Form Security & Integration with ASP

Sim Marsh

Hello all,

2 Quick questions -

First - Form in HTML page sends results to a text file -
Problem is anyone doing a right-click can find path to the
hidden file & access the contents - Is there a good way to
stop this - maybe within IIS6??

Second - Form set-up in page with ASP extension to send
results to text file won't work - ie no confirmation page
and no stored results - but rename as HTML and works
fine .. Why & Any suggestions?

Thanks

Sim
 
Kevin Spencer

Hi Sim,

> First - Form in HTML page sends results to a text file -
> Problem is anyone doing a right-click can find path to the
> hidden file & access the contents - Is there a good way to
> stop this - maybe within IIS6??

No. You can, however, create your own forms and form handlers using ASP or
some other server-side technology.

> Second - Form set-up in page with ASP extension to send
> results to text file won't work - ie no confirmation page
> and no stored results - but rename as HTML and works
> fine .. Why & Any suggestions?

ASP is an ISAPI that is different from FrontPage server extensions. Only one
ISAPI can process a file. If you want an ASP form, use ASP to handle it.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 
Jim Buyens

-----Original Message-----
> Hello all,

Howdy.

> 2 Quick questions -
>
> First - Form in HTML page sends results to a text file -
> Problem is anyone doing a right-click can find path to
> the hidden file & access the contents - Is there a good
> way to stop this - maybe within IIS6??

Yes, and it doesn't require IIS6.

1. Create a new folder inside your Web.
2. Configure the Save Results component to save its
data in the new folder from step 1.
3. Open your "live" Web site in FrontPage.
4. If necessary, create a folder corresponding to the
one from step 1.
5. In the Folder list or Folders view, right-click the
folder, choose Properties, and clear the Allow Files
To Be Browsed check box.

Note that this will disable *your* access to the new
folder as well. To view or retrieve the file, you'll need
to open the "live" site in FrontPage.

> Second - Form set-up in page with ASP extension to send
> results to text file won't work - ie no confirmation page
> and no stored results - but rename as HTML and works
> fine .. Why & Any suggestions?

The ASP processor and the FrontPage "Smart HTML
Interpreter" (which processes form results) are
incompatible. If you can't get FrontPage to do everything
you want, you have to code the whole page in ASP (or
ASP.NET, or PHP, or whatever).

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
Author of:
*----------------------------------------------------
|\---------------------------------------------------
|| Microsoft Office FrontPage 2003 Inside Out
||---------------------------------------------------
|| Web Database Development Step by Step .NET Edition
|| Microsoft FrontPage Version 2002 Inside Out
|| Faster Smarter Beginning Programming
|| (All from Microsoft Press)
|/---------------------------------------------------
*----------------------------------------------------
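
The approach both replies above point to, handling the form in ASP itself instead of with the FrontPage Save Results component, as an added example that is not part of either post. The field names `name` and `comments` and the path `D:\formdata\results.txt` are assumptions; the folder is assumed to sit outside the Web site's folder tree, so no URL maps to the results file.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: self-posting ASP page that saves form results itself,
' without the FrontPage Save Results component.
' ASSUMPTIONS: the field names "name" and "comments" and the path below are
' hypothetical. The folder must sit outside the Web site's folder tree, and
' the account IIS runs the site under needs write permission on it.
Const RESULTS_FILE = "D:\formdata\results.txt"
Const ForAppending = 8

' Trim, cap the length, and flatten tabs and line breaks so that one
' submission always occupies exactly one tab-separated line.
Function CleanField(fieldName, maxLen)
    Dim v
    v = Left(Trim(Request.Form(fieldName) & ""), maxLen)
    v = Replace(v, vbCr, " ")
    v = Replace(v, vbLf, " ")
    CleanField = Replace(v, vbTab, " ")
End Function

Dim saved, fso, ts
saved = False
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    ' Third argument True: create the file if it does not exist yet.
    Set ts = fso.OpenTextFile(RESULTS_FILE, ForAppending, True)
    ts.WriteLine Now() & vbTab & CleanField("name", 100) & vbTab & CleanField("comments", 1000)
    ts.Close
    Set ts = Nothing
    Set fso = Nothing
    saved = True
End If
%>
<html>
<body>
<% If saved Then %>
<p>Thank you, <%= Server.HTMLEncode(CleanField("name", 100)) %>. Your submission was saved.</p>
<% Else %>
<form method="post" action="<%= Server.HTMLEncode(Request.ServerVariables("SCRIPT_NAME")) %>">
  <p>Name: <input type="text" name="name" maxlength="100"></p>
  <p>Comments: <textarea name="comments" rows="4" cols="40"></textarea></p>
  <p><input type="submit" value="Send"></p>
</form>
<% End If %>
</body>
</html>
```

Because the page posts back to itself and writes the file from server-side script, the results path never appears in the HTML sent to the browser, and the same page can carry any other ASP content.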
 
Sim Marsh

Hi Jim

Thanks for replying - however whilst your suggestion works
by stopping browsing - it doesn't work if they browse
directly to the file storing the results - IE6 just shows
the file, no questions asked.

Maybe I'm wrong but if anyone can read these form results
why do people like JBots bother providing a credit card
validator?

Cheers

Sim
 
Sim Marsh

Oops Sorry Jim

Does seem to work - if you clear your browser cache !!!

But this doesn't disable your access if you can get into
IIS6 as administrator - then you can access via PC
Anywhere etc and find the file that way without having to
resort to FP access.

Cheers

Sim
 
Sim Marsh

Hi Kevin

The dilemma is that I have an Item on the page that uses
ASP but the form itself only needs HTML... and if I save
the page with the HTML extension the ASP component fails.

Like catch 22 but don't really want to use Frames (even if
this would work, of which I'm not certain.)

Simeon
 
Thomas A. Rowe

A truly secure eCommerce web site never stores the full credit card data on
the web site, as they use real-time credit card validation, and no one sees
the customer's full credit card info.

A semi-secure eCommerce web site stores the full credit card data in a
database for only as long as needed to process the credit card manually, and
then the credit card data is deleted from the database.

The merchant accesses the order info via a browser's SSL connection to the
database to retrieve the order and credit card data.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 
Mike Mueller

We recently did a web project that had CC info being stored in a db and when
I checked with the card issuers they want triple-DES encryption on the db and
the only limit other than that was that you could only store the CID number
for 10 minutes while in processing.

Mike
 
Thomas A. Rowe

I never store the CID in the database, instead when the CC is stored in the
database, I send the CID (by itself) in the email notification to the
merchant with the order detail and a login link to access full record in the
db.

 
Jim Buyens

Sim Marsh said:
> Oops Sorry Jim
>
> Does seem to work - if you clear your browser cache !!!
>
> But this doesn't disable your access if you can get into
> IIS6 as administrator - then you can access via PC
> Anywhere etc and find the file that way without having to
> resort to FP access.

Nothing can save your data from someone who gets into the OS
as an administrator. And this is just as true for any operating
system and Web server software you care to name.

If you don't trust your administrator, get a different host.

Jim Buyens
Microsoft FrontPage MVP
http://www.interlacken.com
 