Classic ASP Design Mistakes: OWASP & The Open Web Application Security Project

Who the hell still codes in old school ASP?

I still see classic ASP used for rapid prototyping, and I work for a large org that had lots of old code all over the place, so it is not uncommon to come across it as a professional software developer.

I get to work on and support a lot of stuff in my day job: C# MVC applications, data warehouses, Salesforce.com, cloud stuff, legacy code and how to tie all these things together.

ASP may be an old technology, but I would suggest there are a lot of reasons to use it, including teaching computer programming and web development, prototyping and inexpensive solutions for businesses.

You can run it on your Windows 7 and later PCs, it runs on every new Microsoft server I’ve encountered, and it won’t cost your company a dime; it is already built in.

Some other devs scoff at using Classic ASP, but it really does have quite a lot to offer and it does all of it with just 7 objects. The simplicity is its power; you can still do a lot of “bread and butter” web functionality, including AJAX calls, with classic ASP.

I’m not here to debate whether developing in Classic ASP is either good or bad but I’ll say in my defense, you have to pick a tech stack and stick to it long-term to get traction on a big project like my side gig, https://www.finditclassifieds.com which I’ve been working on in my spare time for 21 years now.

I really felt the need to pick a technology or two or three and just get really good at those and make a bet on which technologies would be in production the longest so I would not be slowed by having to learn new languages, frameworks, databases and operating systems all the time.

So far I’ve guessed right. Over the years I’ve added PHP, Python and some others, but more for back-end processing. ASP is always sitting on top, with web services under the hood written in any language.

If you’re still coding in ASP, or you would like to learn, check out the tutorials on the W3Schools website.

https://www.w3schools.com/Asp/

Also make sure you’re coding your Classic ASP as securely as possible.

The OWASP site was very helpful with its documentation on ASP coding errors to watch out for; it brought some potential security issues to my attention and I am better for it.

Make sure to learn about the Open Web Application Security Project and check out their reference on the most common ASP design mistakes that affect security.

https://www.owasp.org/index.php/Classic_ASP_Design_Mistakes

For Loops for Beginners – ASP, C#, PHP, JavaScript & Python Examples

A “For Loop” executes a block of code a specific number of times or while a specified condition is true.

PHP For Loop

for (init; condition; increment)
  {
  code to be executed;
  }

PHP For Loop Parameters

  • init: Mostly used to set a counter (but can be any code to be executed once at the beginning of the loop)
  • condition: Evaluated for each loop iteration. If it evaluates to TRUE, the loop continues. If it evaluates to FALSE, the loop ends.
  • increment: Mostly used to increment a counter (but can be any code to be executed at the end of the iteration)

Note: The init and increment parameters above can be empty or have multiple expressions (separated by commas).

Example

The example below defines a loop that starts with i=1. The loop will continue to run as long as the variable i is less than or equal to 5. The variable i will increase by 1 each time the loop runs:

PHP For Loop Example Code

<?php
for ($i=1; $i<=5; $i++)
  {
  echo("The number is " . $i . "<br>");
  }
?>

Classic ASP For Loop Example Code

<%
For i = 1 to 5
 Response.Write("The number is " & i & "<br>")
Next
%>

JavaScript For Loop Example

<script>
// Same loop as the ASP example above, written in JavaScript
for (var i = 1; i <= 5; i++) {
  document.write("The number is " + i + "<br>");
}
</script>

C# For Loop Example

for (int i = 0; i < 5; i++)
{
  Console.WriteLine(i);
}

Python For Loop Example

states = ["Alaska", "Alabama", "Arkansas"]
for x in states:
  print(x) 
  if x == "Alabama":
    break

How to Concatenate a String using VBScript

How to Concatenate a String Value in VBScript

To concatenate string values using VBScript we use the ampersand (&) character to piece together our composite string value.

Code Example:

String1 = "Word 1"
String2 = "Word 2"
String3 = String1 & " " & String2   ' the extra " " supplies the space between the words
' or
String3 = "Word 1" & " " & "Word 2"
MsgBox(String3)

The output value would be “Word 1 Word 2”.

If you’re more familiar with JavaScript, you might be used to concatenating strings using the plus character (+).

In VBScript you can only use the + operator on numeric values.

Classic ASP Sleep Function or How to Delay a HTTP Response in Classic ASP – Explanation & Alternative Solutions

Is There a Sleep Method in Classic ASP?

First, and sorry, there is no built in sleep method in classic ASP. Probably for good reason though. Keep reading for background on why and I’ll offer some possible alternatives.

VBScript Sleep Function Code Example

Normally, when I think of a sleep function, I think of the built-in VBScript Sleep Function where we can set a delay in seconds to pause some code in a function.

WScript.Sleep(5000)   ' argument is in milliseconds: 5000 ms = 5 seconds
WScript.Echo("5 seconds have passed.")

What is Classic ASP?

Classic ASP is VBScript that is interpreted (rather than compiled) on the IIS web server and rendered into 100% HTML before it is delivered to the client web browser in the HTTP response.

I’ll emphasize, with Classic ASP, the client never sees the underlying VBScript, only rendered HTML.

The Refresh Meta Tag / Wait vs. Sleep

An alternative to “Sleep” might be delay or wait. We can use the Meta Tag, “Refresh”, if you just need a web page to wait for a number of seconds before refreshing, which includes redirecting the page on refresh to another URL.

You would include the meta refresh tag inside the web page’s head tags as shown in the code example below.

Meta Refresh Tag Example Code

<html>
    <head>
        <title>Meta Tag Refresh Example</title>
        <!-- delay (seconds) and target URL both go inside the content attribute -->
        <meta http-equiv="refresh" content="5; url=Test.html" />
    </head>
    <body>
    </body>
</html>

Custom ASP Sleep Function Alternative

As a preface, I can’t imagine why you would want to delay a Classic ASP page from being served to a user’s web browser for 10 seconds. That’s a long time to make a user wait, but you can do anything with code.

I will warn you, if you cause the HTTP Response to delay for a User Agent like Google bot, Google will probably exclude your website from their search indexes so I typically would not do this in practice on a website that needed any kind of Search Engine Optimization (SEO) friendliness.

DIY Classic ASP Sleep Function?

With Classic ASP, since we don’t have a native sleep or delay method, we can just build our own. By default, I’m going to stay with a delay of a specific number of seconds as our end goal.

I’m sure we can come up with a few ways to solve for this but this solution is mine.

Building the Sleep Function from Scratch

  • We will set some variables for a start time and a current time.
  • Then start a While loop that watches for the number of seconds we’ve chosen.
  • We update the current time at each iteration of the loop and check it at the start of each loop iteration.
  • Once the current time has advanced by the chosen number of seconds (10 in the example), the loop completes, giving you a delay of the specified seconds.

Classic ASP Sleep Function Code

<%
' Busy-wait delay: the loop keeps re-reading the clock until intSeconds have elapsed.
' It burns CPU for the whole delay and still counts against Server.ScriptTimeout.
Sub Delay(intSeconds)
	StartTime = Now()
	CurrentTime = Now()
	While DateDiff("s", StartTime, CurrentTime) < intSeconds
		CurrentTime = Now()
	Wend
End Sub

Response.Write("Something<br>")
Call Delay(10)
Response.Write("Something 10 seconds later")
%>

Another reason I would not recommend this approach is that we are tying up the CPU while running this loop waiting for the time to change, making this more of a weapon than a tool.

From a bad guy perspective, if you could get this code loaded and running on multiple pages with lots of traffic you could really degrade the performance of the server.

I hope this helps you if you were looking for a simple Classic ASP HTTP Response delay function but be careful how you use it.

Hope this helps you in your search for a VBScript Sleep Function.

~Cyber Abyss

Classic ASP Maximum Script Timeout Setting for Microsoft IIS

This is a re-post of a popular blog article from my old Blogger blog that was originally posted back in 2012.

I was scripting in old school ASP version 3.0 on IIS6 this week and had a script that needed a long time to run and kept timing out.

So I asked the question… What is the maximum script timeout setting for ASP on IIS?

After a lot of digging, I found out the answer.

The maximum value for ScriptTimeout is 2^32-1, or 2147483647.

If you try to set it to 2147483648 or higher, you will get the following error:
Microsoft VBScript runtime (0x800A0006)
Overflow: ‘server.scripttimeout’

Normally you would script it out like this.

<%
    Server.ScriptTimeout = 180
%>

Now with the maximum value, it looks like this.

<%
    Server.ScriptTimeout = 2147483647
%>

The real solution was that my database was not performing at its best. So I needed to create additional indexes on more fields, which increased the speed of the script.

Hope this helps somebody out.

Happy coding!

Classic ASP: How to Do Parameterized Queries to Help Prevent SQL Injection

I’m a professional web developer who has spent 20+ years working in Classic ASP.

I work in modern stacks too but I still actively develop in Classic ASP on a side hustle project that is too expensive to re-write at this time.

This article focuses on an example of classic ASP SQL injection prevention using a basic parameterized query done in Classic ASP VBScript.

I’ve included links to all my references below.

Please note the first code example won’t work without the ADO constant “adCmdText” being defined.

You can find the “adCmdText” definition in adovbs.inc, the include file that contains all the ADO constants we use for commands like “adCmdText”. None of the other sources mentioned that at all.

I’ve added a second code example that should allow you to ditch the need for the include file and just enter an enumeration of the CommandType. 

ADOVBS.INC Example: 

'---- CommandTypeEnum Values ----
Const adCmdUnknown = &H0008
Const adCmdText = &H0001
Const adCmdTable = &H0002
Const adCmdStoredProc = &H0004

<!--#include file="adovbs.inc" -->
<%
 Set cmd1 = Server.CreateObject("ADODB.Command")
 Set conn = Server.CreateObject("ADODB.Connection")
 conn.Open "[Connection String Value]"   ' placeholder: your connection string goes here
 cmd1.ActiveConnection = conn            ' connection object already created
 cmd1.CommandText = "SELECT * FROM [table] where ID = ?"   ' the ? is the parameter placeholder
 cmd1.CommandType = adCmdText            ' constant comes from adovbs.inc
 'cmd1.Prepared = True ' only needed if you plan to reuse this command often
 cmd1.Parameters.Refresh                 ' asks the provider to describe the parameters
 cmd1.Parameters(0).Value = "55"         ' value is bound, never spliced into the SQL text
 Set rs = cmd1.Execute
 While Not rs.EOF
  Response.Write(rs("ID") & "<br>")
  rs.MoveNext
 Wend
 rs.Close
 conn.Close
 Set rs = Nothing
 Set cmd1 = Nothing
 Set conn = Nothing
%>
Can also be written replacing constant adCmdText with acceptable enumeration of 1 for the CommandType.
<%
Set cmd1 = Server.CreateObject("ADODB.Command")
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "[Connection String Value]"   ' placeholder: your connection string goes here
cmd1.ActiveConnection = conn            ' connection object already created
cmd1.CommandText = "SELECT * FROM [table] where ID = ?"
cmd1.CommandType = 1                    ' 1 = adCmdText, so no include file is needed
'cmd1.Prepared = True ' only needed if you plan to reuse this command often
cmd1.Parameters.Refresh
cmd1.Parameters(0).Value = "55"
Set rs = cmd1.Execute
While Not rs.EOF
    Response.Write(rs("ID") & "<br>")
    rs.MoveNext
Wend
rs.Close
conn.Close
Set rs = Nothing
Set cmd1 = Nothing
Set conn = Nothing
%>
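To show why the parameter matters, here is an added example (not from the original post) that puts the unsafe string-concatenation version of a lookup beside the parameterized one, this time with two parameters of different types bound explicitly with CreateParameter instead of Parameters.Refresh. The Users table, its columns, the query-string names and the connection string placeholder are all assumed for illustration; the numeric constant values are the standard ADO enumerations.

```vbscript
<%
' Added example, not part of the original post. Table "Users" and its
' UserName/Age columns are hypothetical; replace the connection string placeholder.
Const adCmdText    = 1     ' CommandTypeEnum
Const adVarChar    = 200   ' DataTypeEnum
Const adInteger    = 3     ' DataTypeEnum
Const adParamInput = 1     ' ParameterDirectionEnum

Dim conn, cmd, rs, userName, minAge
userName = Request.QueryString("user")     ' both values are caller-controlled
minAge   = Request.QueryString("minAge")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "[Connection String Value]"      ' placeholder

' --- UNSAFE (left commented out): the values become part of the SQL text, so a
' single quote inside userName ends the string literal and whatever follows is
' parsed as SQL. This is the pattern the parameterized version replaces.
' sql = "SELECT UserName, Age FROM Users WHERE UserName = '" & userName & "' AND Age >= " & minAge
' Set rs = conn.Execute(sql)

' --- SAFE: the SQL text is fixed; every caller-supplied value is bound as a typed parameter.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserName, Age FROM Users WHERE UserName = ? AND Age >= ?"

' Explicit parameters avoid the extra round trip that Parameters.Refresh costs and
' pin the type and size in code. Size 50 matches an assumed VARCHAR(50) column.
cmd.Parameters.Append cmd.CreateParameter("@user", adVarChar, adParamInput, 50, userName)

' Validate the numeric input before binding it; reject anything that is not a number.
If Not IsNumeric(minAge) Then
    Response.Status = "400 Bad Request"
    Response.Write("minAge must be a whole number")
    Response.End
End If
cmd.Parameters.Append cmd.CreateParameter("@minAge", adInteger, adParamInput, , CLng(minAge))

Set rs = cmd.Execute
While Not rs.EOF
    ' Encode on output as well: the stored value is data, not HTML.
    Response.Write(Server.HTMLEncode(rs("UserName")) & " (" & rs("Age") & ")<br>")
    rs.MoveNext
Wend
rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The two calls to CreateParameter follow the documented ADO signature (Name, Type, Direction, Size, Value); the empty Size argument for the integer parameter is allowed because VBScript lets optional arguments be skipped positionally. Parameter names are not used by the OLE DB provider for ? placeholders; binding is by position, which is why the Append calls must appear in the same order as the ? marks.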

References:

CommandType Enumeration

https://www.w3schools.com/asp/prop_comm_commandtype.asp

Parameters Collection (ADO)

https://docs.microsoft.com/en-us/sql/ado/reference/ado-api/parameters-collection-ado?view=sql-server-2017

https://blogs.technet.microsoft.com/neilcar/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets/

https://stackoverflow.com/questions/7654446/parameterized-query-in-classic-asp/9226886#9226886