Recently moved a classic ASP application from windows 2003 to windows 2008 R2. After a lot of work, everything is functioning the same except for one thing. On the search results and category pages, I get the following error when trying to go to the next page of results:
Microsoft VBScript runtime error '800a0005'
Invalid procedure call or argument: 'Left'
/incpages/SearchResults.asp, line 1372
The code relative to this is here:
<form method="POST" name="MainForm" id="MainForm" action="/SearchResults.asp">
Page <input type="text" value="<%=ThisPageNum%>" size="3" name="Page" id="Page_SR" maxlength="4"> of <%=TotalPagesNum%>
<% Dim pageURL
pageURL = Request.ServerVariables("HTTP_X_ORIGINAL_URL")
%>
<%If ((InStr(LCase(Request.ServerVariables("HTTP_X_ORIGINAL_URL")),"/searchresults.asp")) > 0) Then%>
<%If ThisPageNum <> TotalPagesNum Then %>
<%If (ThisPageNum = "1") Then %>
<input type="image" border="0" name="btnNextPage" src="<%=SEOImage(Config_ImagesFolder & "/buttons/btn_nextpage.gif")%>" onClick="document.getElementById('Page_SR').value=<%=(ThisPageNum + 1)%>">
<%Else%>
<img src="<%=SEOImage(Config_ImagesFolder & "/buttons/btn_nextpage.gif")%>" border="0" name="btnNextPage" />
<%End If %>
<%End If %>
</form>
So when I go here: /SearchResults.asp?cat=80&page=1 the results show up fine. If I go here: /SearchResults.asp?cat=80&page=2 or any other page within TotalPagesNum, I get that error.
I haven't been able to figure out why it stopped working after the switch
Related
I have to show a link(Products) in the header after user login to the application. It fail to display the link at first but if I refresh the page the link appears and it logout from the application. The problem is, initially the session variable(LoginID) were I'm using to check in the condition is null, after I refresh the page the appropriate value sets in the same. The three separate page are link in the header page, the form in login page and the codebehind in the Login.asp page. Please suggest me what I'm missing here.
header.asp
Dim qcVisible, LoginID
LoginID=Session("LoginID")
if Session("LoginID")="invaliduser" or Session("LoginID")="" Then
qcVisible = "none"
else
qcVisible = "block"
end if
<div class="menu">
<ul class="clearfix">
<li class="active">Home</li>
<li>Products</li>
<li>Contact</li>
</ul>
</div>
Mylogin.asp(Form)
<!--#include file="header.asp"-->
Session("LoginID")="validuser"
<form name="MyForm" method="post" action="Login.asp" id="loginform">
<fieldset>
<div class="field">
<input type="text" name="LoginID" placeholder="User ID" id="LoginID" />
</div>
<div class="field">
<input type="password" name="PWD" placeholder="Password" id="PWD" />
</div>
<div class="field">
<button class="field_bt" type="submit" form="loginform" name="submit1">Sign In</button>
</div>
</fieldset>
</form>
Login.asp
Login(Request.Form("LoginID"),Request.Form("PWD"))
Function Login(LoginID,Password)
Dim objRS,strSQL
Set objRS=Server.CreateObject ("ADODB.Recordset")
`strSQL = Query
objRS.Open strSQL,objconn
If not objRs.Eof and not objRS.Bof then
dim muser
muser = Mid(objRS("user_password"),1,3)
dim mpass
mpass = Mid(Password,1,3)
If trim(muser)= trim(mpass) Then
Login=True
Session("LoginID")=LoginID
Session("Password")=Password
Else
Login=False
End If
End If
objRS.Close
Exit Function
End Function
<div class="maincontent">
<object id="obj" data="Mylogin.asp" type="text/html"></object>
</div>
Before Login
After login and refresh the page, its logout and the link shows.
Any help would be appreciated. Thanks.
Edited
Based on the member suggestion I tried the following
'If Request.Form.Count > 0 Then(Another Way)
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
if Session("LoginID")="invaliduser" or Session("LoginID")="" Then
qcVisible = "none"
else
qcVisible = "block"
end if
End If
There are a couple things wrong with your approach:
Session("LoginID") should either have no value (logged out) or a value (logged in).
You are tasking the clientside of hiding the link which can be defeated by looking in the browser's DevTools or source code.
To solve these issues:
#1: Only set Session("LoginID") when a log in is successful.
#2: Your Product-check should look like this to only generate the HTML if the user is logged in (remeber that the session should ONLY have a value if logged in):
<% If Session("LoginID") <> "" Then %><li>Products</li><% End If %>
in your code you set the visible to none if the loginID is empty string when you first load the page what do you think it is??:
if Session("LoginID")="invaliduser" or Session("LoginID")="" Then
qcVisible = "none"
Then later on you go:
<li>Products</li>
it is equilvalent to going:
<li>Products</li>
Before you actually refresh the page or login....
Instead you might want to try:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
//Do your styles in here
}else{
qcVisible = "block";
}
Usually when you load a webpage a GET request is sent, and if you refresh it or click submit the request you specified on your form will be sent in your case POST, so when the user did not enter anything you want to display product hence it will be in the else statement..... Otherwise you want to check if it is valid or not... :)
I only see an icon, and not the real image (also on the index page).
제목:<%= #food.title %> <br> <br>
<img src="<%= #food.image %>"><br> <br>
내용:<%= #food.content %> <br> <br>
<form action="/food/edit/<%= #food.id %>"> <input type="submit" value="수정"></form>
<form action="/food/destroy/<%= #food.id %>"> <input type="submit" value="삭제"></form>
I don't understand how an image can be saved in the database. I found a method that saves a url, but I upload the image file usually. I made an input tag that has the file type. How can I save the image? I have installed carrierwave.
What is #food.image? Is it a url, or the image itself? If it is a url, <img src="<%= #food.image %>"> should work. If it is the image itself, perhaps uploaded by carrierwave, you should use <%= image_tag(#food.image) %>.
I'm not sure what your Food model looks like, but try this (since you are using CarrierWave, add .url):
<img src="<%= #food.image.url %>"><br> <br>
or:
<%= image_tag #food.image.url %>
The icon you are seeing is the default icon shown by the browser if the image path is not found.
Reference: CarrierWave ActiveRecord
I'm using sinatra as my web framework and right now I have
<p><%= #sentence %></p>
<form action='/' method='POST'>
<button type='submit'>Save Story</button>
</form>
in my erb file. The variable at #sentence changes at refresh. When I hit the save Story button I want it to create a param in the post method that is equal to #sentence so that I can save #sentence to the main page. Is there anyway to do this without javascript?
ANSWERED
I used
`<div class="row">
<form action='/' method='POST'>
<input id="sentence" type="hidden" name="sentence" value= "<%= #sentence %>" >
<button type='submit'>Save Story</button>
</form>
</div>`
its still only taking the first word on one of the 4 pages but there must be something else going on there.
You need to create a hidden input field with the value set to w.e #sentence is
<p><%= #sentence %></p>
<form action='/' method='POST'>
<input type="hidden" name="sentence" value="<%= #sentence %>" />
<button type='submit'>Save Story</button>
</form>
This will give the form something to pass that you can grab with post elsewhere, hope that helps, just put your variable where the ... is and be sure to tell it the language, here is a php example on how to add a varaible to a value.
value="<?php echo $state; ?>"
Here I'm basically telling the browser to echo(print) the state variable between the " and " using php start and end to initiate the language and end it, The hidden type input field is invisible to users and they cannot edit it, its a background trick you can use to pass information, it acts as a text field.
Information on hidden fields:
http://www.blooberry.com/indexdot/html/tagpages/i/inputhidden.htm
When you select an answer, please edit your main post to display ANSWERED and the updated code so users can see what you decide to use.
In sinatra you can do this:
<p><%= #sentence %></p>
<form action='/' method='POST'>
<input type="hidden" name="sentence" value="<%= #sentence %>" />
<button type='submit'>Save Story</button>
</form>
I am attempting to make a quiz in my rails application and I have looked around and the only gem out there that looked like it did what I want was Survey, but that is not ready for rails 4. Anyway I borrowed the structure that Survey gem creates. So I have Attempts, Surveys, Questions, and Answers
My problem is when I try to pass back which answers were picked to the attempt controller and I am not sure. I am still new to rails so it could be something I am doing / not doing.
The View looks like this
<% provide(:title, 'Quiz') %>
<h1>Quiz</h1>
<%= form_for(Attempt.new) do |f| %>
<% #survey = Survey.find(1) %>
<h3><%= #survey.description %></h3>
<br/>
<% #survey.questions.each do |question| %>
<h4><%= question.text %></h4>
<br/>
<% question.answers.each do |answer| %>
<h5><%= f.radio_button question, answer.correct?, :checked => false %> <%=answer.text%></h5>
<br/>
<% end %>
<% end %>
<div class="actions">
<%= f.submit %>
</div>
<% end %>
The Params currently being returned are
{"utf8"=>"✓", "authenticity_token"=>"yCp4rsZfgZDTYK32FYgXTyZSQRQ4DcTWfokbrhImI1Q=", "attempt"=>{}, "commit"=>"Create Attempt", "action"=>"create", "controller"=>"attempts"}
This is my model structure (Grouped together to make it easier to read)
Attempt has many Surveys
Survey belongs to Attempts
Survey has many Questions
Question belongs to Surveys
Question has many Answers
Answer belongs to Questions
Edited: Added in form html
<form accept-charset="UTF-8" action="/attempts" class="new_attempt" id="new_attempt" method="post"><div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="✓"><input name="authenticity_token" type="hidden" value="jOQCSERK6LKWwKwIprv0fhn62W+9T13WSXss8oswyFo="></div>
<h3>Tests if I can register individuals</h3>
<br>
<h4>Paul's Favorite Color</h4>
<br>
<h5><input id="attempt_#<Question:0x007f41704d11e8>_false" name="attempt[#<Question:0x007f41704d11e8>]" type="radio" value="false"> Green</h5>
<br>
<h5><input id="attempt_#<Question:0x007f41704d11e8>_false" name="attempt[#<Question:0x007f41704d11e8>]" type="radio" value="false"> Blue</h5>
<br>
<h5><input id="attempt_#<Question:0x007f41704d11e8>_true" name="attempt[#<Question:0x007f41704d11e8>]" type="radio" value="true"> Teal</h5>
<br>
<h4>Paul's Age</h4>
<br>
<h5><input id="attempt_#<Question:0x007f41704d0b80>_false" name="attempt[#<Question:0x007f41704d0b80>]" type="radio" value="false"> 20</h5>
<br>
<h5><input id="attempt_#<Question:0x007f41704d0b80>_true" name="attempt[#<Question:0x007f41704d0b80>]" type="radio" value="true"> 21</h5>
<br>
<h5><input id="attempt_#<Question:0x007f41704d0b80>_false" name="attempt[#<Question:0x007f41704d0b80>]" type="radio" value="false"> 22</h5>
<br>
<div class="actions">
<input name="commit" type="submit" value="Create Attempt">
</div>
</form>
Create an Attempt instance variable in AttemptsConroller on creation:
def new
#attempt = Attempt.new
end
In your view use the instance just created:
<%= form_for(#attempt) do |f| %>
That should do the trick if I did not completely miss the problem at hand.
The HTML you posted really makes it clear that something "un-railsish" is going on here. If you call the form_for-helper method in the way you did it it will create a FormBuilder object which will build the actual form, so we have to check the parameters of the radio_button in the FormBuilder class (in Rubyspeak that might also be FormBuilder#radio_button). There we find
radio_button(method, tag_value, options = {})
so the three parameters of the method rails expects are the name of the method of the object the form should operate on (which in your case would be your Attempt.new object). The most usual thing to pass at this point is a symbol with the method name, but as you provided a Question-object rails is trying to be forgiving and converts whatever it is passed into a String (probably using the to_s method). As you do not seem to have implemented to_s in your Question class the default implementation of Object will kick in to provide a "description" of your object with a class name and an address in angular brackets. As the angular brackets would confuse the HTML-parser these are gently escaped for you and you end up with messed up id and name attributes of your input elements. This will most certainly confuse the rails params parser when the HTTP POST-request is passed back and you end up with what you posted.
It is not really obvious how to fix this without knowing more about your Model classes, but most probably you want to use a nested form to solve this in the right way. This is not something I can do from the top of my head, but you can check out this RailsCast for more info.
I have a multipart form written in Classic ASP that is based on the code below. I use stored procedures and parameters to write to the sql DB, I use Server.HTMLEncode before it is submitted also. I have javascript based validation (jquery validation plugin) as well as server side ASP validation for all the fields. I am not worried about injection but the page is vulnerable to XSS code listed below.
My question is: How do I prevent this type of cross site scripting on a classic ASP page like the one below?
Basically, all the data is collected then on the last "page" after submit is hit I run it through the server side validation. But I need to know how to prevent XSS before the user gets to the submission point.
XSS CODE:
';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
CODE:
<%
Const NUMBER_OF_PAGES = 3
Dim intPreviousPage
Dim intCurrentPage
Dim strItem
' What page did we come from?
intPreviousPage = Request.Form("page")
' What page are we on?
Select Case Request.Form("navigate")
Case "< Back"
intCurrentPage = intPreviousPage - 1
Case "Next >"
intCurrentPage = intPreviousPage + 1
Case Else
' Either it's our first run of the page and we're on page 1 or
' the form is complete and pages are unimportant because we're
' about to process our data!
intCurrentPage = 1
End Select
' If we're not finished then display the form.
If Request.Form("navigate") <> "Finish" Then %>
<form action="<%= Request.ServerVariables("URL") %>" method="post">
<input type="hidden" name="page" value="<%= intCurrentPage %>">
<%
' Take data and store it in hidden form fields. All our fields are
' prefixed with numbers so that we know what page it belongs to.
For Each strItem In Request.Form
' Ignore the "page" and "navigate" button form fields.
If strItem <> "page" And strItem <> "navigate" Then
' If the data is from the current page we don't need
' the hidden field since the data will show in the visible
' form fields.
If CInt(Left(strItem, 1)) <> intCurrentPage Then
Response.Write("<input type=""hidden"" name=""" & strItem & """" _
& " value=""" & Request.Form(strItem) & """>" & vbCrLf)
End If
End If
Next
' Display current page fields. The fields are all named with
' numerical prefix that tells us which page they belong to.
' We need a Case for each page.
Select Case intCurrentPage
Case 1
%>
<table>
<tr>
<td><strong>Name:</strong></td>
<td><input type="text" name="1_name" value="<%= Request.Form("1_name") %>"></td>
</tr><tr>
<td><strong>Email:</strong></td>
<td><input type="text" name="1_email" value="<%= Request.Form("1_email") %>"></td>
</tr>
</table>
<%
Case 2
%>
<table>
<tr>
<td><strong>Address:</strong></td>
<td><input type="text" name="2_address" value="<%= Request.Form("2_address") %>"></td>
</tr><tr>
<td><strong>City:</strong></td>
<td><input type="text" name="2_city" value="<%= Request.Form("2_city") %>"></td>
</tr><tr>
<td><strong>State:</strong></td>
<td><input type="text" name="2_state" value="<%= Request.Form("2_state") %>"></td>
</tr><tr>
<td><strong>Zip:</strong></td>
<td><input type="text" name="2_zip" value="<%= Request.Form("2_zip") %>"></td>
</tr>
</table>
<%
Case 3
' Notice that you can do other types of form fields too.
%>
<table>
<tr>
<td><strong>Sex:</strong></td>
<td>
<input type="radio" name="3_sex" value="male" <% If Request.Form("3_sex") = "male" Then Response.Write("checked=""checked""") %>>Male
<input type="radio" name="3_sex" value="female" <% If Request.Form("3_sex") = "female" Then Response.Write("checked=""checked""") %>>Female
</td>
</tr><tr>
<td><strong>Age:</strong></td>
<td>
<select name="3_age">
<option></option>
<option<% If Request.Form("3_age") = "< 20" Then Response.Write(" selected=""selected""") %>>< 20</option>
<option<% If Request.Form("3_age") = "20 - 29" Then Response.Write(" selected=""selected""") %>>20 - 29</option>
<option<% If Request.Form("3_age") = "30 - 39" Then Response.Write(" selected=""selected""") %>>30 - 39</option>
<option<% If Request.Form("3_age") = "40 - 49" Then Response.Write(" selected=""selected""") %>>40 - 49</option>
<option<% If Request.Form("3_age") = "50 - 59" Then Response.Write(" selected=""selected""") %>>50 - 59</option>
<option<% If Request.Form("3_age") = "60 - 69" Then Response.Write(" selected=""selected""") %>>60 - 69</option>
<option<% If Request.Form("3_age") = "70 - 79" Then Response.Write(" selected=""selected""") %>>70 - 79</option>
<option<% If Request.Form("3_age") = "80 +" Then Response.Write(" selected=""selected""") %>>80 +</option>
</select>
</td>
</tr>
</table>
<%
Case Else
' You shouldn't see this error unless something goes wrong.
Response.Write("Error: Bad Page Number!")
End Select
%>
<br />
<!-- Display form navigation buttons. -->
<% If intCurrentPage > 1 Then %>
<input type="submit" name="navigate" value="< Back">
<% End If %>
<% If intCurrentPage < NUMBER_OF_PAGES Then %>
<input type="submit" name="navigate" value="Next >">
<% Else %>
<input type="submit" name="navigate" value="Finish">
<% End If %>
</form>
<%
Else
' This is where we process our data when the user submits the final page.
' I just display the data, but you're free to store the data in a
' database, send it via email, or do whatever you want with it.
'For Each strItem In Request.Form
' Response.Write(strItem & ": " & Request.Form(strItem) & "<br />" & vbCrLf)
'Next
%>
<p><strong>
Here's what you entered:
</strong></p>
<pre>
<strong>Name:</strong> <%= Request.Form("1_name") %>
<strong>Email:</strong> <%= Request.Form("1_email") %>
<strong>Address:</strong> <%= Request.Form("2_address") %>
<strong>City:</strong> <%= Request.Form("2_city") %>
<strong>State:</strong> <%= Request.Form("2_state") %>
<strong>Zip:</strong> <%= Request.Form("2_zip") %>
<strong>Sex:</strong> <%= Request.Form("3_sex") %>
<strong>Age:</strong> <%= Request.Form("3_age") %>
</pre>
<p>
Start Again
</p>
<%
End If
%>
You should use Server.HTMLEncode before writing the user input to the page, not before writing to the DB. In fact, it's better to store non encoded values in the DB to avoid double encoding.
Fixed code:
Case 1
%>
<table>
<tr>
<td><strong>Name:</strong></td>
<td><input type="text"
name="1_name"
value="<%= Server.HTMLEncode(Request.Form("1_name")) %>"></td>
</tr>
<tr>
<td><strong>Email:</strong></td>
<td><input type="text"
name="1_email"
value="<%= Server.HTMLEncode(Request.Form("1_email")) %>"></td>
</tr>
</table>
<%
Also, make sure that Request.Form("page") is a number
intPreviousPage = TryCLng(Request.Form("page"))
Internal function of mine
function TryCLng( NumeroEnTexto )
if isNumeric( NumeroEnTexto ) then
TryCLng = clng(NumeroEnTexto)
else
TryCLng = 0
end if
end function