
    - detecting page name Quick simple question... how do u detect what the current pagename is (i.e. page.asp). also if the command is stored in the include will it return the include file name or the page that the command is included in name? cheers gavin Tag: SQL attack via IIS? Tag: 282432
  - 21
    - how to read value from a textbox in a new form Hi All, I tried to read the value of a textbox in another form. I have a page which contains one record. The textbox "txtWID" contains the autonumber of the record. I want to read this value in a new page so I can set a WHERE for my query: Dim eben session("txtWID")=request("txtWID") eben = request("txtWID") SQL = "SELECT Weapon.WID AS Weapon_WID, Weapon1.name AS Weapon1_name " & _ "FROM (WeaponsPerWeapons INNER JOIN Weapon ON WeaponsPerWeapons.WID = Weapon.WID) INNER JOIN Weapon Weapon1 ON WeaponsPerWeapons.Weapon = Weapon1.WID" CountSQL = "SELECT COUNT(*) " & _ "FROM (WeaponsPerWeapons INNER JOIN Weapon ON WeaponsPerWeapons.WID = Weapon.WID) INNER JOIN Weapon Weapon1 ON WeaponsPerWeapons.Weapon = Weapon1.WID" Where = "Weapon.WID = " & eben Order = "Weapon1.name" session("txtWID") = "" This is however not working because I use an imagelink to go to the new page. There is no way to put the value of the txtWID into the URL of the link image. I tried something like href="weapon_related.asp?<%=.....%>" but that doesn't work. If I write "href=weapon_related.asp?26" then I can translate this for the WHERE clausule but I want to get the value of the autonumber field since it's never the same. This would then work eben = Replace(Request.QueryString,"%20"," ") Where = "Weapon1.WID = " & eben What is my mistake Regards MArco Tag: SQL attack via IIS? Tag: 282430
  - 22
    - Dynamic pages and search engines Not a coding question as such but highly related to asp/dynamic pages issues : has anyone any suggestions on the following ASP sites are generally (always) of a dynamic nature, pages can be built on the contents of querystrings, so search engines can only be directed to your first index.asp page since the search engine is unable to deduce what querystring parameters should/could be used. I have a company listing site and would like each companys listing info to be found by the search engines, so that each can be picked up on their own features. I have seen schemes which attempt to make the site more static by using the error 404 page and dummy urls, which can then be parsed by the 404 page to rebuild the correct dymanic url to redirect user into the correct page. But this can only work (as far as I can see) if your site also contains a lot of seed pages which make reference to those urls for the search engines to crawl down , in which case I might just as well have 'seed' pages containg the normal dynamic url's ( google seems to handle those ok now) and not bother with the 404 lark. However on a company listing site, you have or hope to have a large number of entries, currently I have some 200k listed, now if I genereate 'seed' pages at 100 companies / page thats going to be a heck of a lot of 'seed' pages - no problem to generate them for me, but are they likley to be regarded as an attempt to spam the engine and so be disregarded and so in the end be a waste of time I would be interested in others ideas and thoughts on the subject Tag: SQL attack via IIS? Tag: 282429
  - 23
    - What button do I need to open a new form Hi All, I need a button on my form that opens a new window. I put in a submit button but it always returns to my first page. And then my first page is empty. What button do I need to go to another page (weapon_related)? This is what I use at the moment: 'NewRecord1 Operation Method @3-0C905987 Sub Operation() If NOT ( Visible AND FormSubmitted ) Then Exit Sub If FormSubmitted Then PressedButton = "Button1" If Not IsEmpty(CCGetParam("Button1", Empty)) Then PressedButton = "Button1" End If End If session("txtWID")=request("txtWID") Redirect = "Weapon_related.asp?" & CCGetQueryString("QueryString", Array("ccsForm", "Button1")) If Validate() Then If PressedButton = "Button1" Then If NOT Button1.OnClick() Then Redirect = "Weapon_related.asp?" & CCGetQueryString("QueryString", Array("ccsForm", "Button1")) End If End If Else session("txtWID")=request("txtWID") Redirect = "Weapon_related.asp?" & CCGetQueryString("QueryString", Array("ccsForm", "Button1")) End If End Sub 'End NewRecord1 Operation Method Tnx in advance Marco Tag: SQL attack via IIS? Tag: 282425
  - 24
    - Printing in ASP What are the best approaches to create printer friendly pages in ASP web sites.? Please provide us help or links to useful artciles on this topic. Also can we avoid creating separate printer friendly pages and send the current page output to printer as the PRINT button is clicked? I have seen this functionality when we print our MCP transcript in MS certificastion site? JESS Tag: SQL attack via IIS? Tag: 282424
  - 25
    - Spell Checking in ASP Hi, We need to spell check Text Areas in our ASP pages. We don't want to use MS Word. We are looking for an cost-effective, easy to configure and use, well-known COM-based Spell Checker component. Please advice us information about this kind of products/components and the links also... Thanks JESS Tag: SQL attack via IIS? Tag: 282423

I am seeing log entries that have SQL statements embedded in the actual
forms.

Re: SQL attack via IIS? by Manohar

Manohar
Mon Jan 05 21:44:27 CST 2004

It is a old hack... E.g.

Let us say you have a "dynamic SQL" which goes something like

formID = Request.Form("ID")
sSQL = "SELECT * from myTable WHERE Id=" & formID

conn.Execute(sSQL)

Just imagine someone enters this: "5; DELETE FROM myTable"

the final SQL will be

SELECT * from myTable WHERE Id=5; DELETE FROM myTable

which is a valid SQL statement. The user should still need to know the table
names, but it is possible that the hacker might be able to delete system
tables.

To get around this, use stored procedures when possible, with parameters. At
the least, validate the input. Hope that helps.

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com

"Kevin Hill" <nospam@nospam.com> wrote in message
news:IFmKb.28029$i55.13481@fed1read06...
> I am seeing log entries that have SQL statements embedded in the actual
> forms.
>
>

Top

Re: SQL attack via IIS? by Mike

Mike
Tue Jan 06 07:28:17 CST 2004

>-----Original Message-----
>It is a old hack... E.g.
>
>Let us say you have a "dynamic SQL" which goes something
like
>
>formID = Request.Form("ID")
>sSQL = "SELECT * from myTable WHERE Id=" & formID
>
>conn.Execute(sSQL)
>
>Just imagine someone enters this: "5; DELETE FROM myTable"
>
>the final SQL will be
>
>SELECT * from myTable WHERE Id=5; DELETE FROM myTable
>
>which is a valid SQL statement. The user should still
need to know the table
>names, but it is possible that the hacker might be able
to delete system
>tables.
>
>To get around this, use stored procedures when possible,
with parameters. At
>the least, validate the input. Hope that helps.
>
>--
>Manohar Kamath
>Editor, .netBooks
>www.dotnetbooks.com
>
>
>"Kevin Hill" <nospam@nospam.com> wrote in message
>news:IFmKb.28029$i55.13481@fed1read06...
>> I am seeing log entries that have SQL statements
embedded in the actual
>> forms.
>>
>>
>
>
>.
>

Check this link out
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23

Mike

Top