 |
|
8000XXXX Errors Alerts ASP.NET 2.0
Classic ASP 1.0 COM / ActiveX Components Forms General Topics Date/Time Routines Email Scripts & Info Files/Directories & FSO Databases General Concepts Search Engine Optimization (SEO)Search
ASP FAQ Tutorials :: Classic ASP 1.0 :: General Topics :: Should I use the .inc extension for my include files?
Should I use the .inc extension for my include files?
Not if you value any of the ASP code they contain. There are sites all over the web that use .inc file to hold their database connection info and other data that should remain on the server side; they think that information is safe because they haven't told anybody where it is. Well, I remember several times I would get an error on someone's site, and the error message would tell me:
So, I would type in the URL to /includes/database.inc file and, lo and behold, the browser would dump out the ASP code (in a few cases, with sa passwords!). In fact just now, it took me all of five minutes to find a username / password through a search on Google, register the server in SQL Enterprise Manager, and be tempted to execute a command like:
Of course I didn't do this, and promptly informed the server's owner about the hole (and that they should change their password, pronto).
There are two decent workarounds that will prevent this from happening to you. One way is to leave your .inc files alone, and simply map .inc extension to asp.dll (as described in Article #2124). The other is to simply use the .asp extension on all files that include ASP code. If you need to differentiate between "includes" and normal interface pages, simply change your naming scheme a bit. In one project I was involved in, the authors had realized the security concerns and quickly renamed all files such as "include.inc" to "include.inc.asp" - so the files were still easily identifiable as includes, but they were protected from casual viewing.
One concern people have raised in the past about the extension workaround is that now asp.dll will have to process all "includes" as ASP files... even the ones that don't contain ASP code. Never fear, IIS 5.0 and above have much smarter interpreters that only invoke the ASP engine when necessary.
| Error Type: Microsoft VBScript runtime (0x800A01B6) Object doesn't support this property or method: 'rs.moveOver' /includes/database.inc, line 3 |
So, I would type in the URL to /includes/database.inc file and, lo and behold, the browser would dump out the ASP code (in a few cases, with sa passwords!). In fact just now, it took me all of five minutes to find a username / password through a search on Google, register the server in SQL Enterprise Manager, and be tempted to execute a command like:
| TRUNCATE TABLE master..sysobjects |
Of course I didn't do this, and promptly informed the server's owner about the hole (and that they should change their password, pronto).
There are two decent workarounds that will prevent this from happening to you. One way is to leave your .inc files alone, and simply map .inc extension to asp.dll (as described in Article #2124). The other is to simply use the .asp extension on all files that include ASP code. If you need to differentiate between "includes" and normal interface pages, simply change your naming scheme a bit. In one project I was involved in, the authors had realized the security concerns and quickly renamed all files such as "include.inc" to "include.inc.asp" - so the files were still easily identifiable as includes, but they were protected from casual viewing.
One concern people have raised in the past about the extension workaround is that now asp.dll will have to process all "includes" as ASP files... even the ones that don't contain ASP code. Never fear, IIS 5.0 and above have much smarter interpreters that only invoke the ASP engine when necessary.
Related Articles
Can I bypass the ten connection limitation in Workstation / Professional? Can I compact / repair an Access database from ASP code? Can I create an array's size dynamically? Can I detect the presence of ActiveX controls, like Flash, from ASP? Can I dictate the load order of files on the client from ASP? Can I have optional parameters to my subs / functions? Can I host multiple sites in 2000 Workstation or XP Professional (e.g. PWS)? Can I mimic trim / ltrim / rtrim in JScript? Can I perform simple encryption / decryption in ASP? Can I run IIS 5.0 / ASP 3.0 on Windows NT 4.0 or Windows 9x? Can I run IIS on Windows Millennium or Windows XP Home? Can I use IP address to uniquely identify visitors? Does order matter when using different languages in ASP? How can I give them a better 404 message? How can I stop Photoshop from opening ASP files? How can I track when my site is added to a user's favorites? How do I access all active sessions on the server? How do I access my server's registry from an ASP page? How do I change a list into a set of table rows and columns? How do I change document names / extensions in IIS / PWS? How do I change the default server scripting language in InterDev? How do I cloak / hide URL and QueryString information? How do I comment blocks of ASP code? How do I control access to an area? How do I control printing from ASP? How do I convert a name to proper case? How do I convert exchange rates in ASP? How do I convert from Hex to Int and back? How do I convert numbers into words? How do I convert old IDC / HTX pages to ASP? How do I count the number of current users / sessions? How do I count the number of times x occurs in string y? How do I create a database from ASP? How do I create my own blog? How do I deal with disappearing application variables? How do I decode an encoded URL? How do I detect ENABLED cookies / javascript? How do I detect the browser's encryption level / cipher strength? How do I determine which version of IIS / ASP I'm running? How do I disable the back/forward buttons? How do I display the Euro symbol (€) in my ASP pages? How do I embed a TAB character into source code? How do I embed apostrophes (') and quotes (") in an HTML string? How do I embed ASP delimiters (<% or %>) in a string? How do I estimate the total size of my web page? How do I execute a DOS command / batch file / exe from ASP? How do I execute a ping command from ASP, and retrieve the results? How do I find out the amount of space left on my server? How do I fix the ::$DATA bug? How do I FTP files from ASP? How do I generate a treeview from ASP? How do I generate unique GUIDs from ASP? How do I get all the UBound() values in a multi-dimensional array? How do I get IntelliSense to see ASP 3.0 methods? How do I get my visitors' login name / username? How do I get screen resolution from ASP? How do I get the computer name / IP address of the server? How do I get the server's timezone information? How do I get the user's IP address or browser information? How do I highlight words in a string? How do I host multiple web sites on one IIS box? How do I increase timeout values? How do I iterate through session variables? How do I know which version of VBScript my server is running? How do I log / track ASP errors on my web site? How do I make hyperlinks out of plain text URLs and e-mail addresses? How do I make JavaScript send values to ASP? How do I make my ASP page pause or 'sleep'? How do I make my ASP page refresh? How do I make my ASP pages more efficient? How do I make search engines index pages with QueryStrings? How do I make sure an entered string contains only valid characters? How do I make sure my ASP question gets answered? How do I make sure my servers have the same time? How do I make sure people go to page x before page y? How do I make sure the client is still connected before processing? How do I make Visual InterDev's debugging features work? How do I manage a session across multiple windows? How do I pad digits with leading zeros? How do I parse / analyze IIS Logs? How do I parse the domain name out of a URL? How do I parse the file name out of a path or URL? How do I perform a Whois / DNS lookup from ASP? How do I persist session state without cookies / session variables? How do I prevent 'Invalid use of Null' errors? How do I prevent my ASP pages from caching? How do I prevent people from printing my ASP page? How do I print the first n characters of a large block of text? How do I prompt a "Save As" dialog for an accepted mime type? How do I protect my ASP code? How do I protect my client-side JavaScript code? How do I protect my images and other visual content? How do I put my ASP application onto a CD-Rom? How do I read the contents of a remote web page? How do I read the event log from ASP? How do I redirect an http:// request to https://? How do I refresh global.asa without restarting the application? How do I round a number *properly* with VBScript? How do I run ASP on other web servers besides IIS? How do I schedule ASP files? How do I send a MsgBox or InputBox from ASP? How do I set session variables from client-side script? How do I show a "Please Wait..." message? How do I solve 'Event ID 5' errors? How do I solve 'The Requested Resource is in Use' errors? How do I solve 'The server failed to load the application' errors? How do I solve 'The specified procedure could not be found' errors? How do I solve ASP 0115 errors? How do I specify ByRef / ByVal in VBScript? How do I stress test my ASP application? How do I time my ASP code? How do I turn a KB Article #, like Q191987, into a usable URL? How do I use ASP to [...] How do I use extensions other than .ASP for ASP files? How do I warn people when their session is about to expire? How do I zip / unzip files from ASP? I called Session.Abandon, why are my session variables still there? I have plenty of RAM, why do I get an 'Out of memory' error? Is there an easier way to patch my server(s)? Should I use ADOVBS.inc for declaring constants? Should I use sessionID to uniquely identify users? Should I use VBScript or JScript for ASP? What do I do when IIS 5.0 will not start? What do I need to know about Response.Redirect? What is Event ID 36, and how can I get IIS running again? What is this 'Cannot detect OS type' error with NT 4.0 Option Pack? What is this error 'An unhandled data type was encountered'? What is wrong with IsNumeric()? What is wrong with Request.ServerVariables("HTTP_REFERER")? What is wrong with Session_OnEnd()? What kind of object is Response.Crackers? What's the deal with IIS 5.0 and ASP 3.0? When I run a page in my browser, why does the ASP code not execute? Where can I find out about .NET? Where can I find out about running Perl in IIS? Where can I host ASP pages for free (or at least cheap)? Where do I get IIS / ASP? Where else can I learn about ASP? Which editor should I use for developing ASP applications? Which is better, rs(0) or rs("column_name")? Why am I getting 'subscript out of range' errors? Why am I having problems installing Visual Studio.NET RTM? Why am I having problems with Server.Execute and/or Server.Transfer? Why are people telling me to fix my clock / timezone? Why can't I browse localhost without an Internet connection? Why can't I grab custom headers from Request.ServerVariables()? Why can't I pass querystring information AND links to #bookmarks? Why can't I turn buffering off using Response.Buffer? Why can't I use #EXEC or #ECHO in an ASP page? Why do I get 'BOF or EOF' errors? Why do I get 'HTTP 500-12 Application Restarting' errors? Why do I get 'HTTP/1.0 Invalid Application Name' errors? Why do I get 'Invalid Default Script Language' errors? Why do I get 'Name redefined' errors? Why do I get 'Object doesn't support this property or method' errors? Why do I get 'The RPC Server is Unavailable' messages? Why do I get 'Type Mismatch' when using the Session object? Why do I get 8000FFFF / 8002802B errors? Why do I get 80010105 errors? Why do I get 80010108 errors? Why do I get 80020003 errors? Why do I get 80020005 errors? Why do I get 80020009 errors? Why do I get 8002000E errors? Why do I get 80029c84 errors? Why do I get 8004E00F errors? Why do I get 80070034 / 80070035 errors? Why do I get 80070056 errors? Why do I get 80070057 errors? Why do I get 80090016 errors? Why do I get 800A01C2 errors? Why do I get 800A01C9 errors? Why do I get 800A01CA errors? Why do I get 800A01F4 errors? Why do I get 800A01F9 errors? Why do I get 800A03EC errors? Why do I get 800A03ED / 800A03EE errors? Why do I get 800A03F6 errors? Why do I get 800A0401 errors? Why do I get 800A0408 errors? Why do I get 800A0414 errors? Why do I get 800A138F errors? Why do I get a 500 Internal Server error for all ASP errors? Why do I get an 'overflow' error using CInt? Why do I get an error about a 'Smart HTML interpreter'? Why do I get ASP 0101 errors? Why do I get ASP 0113 / Script timed out errors? Why do I get ASP 0130 / ASP 0131 errors? Why do I get ASP 0138 errors? Why do I get ASP 0158 errors? Why do I get errors in the 800A0001 -> 800A000F range? Why do I get errors in the 800A0030 -> 800A003A range? Why do I get errors in the 800A03F1 -> 800A03FF range? Why do I get errors in the 800A0400 -> 800A041F range? Why do I get errors when trying to redirect? Why do I get HTTP/1.1 400 Bad Request errors? Why do I get non-database-related 80004005 errors? Why do I get script errors on one machine but not another? Why do I get the error Object Required: ''? Why do my session / application variables disappear? Why does 3.2 + 1.5 = 4.7000000000000002? Why does 4 / 5 = 0? Why does global.asa not fire? Why does GUID not work correctly with response.write? Why does IIS hang and/or stop serving ASP pages? Why does my page render (properly) in IE and not in Netscape? Why does RecordCount return as -1? Why does REMOTE_HOST return an IP address instead of a name address? Why does session.abandon not take effect right away? Why is Netscape slow in IIS 5.0? Why won't my ASP pages work in IIS 6.0? Why won't my session variables stick? Why won't QueryString values work with Server.Execute / Server.Transfer? Why won't Windows search ASP files? DllHost.Exe