July 08, 2002

Every journey starts with a first step:

Build Your First ASP Application in MS Active Server Pages

July 05, 2002

HTMLEncode
You might ask, what the heck is that and what does it do? Well, for this next quickie I will show you a simple way to prevent visitors from entering JavaScript, or most any other code with malicious intent, into your forms. Most of this code is placed by people who want to see how well your forms hold up under simple "hacking" techniques. Others are genuinely trying to bring down your Web server and create undue work for the administrators. Either way, HTMLEncode is a server-side function in ASP that prevents this from happening.

Let's examine a simple guestbook form theoretically, and what might happen if you do not HTMLEncode the input values:
Your basic guestbook usually contains several fields or text input areas for visitors to insert their name, email address, homepage, and a brief rant/rave about your web site. Once the visitor enters this information they will click on submit or send to have it inserted into a database (we will be talking databases here, but this can apply to XML or other flat files). The visitor's information is then returned via the database back to the browser so everyone can see it. This is all done via ASP or some other server-side scripting language (we will be talking about ASP here).

Now malicious Joe Schmoe has entered a JavaScript snippet into the message part of the guestbook and has submitted it to the database. This script tells the browser to endlessly create new popup windows in the visitor's browser. Every time a new visitor comes to look at your guestbook the script is run client side as JavaScript. Very annoying :( So what can you do? First, you can clean the database out manually so the entry is no longer there and hope he doesn't come back... or you can recode your application to make sure that any characters submitted via the ASP page are HTMLEncoded. HTMLEncode means that each text value entered into the form is encoded server-side before entering into the database. For example, the HTMLEncode version of the "&" symbol is &amp; and many HTML coders know this already and can understand what the encoding does. It takes the characters that carry meaning in markup, such as "<", ">" and "&", and encodes them as HTML entities. The "<" becomes &lt;, the ">" becomes &gt;, etc. The browser then displays them as the literal characters for the viewer instead of interpreting them as markup.

Now for how it is done on the ASP page:

Let's assume that there are 3 fields you are asking folks to fill out:

Name, Email, and Message.
' Encode each posted value before it is stored or displayed
USER_NAME = Server.HTMLEncode(Request.Form("USER_NAME"))
USER_MAIL = Server.HTMLEncode(Request.Form("USER_MAIL"))
USER_MESSAGE = Server.HTMLEncode(Request.Form("USER_MESSAGE"))

The ASP script, just before INSERTing the values into a database, should wrap each Request.Form value in Server.HTMLEncode. This will encode the values from the form. At this point you can INSERT them anywhere (just keep that to yourself) and they will be safe for displaying at a later time.
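To show what the encoding step above actually does to a guestbook entry, here is an added example written in JavaScript (the JScript flavor is also a classic ASP scripting language); it is not the ASP page's own code, and htmlEncode() is my re-implementation of what Server.HTMLEncode does as I understand it ("&", "<", ">", double quotes and characters above 0x7F are turned into entities), applied to a constructed guestbook submission.

```javascript
// Mirror of Server.HTMLEncode (assumed behaviour, not the real ASP function):
// the characters that mean something in HTML become entities, so the browser
// shows them as text instead of executing them as markup or script.
function htmlEncode(text) {
  let out = "";
  for (const ch of String(text)) {
    const code = ch.codePointAt(0);
    if (ch === "&") out += "&amp;";
    else if (ch === "<") out += "&lt;";
    else if (ch === ">") out += "&gt;";
    else if (ch === '"') out += "&quot;";
    else if (code > 0x7f) out += "&#" + code + ";"; // extended characters
    else out += ch;
  }
  return out;
}

// Encode the three guestbook fields the way the ASP snippet does, right
// before the values would be INSERTed into the database.
function encodeGuestbookEntry(form) {
  return {
    USER_NAME: htmlEncode(form.USER_NAME),
    USER_MAIL: htmlEncode(form.USER_MAIL),
    USER_MESSAGE: htmlEncode(form.USER_MESSAGE),
  };
}

// Render a stored entry into the HTML the guestbook page sends back.
function renderEntry(entry) {
  return "<p><b>" + entry.USER_NAME + "</b> (" + entry.USER_MAIL + ")<br>" +
         entry.USER_MESSAGE + "</p>";
}

// Check whether the rendered HTML still carries a script tag the browser would run.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample submission: Joe Schmoe's message carries a script tag.
const SAMPLE_FORM = {
  USER_NAME: "Joe Schmoe",
  USER_MAIL: "joe@example.com",
  USER_MESSAGE: '<script>alert("gotcha")</script> "Nice" site & thanks!',
};

const rawHtml = renderEntry(SAMPLE_FORM);                        // script survives
const safeHtml = renderEntry(encodeGuestbookEntry(SAMPLE_FORM)); // script is inert text
console.log(containsScriptTag(rawHtml), containsScriptTag(safeHtml)); // true false
```

Encoding only makes the values safe to render as HTML; the INSERT statement itself still needs a parameterized query rather than string concatenation of the form values.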

Some reference links for using HTMLEncode:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259352
http://www.w3schools.com/asp/met_htmlencode.asp


June 30, 2002

GotDotNet.com, another cool site for those looking to develop on the .NET framework. There is a game called Terrarium that allows you to build a Carnivore, Herbivore or Hybrid-type creature for a "SIMS" survival sort-of thing. Also, free source code for many applications, such as the message boards.

Got .NET?

June 20, 2002

Ok, so you have decided that maybe you would like to take the plunge and start getting into the .NET development environment. Alas, you do not have $2,500 to pony up for the VS.NET Enterprise Architect, maybe you do but I can think of numerous other goodies I'd rather spend that loot on. Now what do you do? I'll tell you what to do. Head on over to http://www.asp.net/webmatrix/ and pick yourself up a FREE copy of open-sourced IDE made specifically for .NET !@!#$%$! That's right folks it is FREE! Don't say Microsoft never gave you anything for free.

Here's something else that will make you grin from ear to ear, it is a 1.2MB download... you can get up off the floor now. This little project is the best thing since Laverne and Shirley re-runs and the only hefty item you need to make sure you have is the .NET framework itself which is also available here (33MB). The IDE is very similar to VS.NET so there is little to no learning curve if you do decide that the new car you were saving up for can wait because you need VS.NET.

I can't tell you all the great things about this application here you should get it yourself and jump right in.

June 15, 2002

OK, Let's talk a little bit about ASP.NET and some of the techniques that make .NET the rave on the Web.

One of the great things about the .NET framework is that it supports numerous languages. Most enterprise-wide solutions involve different schools of thought, anything from JAVA to simple HTML. Microsoft's .NET provides functionality for all of the players in the solution to work on their own part of the project at their own pace, and simultaneously. The .NET framework provides "code-behind" functionality - meaning, an application has code behind it working side-by-side with other code. So you may ask yourself... "What does this mean for me?" It means that if you are an HTML designer working on a wire-frame for a Web application, you do not have to wait for the JAVA developers to finish their part before you can work on yours, and vice versa. Everyone can work in parallel as the framework only compiles their specific work and not the whole solution, unless need be.

Secondly, the .NET framework adds very robust caching to the delivering Web servers. When an application is called by a visitor from the web site, it will stay in memory until it needs to be flushed out for a different application. You can see this in action on this simple ASP.NET page, http://www27.brinkster.com/owlick/dotnet/something.aspx.
This page utilizes a feature called "postback form". This means the page is responsible both for displaying the results of the application and for processing the data input by the user.
Because of this, 2 pages are no longer needed for simple form processing. Submitting the form posts the information back to the same page via reload, and the HTML is rendered accordingly.

This does not mean that you cannot have an ACTION property. It is just as easy to redirect the user upon submit to another .aspx page for processing. We will stick to the postback topic for now.

Let's take a look at the code for the something.aspx: http://www.randompsycho.org/owlick/dotnet/something.aspx.txt.

The first line: shows the language used as Visual Basic - script language="vb"; and the attribute of runat="server". The language is your preference. Microsoft is pushing C# as the primary language and if you have other object-oriented language experience such as C++ or JAVA you can pick the C# language up fairly easily. I prefer VB.NET as I have experience in Visual Basic.

The second line: starts the Subroutine called Page_Load with the basic parameters needed for any .NET event handler (sender As Object, e As EventArgs). We will not get into this part in depth as the focus of this topic is the ASP.NET page and postback feature and not the rudiments of the .NET framework. But to let you know, it is the event for creating an event handler and is most commonly used. When Page_Load is fired a view state is created and then you can access the Web controls for this particular page.

Third line: comments about the process performed. NOTE: Comments in an application rule! Please use them. It is good practice to do so and helps others troubleshoot your application.

Fourth line: The infamous Response.Write part of ASP. This returns the value entered into the textbox of the form.

Fifth line: Ends the Subroutine.

The next few lines are basic HTML with some added features. You will notice that in the form there are Web controls which you are probably not used to seeing in HTML or traditional ASP. The runat="server" makes the form server-side and secure. The textbox becomes a Web control and is also run at the server. Make sure you give it an ID as it is what the Response.Write will use to get its information. The button also has become a Web control and is run at the server.

Simple form here, but the main issue at hand is... when you run this form you will notice that the speed at which the form processes is instantaneous upon submit. There is NO round trip back to the server for processing. It is handled here, via postback! Caching allows for this :) It is a server admin's dream and creates a better user experience.

Next time: More postback features and responding to postback form and checking to see if the form has already been posted back.

June 10, 2002

For all of you who need a testing server to test out your .NET creations. http://www.brinkster.com offers one heck-of-a-deal !

June 05, 2002

You gotta start somewhere, I suppose...

WebmasterBase - Getting Started with ASP.NET

May 30, 2002

Fun with JavaScript

When sitting around with extra time on my hands, there's nothing like an online game for entertainment. I found this interesting JavaScript version of Battleship and decided to fancy it up a bit.

For starters, I practiced with some "onClick" code for the button to pop up a window in which to play the game. The original game displayed your opponent's ships in the window status bar. That didn't suit since I was using a popup window. Snooping through the code I found the function that passed the status value (a variable named "statusmsg") and added one additional line: document.statusbox.display.value = statusmsg; (you gotta love DOM, eh?). The final touches were adding a form to the page (named "statusbox") and a readonly textarea (of course, named "display") and a handy little button that would call a function to reload the page when the game is over.

Credits for the original JavaScript are in the source code. It makes for good reading.

Addendum: After thinking about it for awhile, I realized that I didn't need a special function just to reload the game. Again, the DOM comes in handy and I simply used the reload method of the "location" object. Gee, isn't that easier?

So, give it a try:


May 23, 2002

Just in case you have not already learned how to utilize style sheets:

An Introduction to Cascading Style Sheets (CSS)

Does your site bite?

If nothing else, check out this article to make sure your site isn't one of the examples!

WebmasterBase - 10 Sites that Bite

May 09, 2002

So, you've got a killer web site and you've outgrown that free web hosting package (you know the ones). What's next? Web Hosting Options

Web site confessional

Naw, we'd never do anything that would be considered bad design. No, not ever. (wink) Check out this article, just to make sure.

WebmasterBase - 10 Deadly Web Site Sins

April 30, 2002

April 25, 2002

Pop-ups, you gotta love 'em

Ok, I know, pop-up windows are everywhere. But here is a handy script that sets a cookie so that the message only pops up once per day (adjustable).

Java-scripts.net: Create a Popup Once Window

For those that are artistically inclined, here is the first of a three part series on designing logos:

Design Harbor: Logo Design Workshop, Part I

Apparently there is still much debate over the use of "cookies" on the Web.

WebmasterBase - The Cookie Conundrum

P.S. Feel free to post your opinion over in the Forums sections too.

Set your own style...

It never hurts to brush up on your style sheets every once in a while. And for those who haven't started using CSS yet:
CSS Is Easy!

April 15, 2002

I may have posted this once before, but this is still a handy tool for turning off services on your IIS web server that you don't need (and might be creating a security risk).

IIS Lockdown Tool (version 2.1) - 14 Nov 2001

Been hacked lately?

Here's the latest Security Bulletin from Microsoft on IIS patches (posted April 10, 2002):

Cumulative Patch for Internet Information Services