Classic ASP: Session values fail to pass over to popup window - session

I'm trying to pass values through session from one page to a popup window. But it fail to pass the value. I checked the ISS where Enable Session State is true. I will post the code which I'm working please let me know something I'm missing in it or any other variable settings problem like php.ini
<script language="javascript" type="text/javascript">
function veh(url) {
popupWindow = window.open(url, 'popUpWindow', 'height=300,width=300,left=50,top=10,resizable=yes,scrollbars=yes,toolbar=yes,menubar=no,location=no,directories=no, status=yes');
}
</script>
<%
' Define to hold temporary super session
Dim strManu // Manufacture type
strManu = Session("Manu")
Dim objRS
Dim strSQL
Dim strVeh
Set objRS=Server.CreateObject ("ADODB.Recordset")
strSQL="SELECT vl.* FROM veh_tbl vl where vl.manuID= " & strManu
objRS.Open strSQL,objconn
if not objRS.eof then
strVeh=objRS("veh")
Session("Veh")=strVeh
end if
objRS.Close
Set objRS=Nothing
<a href='http://www.example.com/popup.asp' target='_self'
onclick='veh(this.href);return false'><img border='0'src='images/info.jpg'></a>
Popup window
<%
Dim strVal
strVal = Session("Veh")
%>
<FORM name=MyForm>
<% Response.Write "<label class = 'col-sm-4 col-form-label'>" & strVal & "</label>" %>
</FORM>
%>
I'm getting the value from the DB and I'm able to print the string(strVeh) in the same page. I'm not able to pass the same in pop window. It fails to show any error. Anyone please help me to address the issue.

Things I would check:
First, in href='http://www.example.com/popup.asp' does the domain and subdomain match the source page exactly? For example adding or removing the "www" may make a difference.
Are you positive if not objRS.eof then is resolving true? For example try just putting session("test") = "test" somewhere on the page outside of a conditional statement and see if that variable is available in the popup.

Had this issue recently, if I typed in 'https://www.myweb.com/checksession.asp' it would not load/could not see the session variables.
Type in 'https://myweb.com/checksession.asp' (i.e. remove the www.) and it works fine.
So something to bear in mind if referencing from another page/ajax/loading scripts etc.

Related

ASP.Classic Getting value from input to POST parameter

Please excuse me if this question is dumb.
I need to get an input value and pass it in a POST parameter like follow:
SQL = "[proc_Happy]" & Request.Cookies("UserID")& "," & Request.Form("MYINPUTFIELD")
I have tried hardcoding MYINPUTFIELD with (it worked!):
SQL = "[proc_Happy]" & Request.Cookies("UserID")& "," & 54555152
My input in the asp page looks as follow:
<input type="number" name="MYINPUTFIELD " id="MYINPUTFIELD" value="<%=MYINPUTFIELD%>">
Things I have tried:
Getting the value with JS - failed.
Notes:
MYINPUTFIELD is an int
Is your input field in a form, i.e. is it between <form...> and </form> tags? If no, that's your problem right there. If yes, what does the <form...> tag have in it? Does it say method='get'? If yes, then your inputs are being put in the querystring, not the form object. For Request.Form(...) to work, your form needs to say method='post'.
If you need this code to work with both form methods, you can do something like
dim MyInputField
MyInputField = Request.Querystring("MyInputField")
If MyInputField = "" Then MyInputField = Request.Form("MyInputField")
'make the "OMGSQLINJECTION!!1!" people just go away already
'(note to such people: he's using a frigging stored procedure.)
If Not Isnumeric(MyInputField) Then
MyInputField = 0
End If
SQL = "[proc_Happy]" & Request.Cookies("UserID")& "," & MyInputField

If Not IsNull in ASP Classic

I'm fairly new to asp and I've got a syntax error I would like help on if you can.
I've got an ASP page that shows a table that pulls data from sql. Most of the data hasn't been populated yet so returns a NULL. The data type in question is numeric. I need to FormatNumber the rs when it is not null and not populate if it is.
This is what I have
<%=If Not IsNull(rs("ContractValue")) Then FormatNumber(rs("ContractValue"),0) end if%>
But as mentioned, im getting a syntax error.
What am i doing wrong?
I would recommend not using IsNull() in this scenario, but to answer the question about the syntax error first.
The reason is the <%= %> syntax which is shorthand for
<% Response.Write %>
in Classic ASP.
So what you are actually doing if written without the shorthand approach is;
<% Response.Write If Not IsNull(rs("ContractValue")) Then FormatNumber(rs("ContractValue"),0) End If %>
which is incorrect syntax and will trigger a Syntax Error.
To fix the code remove the = from the <% %> tags, like so;
<% If Not IsNull(rs("ContractValue")) Then Response.Write FormatNumber(rs("ContractValue"),0) End If %>
What about using IsNull?
While this can work it can often give weird results because a DBNull (depending on the database being used) can be different and is often different to the VBScript vbNull variant.
Because of this and the fact VBScript isn't strongly typed I find it useful to use a simple quick cast to string to avoid Nulls then check for valid data.
Example numeric check
Dim contractValue
contractValue = rs("ContractValue") & ""
If Len(contractValue) > 0 And IsNumeric(contractValue) Then contractValue = Clng(contractValue) Else contractValue = 0
You can take this further by writing a reusable piece of code that IIf() function explained in this post.
How to do a single line If statement in VBScript for Classic-ASP? (Mentioned by #TasosK in the comments)
Something like this;
Dim contractValue
contractValue = rs("ContractValue") & ""
contractValue = IIf(Len(contractValue) > 0 And IsNumeric(contractValue), contractValue, 0)
#Paul made a good point about evaluation of parameters, in the original code would potentially break
contractValue = IIf(Len(contractValue) > 0 And IsNumeric(contractValue), Clng(contractValue), 0)
because Clng(contractValue) would be evaluated regardless of whether the outcome was True or False. So any formatting would need to be afterwards or a more complex version of the IIf() function be built.
If Not IsNull(rs("ContractValue")) Then
<%=FormatNumber(rs("ContractValue"),0)%>
end if
Do not be in a hurry with Classic ASP.
I'm sure you want to insert content in between some HTML code which made you bunch up all that code. If that is the case, I suggest you separate VBscript code from HTML like below for example;
<%
Dim valueToOutput
If Not IsNull(rs("ContractValue")) Then
valueToOutput=FormatNumber(rs("ContractValue"),0)
end if
%>
<!-- HTML Code continues below with an inserted VBscript variable -->
There are a total of <%=valueToOutput%> oranges available!
If dealing with too many null fields, the code will be riddled with too many IF-THEN-ELSE statements and that would look really ugly.
Consider using the COALESCE function on the database side, so the field values don't come up as null on the recordset, or alternatively, consider using your own coalesce function in ASP that you can use over and over again.
Function Coalesce(inputValue, replaceWith)
if isnull(X) then
Coalesce = replaceWith
else
Coalesce = inputValue
end if
End Function
Then you can use something like this:
<%=FormatNumber(Coalesce(rs("ContractValue"),0),0)%>

Security Classic ASP

Is this secure enough? I don't have any experience with classic ASP or VBScript.
I have a classic ASP page that takes in form data and sends it to another classic ASP page that makes a connection to the database. I use this for my CSRF token on the form input page:
<%
Dim token
token = CreateGUID()
Function CreateGUID()
Dim tmpTemp
tmpTemp = Right(String(4,48) & Year(Now()),4)
tmpTemp = tmpTemp & Right(String(4,48) & Month(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Day(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Hour(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Minute(Now()),2)
tmpTemp = tmpTemp & Right(String(4,48) & Second(Now()),2)
CreateGUID = tmpTemp
End Function
%>
<input type="hidden" ng-model="user.token" value="<%=token%>">
I'm using an AJAX call (with AngularJS if that matters) in the same page to post the form data to the page that will make a connection to the database.That page looks like this:
<%# LANGUAGE="VBScript" %>
<%If Request.ServerVariables("REQUEST_METHOD") = "POST" Then%>
<%If Request.Form("token") = Session("token") Then %>
'here I make connection to database and and insert rest of form data in database
OK, so let's go over this bit by bit...
You're getting all the fields of the current date and time, and using Right(..., 2) along with String(4,48) to zero-pad them. And then you concatenate them together. This results in... A string that represents the current date and time. For example, running this right now for me produces 20141212131100.
Firstly, it's definitely not a GUID, which is carefully specified to be dependent on time, hardware info and a bit of random. Clearly, as soon as someone sees this token, they will understand how it's made and how to forge it. They only need to be accurate to the nearest minute too! There is absolutely no randomness in this token generator.
So to answer your question, no, it's not secure. If you don't have access to a COM object that can generate real GUIDs or UUIDs, how about just using a long random number instead? It wouldn't be perfect, but it would be far better than what you have right now.
I thought I'd help out a little more by showing you how to generate a true GUID from VBScript.
Function NewGUID()
Dim TypeLib : Set TypeLib = CreateObject("Scriptlet.TypeLib")
NewGUID = CStr(TypeLib.Guid)
End Function
If you use this as your anti-CSRF token then it should be as safe as any other solution out there.

How to retrive form value using execScript in VB6?

Say, this is my code
Dim Address as string
WebBrowser1.Document.parentWindow.execScript("var a =
document.form1.address.text", "JavaScript")
how can i extract the value of document.form1.address.text to my VB6 variable Address?
You can use DOM.
Let us say we have simple HTML form:
<html>
<body>
<form name="form1">
Address: <input type="text" id="address">
</form>
</body>
</html>
After loading it in a WebBrowser control and making sure DOM is ready, we can get text of address field in the following way:
Private Sub cmdGetAddressText_Click()
Dim HTMLElement As Object
Dim Address As String
Set HTMLElement = WebBrowser1.Document.GetElementByID("address")
Address = HTMLElement.Value
MsgBox Address
End Sub
Edit:
It's even simpler than that. You can access field value directly from VB6:
Address = WebBrowser1.Document.Form1.Address.Value
Edit#2
It is also possible to get a value of a JavaScript variable if you wish to do so:
Private Sub cmdJSVar_Click()
Dim Address As String
Call WebBrowser1.Document.parentWindow.execScript("var a=document.form1.address.value; alert(a);")
Address = WebBrowser1.Document.Script.a
MsgBox Address
End Sub
Notice that JS variable name in .Script.a is case-sensitive (i.e. .Script.A won't work). It took some time to figure this out.
You can provide an IDispatch implementation to window.external but this is not easy to do VB6.
Easier would be to use location in JS to navigate to an address that you can capture in Navigate event in VB6 e.g. http://callback?param=value&param2=anothervalue, detect "callback" host, parse the parameters and cancel navigation.

ArcPad - VBscript - Autopopulate attributes

I am using the following script to grab parcel and address information from one layer to fill the attribute table of a newly created feature.
There is no returned error, but the problem I am having is that there seems to be the wrong information stuck in the memory of recordselect function. No matter where I place a point it gives the same parcel # and address. Or maybe it isn’t actually be performing the IF function properly.
Sub Address
Dim rsCurrentXY
Set rsCurrentXY = Map.Layers("Violations").records
rsCurrentXY.movelast
Dim objXYShape
Set objXYShape = rsCurrentXY.Fields.Shape
Dim pControls
Set pControls= Application.Map.selectionlayer.Forms("EDITFORM").Pages(“PAGE1”).Controls
Dim rsGrid
' Find corresponding map page to the valve point
Set rsGrid = Map.Layers("ACPA_parcels").records
rsGrid.movefirst
Do While Not rsGrid.eof
If rsGrid.fields.shape.Ispointin(objXYShape) Then
pControls("txtAddress").value = rsGrid.Fields("ADD1").Value
Exit Do
End If
rsGrid.Movenext
Loop
' Clean Up
Set rsCurrentXY = Nothing
Set objXYShape = Nothing
Set rsGrid = Nothing
End Sub
(I have another subroutine called "PIN" that would do the exact same thing.)
I have them called when their respective edit boxes in the custom form are activated by the inspector.
Thanks for the help,
Robert
Accessing the EDITFORM via Application.Map.selectionlayer.Forms("EDITFORM") will be problematic. Whenever working with controls on an EDITFORM you should using ThisEvent.Object to discover all your objects. For example, if your event handler is Page_OnLoad then ThisEvent.Object will refer to your current page. You should have code like this:
Dim pPage1
Set pPage1 = ThisEvent.Object
Dim pControls
Set pControls = pPage1.Controls

Resources