Due to a rare sequence of events it may be possible for a Spammer to post messages to the forum without being authorised.
This can happen if your forum loses its application variable collection (this manifests itself as looking like the forum has lost all its formatting).
The situation is caused by a problem on both your webserver and database simultaneously, but can allow someone to post without authentication.
To prevent these unauthorised posts, add the following lines to the end of config.asp (before the closing %> line):
if Application(strCookieURL & "STRVERSION")= "" Or IsNull(Application(strCookieURL & "STRVERSION")) then
    Response.Write("Server Error, The Application variables are not loaded. Please try again later.")
    Response.End
end if
Forgive my ignorance but why don't you redirect to setup.asp or just load the application variables instead of killing the request?
1) It is not generally recommended that setup.asp remain accessible to normal users, for security reasons. 2) Reloading the app variables will only work if the situation that caused the problem has been rectified; if it hasn't, it will put your browser into a continual redirect loop.
So, this is the best way to deal with the situation and prevent unwanted/unexpected problems.
The continual redirect loop is a serious concern, especially when the database, for some reason, is not available. You wouldn't be able to avoid the loop.
If you want to come up with a more elegant solution then feel free, this is after all a community project; however, this is the quickest and simplest solution to prevent issues that relate to unloading of application variables.
I would not recommend redirecting normal web request through your setup.asp script, just load it up and you will see why.
Don't forget, the test I have done is pretty much telling you that your db connection ain't working; if it was, then the app variables would have loaded and you would not get trapped by the response.end.
Huwr, I'm not trying to be awkward, it's just that using the solution above, every user will receive the error "Server Error, The Application variables are not loaded" until the admin goes to setup.asp to reload the variables.
It would be more convenient if the application variables were attempted to be loaded when the error is detected so that every subsequent request from visitors for the forum would attempt to reload the application variables until the problem was resolved.
Personally I don't see a problem redirecting to setup.asp, but alternatively you could just include code similar to what is already in config.asp, i.e. this code:
'## if the configvariables aren't loaded into the Application object
'## or after the admin has changed the configuration
'## the variables get (re)loaded
for counter = 0 to my_conn.Errors.Count -1
    ConnErrorNumber = Err.Number
    If ConnErrorNumber <> 0 Then
        If blnSetup <> "Y" Then
            my_Conn.Errors.Clear
            Err.Clear

if blnLoadConfig then
    Application.Lock
    do while not rsConfig.EOF
        Application(strCookieURL & Trim(UCase(rsConfig("C_VARIABLE")))) = Trim(rsConfig("C_VALUE"))
        rsConfig.MoveNext
    loop
    Application.UnLock
    rsConfig.close
end if
In any event it will only ever affect a very small number of people. Do you have steps that can successfully recreate the problem?
config.asp already does that check, but can still arrive at the end of the file with empty app variables, hence the need to abort the request, or potentially put you into an endless loop trying to reload them.
config.asp already does that check, but can still arrive at the end of the file with empty app variables, hence the need to abort the request, or potentially put you into an endless loop trying to reload them.
I concur with Huw, here. As long as the Db is not available, every try to load app variables will fail and it's hard to avoid an endless loop.
The exact code you posted, Podge, will be executed every single time a user tries to access the forum.
I'm going to work with writing and reading the loops to a text file on the server instead of to the database using the FSO. When the text file has been written and updated to a maximum specified number of times, then the user will be redirected to a custom error found in config.asp (where the "Server Error, The Application variables are not loaded" note is for this fix) ... as a note, config.asp is also used in setup.asp, so I am making a duplicate config.asp (with a different file name) and including that into setup.asp.
I am with Podge as far as trying to reload the variables, if at all possible, on a user by user basis instead of waiting on the administrator to login and run setup.asp. Also, as long as it is secure, it seems that a remote db, like an access db, on another server can serve as a data storage container to count the number of loops each user is encountering on the main site through the normal config.asp.
I am speculating on a lot of this since I have not written the code nor tested these things. Can you guys give me some pros and cons from your experience on this?
There are hosts who don't allow FSO on their servers (we have an alternate mod setup for a reason). How would you handle it in that case? Everyone is free to find an alternate solution. We need a solution that will work in the most general scenario.
quote: The exact code you posted, Podge, will be executed every single time a user tries to access the forum.
Only if the database is available. There is a check at the very beginning. If the database is available then the application variables should be loaded without problem, no?
Why would HuwR's code work above and not the check that's already there in config.asp? It's basically the same check, just for a different application variable.
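
Added example (not part of any post in this thread and not Snitz code): one way to combine the two positions discussed above, by attempting a single reload inside the request, with no redirect, and then aborting the request as the guard at the top of the thread does. `strConnString`, the `CONFIG_TABLE` placeholder and the 60-second `Retry-After` value are assumptions; the block is meant to sit where that guard goes, inside the existing `<% %>` of config.asp, with response buffering on.

```vbscript
' Added example, not Snitz code. strCookieURL is assumed to be set earlier in
' config.asp; strConnString is assumed to hold the database connection string.
' CONFIG_TABLE is a placeholder: substitute your installation's config table.
Const CONFIG_TABLE = "YOUR_CONFIG_TABLE"

Function AppVarsLoaded()
    Dim v
    v = Application(strCookieURL & "STRVERSION")
    AppVarsLoaded = Not (IsNull(v) Or IsEmpty(v) Or v = "")
End Function

' One reload attempt inside the current request. No Response.Redirect is used,
' so a database that is still down cannot produce a redirect loop.
Sub TryReloadOnce()
    Dim conn, rs
    On Error Resume Next
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open strConnString
    If Err.Number = 0 Then Set rs = conn.Execute("SELECT C_VARIABLE, C_VALUE FROM " & CONFIG_TABLE)
    If Err.Number = 0 Then
        Application.Lock
        Do Until rs.EOF
            Application(strCookieURL & Trim(UCase(rs("C_VARIABLE")))) = Trim(rs("C_VALUE"))
            rs.MoveNext
            If Err.Number <> 0 Then
                ' Partial load: blank the sentinel so the guard below still trips.
                Application(strCookieURL & "STRVERSION") = ""
                Exit Do
            End If
        Loop
        Application.UnLock
        rs.Close
    End If
    conn.Close
    Err.Clear
    On Error GoTo 0
End Sub

If Not AppVarsLoaded() Then TryReloadOnce
If Not AppVarsLoaded() Then
    ' Fail closed: nothing that depends on the missing settings is rendered.
    Response.Status = "503 Service Unavailable"
    Response.AddHeader "Retry-After", "60"
    Response.Write "Server Error, The Application variables are not loaded. Please try again later."
    Response.End
End If
```

While the database stays unavailable, every request repeats the connection attempt before being refused, which is the per-request cost raised in the thread.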