Another way to watch for and prevent SQL injection attacks in
Hide inline frames scroll bars in your Web applications
Show your Web site users you know what time it is
What to do when you want to use optional function
You *can* rename files with the FileSystemObject component in ASP
Get just the filename from a full path in ASP
Change the default ASP scripting language used in Visual
Image map limitations with IIS
Rate your Web site's content to protect children from
Translate generic ASP error code with a little help from Microsoft
Include VBScript variables in ASP SQL statements
State vs performance in ASP
Generate GUID values in ASP
Use VBScript's RegExp object to validate email address syntax
Prevent spam before it starts with our JScript
In a previous tip, we discussed how SQL injection attacks in poorly protected Web pages can jeopardize your critical business systems. Here's another way to prevent them: look for semicolons in the items posted to the Web page before executing a SQL statement, and/or make semicolons invalid characters in your form fields. This would look something like this:
Have you ever presented dynamic content in an inline frame and wished you could get rid of the scroll bars? The following bit of code, inserted as a function in the parent page, will allow you to do it:
<SCRIPT language=javascript>
function resetIFrame() {
  // Dynamically resize the frame based on the frame's content
  // (document.all and window.frames("name") are the IE syntax used in the original).
  var iDocHeight = window.frames("insetFrame").document.forms(0).scrollHeight + 30;
  var iDocWidth = window.frames("insetFrame").document.forms(0).scrollWidth + 30;
  document.all.insetFrame.width = iDocWidth;
  document.all.insetFrame.height = iDocHeight;
}
</SCRIPT>
Then, simply call the function in the iframe's onload event:
<IFRAME id=insetFrame name=insetFrame onload=resetIFrame() frameborder='0' width='600px' height='500px' src='http://www.myapp.com'></IFRAME>
After the frame loads, it will resize itself based on the new content, and the scroll bars will disappear. Note that the parent page can only read the frame's document when both are served from the same origin; the browser blocks this access for a frame loaded from another site.
A nice element you can easily add to your ASP-based Web sites is a time-based greeting or other interface element. For example, you can greet your users with a hearty "Good Morning!" or a tranquil "Good Evening" based on the time of day. Take a look at the following function for an idea of how easy this is to implement:
<%
Function GreetUser()
  Dim intHour
  intHour = Hour(Now)   ' the server's local hour, 0 to 23
  If intHour >= 0 And intHour < 12 Then
    GreetUser = "Good Morning"
  ElseIf intHour >= 12 And intHour < 18 Then   ' >= so that noon is not reported as evening
    GreetUser = "Good Afternoon"
  Else
    GreetUser = "Good Evening"
  End If
End Function
%>
You might also try basing the selection of images or color schemes on the time of day. Or here's another idea: why not also look at the date? Then you can adjust the appearance of your Web site to reflect the seasons of the year. In the end, you'll have a more visually interesting site, which can help keep users coming back.
One of the disadvantages of VBScript is that, unlike the Visual Basic language of which it's a subset, VBScript doesn't support the declaration of optional parameters in subroutines or functions. You can, of course, work around this in a couple of ways. For example, you can pass in an array instead of a more basic parameter type, and include a member of the array for each parameter you want to pass; "optional parameters" then correspond simply to omitted members of the array. Or you can declare the parameter but always pass an empty value for it, like this:
Call TestFn("TestString", "")
But these are both relatively clumsy solutions. JScript, on the other hand, *does* support optional parameters, and it's a perfectly valid choice for server-side ASP code. Here's an example of how to use optional parameters in JScript:
<%@ Language=JScript %>
<%
function TestFn(Param1, Param2) {
  // Param2 is optional: when the caller omits it, it arrives as undefined
  if (typeof Param2 == "undefined") Param2 = "";
  Response.Write(Param1 + Param2);
}
TestFn('1','2');
TestFn('1');
%>
Although the FileSystemObject classes don't include any sort of Rename method that would allow you to rename files directly, the Name property of the File object is, in fact, read/write. To rename a file, then, all you really need to do is assign the Name property a new value representing the new name for the file. Here's a sample:
<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
' Name takes a file name only, not a full path; the file stays in its folder
fso.GetFile("c:\test.txt").Name = "test.bak"
Set fso = Nothing
%>
Oftentimes, you'll have an entire path and filename passed into your ASP page, and you'll want to parse out the filename only. There are several ways to accomplish this, but here's probably the easiest one we've seen. For a local path, use this syntax:
<%
FullPath = "C:\inetpub\wwwroot\testpage.asp"
PartsArray = Split(FullPath, "\")
' the last element of the split array is the filename
Response.Write PartsArray(UBound(PartsArray))
%>
For a URL (where the backslash is replaced with the forward slash), make this adjustment to the separator:
PartsArray = Split(FullPath, "/")
If you need to change the default scripting language in VI6.0, it isn't terribly difficult to do, if you know where to look. Right-click on your project in the Solution Explorer and choose Project Properties. Then, click on the Editor Defaults tab. In the Default Scripting Language dropdown list, which will be automatically populated with all installed Active Scripting Engines, choose the new default. This is how, for instance, you can choose PerlScript or Python as your new default scripting language in VI6.0.
Image maps offer a very sophisticated way to map out the vertices of complex polygons that serve as links on your Web site. Though most of the time you'll use simple rectangles, circles, or polygons, there may be times when you want to trace the outline of a very complicated shape. Before you do, however, you should know that IIS places a limit on the number of vertices you can define in your image map. For IIS 4.0 and earlier, that limit is 100, while for IIS 5.0, it's 160. This will probably never be an issue for you, but just in case, you can't say you weren't warned!
Content ratings are often overlooked in Web site development, but rating your content's suitability for younger audiences is a very responsible thing to do. To rate a page or Web application, access the Properties dialog box for it in the Internet Services Manager, and then select the HTTP Headers tab. Click the Edit Ratings button to invoke the Content Rating dialog box. Once there, select the Ratings tab and select the Enable Ratings For This Resource check box. Now, to rate the page, directory, or site, use the slider control to provide ratings in each of the four RSAC categories: violence, nudity, sex, and language. You'll also need to provide a name and date to identify the ratings.
You're probably tired of trying to figure out what caused an error in your ASP page when all it spits out is something like this:
ASP 0100
Active Server Pages often returns a generic error with little information to help you diagnose the problem. Worse, all you get is the error number. How do you track down the problem when you aren't even sure what the error is? The answer is to look up the error in this handy table: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q294271 This Knowledge Base article translates error codes into their associated descriptions for all versions of IIS (all the way up to version 6.0).
You'll often want to include a VBScript variable in an ASP SQL statement. For example, suppose you want to let a user search a table for names that begin with a letter they specify. To use a variable in a SQL statement, simply concatenate the various parts of the statement together. To see how this works, create an ASP page with the following code:
<HTML>
<BODY>
<FORM Name="test" Action="SQLVars.asp" Method="POST">
<INPUT Name="txtSearch" TYPE="TEXT" Size=15
VALUE="SearchForMe">
<INPUT Type="SUBMIT" VALUE="Submit">
</FORM>
<%
Dim strSQL1
Dim strSQL2
Dim strSearch
strSearch = Request.Form("txtSearch")
' Customer, MyField and Name stand for your own table and column names
If Len(strSearch) Then
  ' the variable name inside the literal is sent as-is: no substitution happens
  strSQL1 = "Select MyField From Customer Where " _
    & "Name Like 'strSearch%'"
  ' concatenation places the posted value inside the single-quoted literal
  strSQL2 = "Select MyField From Customer Where " _
    & "Name Like '" & strSearch & "%'"
End If
%>
<UL>
<LI>Before concatenation: <%=strSQL1%>
<LI>After concatenation: <%=strSQL2%>
</UL>
</BODY>
</HTML>
When you run the page, only strSQL2 contains the variable's actual value, which can then be sent on to SQL Server, or any other database that processes SQL statements. Also, notice the use of the single quote before the double quote and after the percent sign. This ensures that the database interprets the variable's value as a string.
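The following is an added example, not code from the article: the concatenation pattern from this tip, alongside the semicolon check from the earlier SQL injection tip and SQL-standard doubling of single quotes, written in JavaScript (the JScript dialect is also valid ASP) so it runs outside IIS. The table and column names Customer and Name are assumed, and the input "O'Br" is a constructed sample; a parameterized ADODB.Command remains the stronger fix.

```javascript
// Added example (not from the original article). Table/column names are assumed.

// Builds the LIKE query exactly as the tip does: raw string concatenation.
function buildSearchSqlRaw(search) {
  return "SELECT Name FROM Customer WHERE Name LIKE '" + search + "%'";
}

// Check from the earlier tip: refuse any posted value containing a semicolon.
function containsSemicolon(value) {
  return value.indexOf(";") !== -1;
}

// SQL-standard escaping for a string literal: double every single quote so
// the posted value cannot end the literal early.
function sqlStringLiteral(value) {
  return "'" + value.replace(/'/g, "''") + "'";
}

// Hardened builder: reject semicolons, escape quotes, then concatenate.
// Returns null when the input is rejected.
function buildSearchSqlSafe(search) {
  if (containsSemicolon(search)) return null;
  return "SELECT Name FROM Customer WHERE Name LIKE " + sqlStringLiteral(search + "%");
}

// Counts single quotes in the SQL text; an odd count means the posted value
// has broken the boundaries of the string literal.
function quoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

// Constructed inputs: a plain prefix and a legitimate name containing an apostrophe.
const SAMPLE_PLAIN = "Sm";
const SAMPLE_APOSTROPHE = "O'Br";

// Stand-alone demonstration: the raw query for "O'Br" has an odd number of
// quotes (the literal is broken); the hardened one keeps them balanced.
console.log(buildSearchSqlRaw(SAMPLE_PLAIN));
console.log(buildSearchSqlRaw(SAMPLE_APOSTROPHE), quoteCount(buildSearchSqlRaw(SAMPLE_APOSTROPHE)));
console.log(buildSearchSqlSafe(SAMPLE_APOSTROPHE), quoteCount(buildSearchSqlSafe(SAMPLE_APOSTROPHE)));
```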
Most ASP developers already know that maintaining state in ASP pages comes at a performance cost and that you should avoid persisting state when it makes logical sense to do so. But did you know that you could be paying a performance cost for state management even when your code isn't using it?
The issue is that the ASP engine makes room for the possibility you'll use state management features of the session object even if you never refer to any of them in code. So, if you know that you aren't using state at all, you should add the directive
<%@ EnableSessionState = False %>
to any page that doesn't require the session object. This declaration allows ASP to process scripts concurrently instead of sequentially and will improve overall performance.
In ASP, you have a couple ways to create a GUID. One of our favorite ways was posted to the newsgroups a while back by Peter Watt. It uses the Scriptlet type library to generate the value, like this:
<%
guid = server.createobject _
("scriptlet.typelib").guid
response.write guid
%>
As with all Windows GUID operations, this method uses the current system time to create the unique value. Of course, to take advantage of this technique, you'll need the Scrobj.dll installed on your server (available in the latest Scripting Engine downloads from the Microsoft MSDN site, http://msdn.microsoft.com/scripting).
Nowadays, if your Web application requires a user to enter specific company information, you probably have a field for an email address. No doubt, you'll want to ensure that the address not only contains the @ and dot, but that the remaining characters contain only letters, numerals, or underscores (and perhaps a dash or period). At first, this may seem like a daunting task. And if you use standard VBScript's string functions alone, it will be. Fortunately, the RegExp object provides an easier way.
The following code validates an email address in a textbox named txtEmail:
<head>
<script language="VBScript">
Sub checkEmail(sEmail)
  Dim myReg
  Set myReg = New RegExp
  myReg.IgnoreCase = True
  ' letters, digits, underscores, dashes or periods, then @, then word.word
  myReg.Pattern = "^[\w-\.]+@\w+\.\w+$"
  ' Test returns True when the whole address matches the pattern
  MsgBox myReg.Test(sEmail)
End Sub
</script>
</head>
<body>
<form>
<input type="text" id="txtEmail" name="txtEmail">
<input type="button" onclick="checkEmail(document.forms(0).txtEmail.value)"
value="Verify">
</form>
</body>
Here, the pattern accepts any number of letters, numerals, underscores, periods, or dashes before the @ character, and only letters, numerals, or underscores before and after the single dot that follows it.
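As an added example (not code from the article), the tip's pattern is run in JavaScript, whose regular-expression syntax agrees with VBScript's RegExp object for this pattern, against constructed sample addresses; it shows the check a practitioner wants before shipping it, namely that an address with more than one dot after the @ is rejected. The broader MULTI_LABEL_PATTERN is an assumed variant, not from the article.

```javascript
// Added example (not from the original article).

// The article's pattern, unchanged; IgnoreCase = True becomes the i flag.
const PAGE_PATTERN = /^[\w-\.]+@\w+\.\w+$/i;

// Assumed broader variant (not from the article): keeps the local-part rule
// but allows several dot-separated labels after the @, e.g. mail.example.com.
const MULTI_LABEL_PATTERN = /^[\w.-]+@\w+(\.\w+)+$/i;

// Same semantics as the VBScript Sub's myReg.Test(sEmail): whole-string match.
function checkEmail(address, pattern) {
  return pattern.test(address);
}

// Returns the addresses the article's pattern turns away even though the
// broader variant accepts them, i.e. legitimate shapes the original check rejects.
function rejectedByPagePattern(addresses) {
  return addresses.filter(a => !PAGE_PATTERN.test(a) && MULTI_LABEL_PATTERN.test(a));
}

// Constructed sample addresses.
const SAMPLES = [
  "first.last@example.com",   // accepted by both
  "user@mail.example.com",    // article's pattern: only one dot allowed after the @
  "user@example",             // no dot at all: rejected by both
  "user name@example.com",    // space: rejected by both
  "-@a.b"                     // accepted by both: a lone dash is a valid local part here
];

// Stand-alone demonstration.
for (const a of SAMPLES) {
  console.log(a, checkEmail(a, PAGE_PATTERN), checkEmail(a, MULTI_LABEL_PATTERN));
}
console.log("rejected only by the article's pattern:", rejectedByPagePattern(SAMPLES));
```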
If you're like us, then you're getting really, *really* tired of all the spam mail piling up in your inbox. While we can't tell you how to get rid of it entirely, we can give you a tip that will help cut down on spam.
As you may know, most spam list generators work by browsing the Web and gleaning email addresses from Web sites. Because of an email address's distinct format, it's pretty easy to find one in a page. Well, you'll be happy to know there's a technique that lets your email addresses show up in a page but still defeats the spam list spiders. The trick is to use a JavaScript function, like the one that follows, to generate the email addresses:
<script language="JavaScript">
<!-- Hide from old browsers
function ShowAddress(part1, part2)
{
  // the address and the "mailto:" scheme are assembled only at run time,
  // so neither appears as a whole in the page source
  var addr = part1 + "@" + part2;
  var result = ("<a href='" + "mail" + "to:" + addr + "'>" + addr + "</a>");
  return result;
}
//-->
</script>
To make an email address appear in the page, call the function like so:
<script language="Javascript">
<!--
document.write(ShowAddress("wdv","zdjournals.com"));
//-->
</script>
Now, won't those spam list spiders be baffled!
Submitted by: Vik Nokhoudian, World Wide Web Associates [vik@wwwa.com]