#1
Blog Commenting but on website
Hi,
My website is programmed in ASP. I would like to get people to comment on my existing pages (which are static apart from some rotating includes). Do you know of a program that I can add to the bottom of each page so that people can leave comments? Cheers
#2
It's your lucky day.. I wrote something like this about 7 years ago.
First, have a page called "Comments.asp" with the following code:
Code:
<%
' Comments.asp - file-based page comments, no database needed.
' Every page that includes this file gets its own store, "<page name>.rem",
' created next to the page. Since that file sits inside the web root, the
' web server must not serve *.rem, or the raw comments are downloadable.
Public COMMENTS_PATH, COMMENT_DELIMETER
COMMENTS_PATH = Server.MapPath(Request.ServerVariables("Script_Name")) & ".rem"
COMMENT_DELIMETER = "---------------- end of comment ----------------" & VbNewLine
'--------------------------------------------------------------
' comment record structure (one record per delimiter):
'   ...comment... | ...who posted... | ...date posted...
'   (user input)    (user input)       (coded)
' "|" is the field separator, so it is stripped from user input on write.
'--------------------------------------------------------------
' The hidden iframe posts back to the same page with ?writecomment=1
If Request("writecomment")="1" Then
  Call WritePageComment()
End If

' Renders the comment form, the hidden iframe the form posts through,
' and the stored comments for this page.
Sub GetPageComments()
  Const LAST_COMMENTS_COUNT=10
  Dim strPageName, x, strAllFile
  Dim objFSO, objFile, arrComments
  Dim strCurLine, strCurComment, arrTemp
  strPageName = Request.ServerVariables("Script_Name")
  ' Client-side helpers: OpenComment shows one comment in a popup,
  ' SendComment points the hidden iframe at ?writecomment=1 (see WritePageComment).
  Response.Write("<script language=""javascript"">")
  Response.Write(" function OpenComment(strComment)")
  Response.Write(" {")
  Response.Write(" var objWin = window.open(""about:blank"", ""_blank"", ""height=200,width=200,"&_
  "status=no,toolbar=no,menubar=no,location=no"");")
  Response.Write(" objWin.document.write('<Div>');")
  Response.Write(" objWin.document.write(strComment);")
  Response.Write(" objWin.document.write(""<BR><BR><BR><Center>"&_
  " <Input type=button value='[Close this window]' onclick='self.close();'></Center>"");")
  Response.Write(" objWin.document.write('</Div>');")
  Response.Write(" }")
  Response.Write("")
  Response.Write(" function SendComment(a)")
  Response.Write(" {")
  Response.Write(" commentsFrame.location = """&strPageName&"?writecomment=1"";")
  Response.Write(" return false;")
  Response.Write(" }")
  Response.Write("")
  Response.Write("</script>")
  Response.Write("<iFrame name=""commentsFrame"" src=""about:blank"" width=0 height=0 border=0></iFrame>")
  Response.Write("<table id=""CommentsTable"" border=""1""><TR><TD><Div>")
  Response.Write("<H5>What do you think of this page?</H5>")
  Response.Write("<Form name=""frmComments"" id=""frmComments"" onsubmit=""return SendComment(this);"">")
  Response.Write("<TextArea cols=""25"" rows=""3"" wrap=""hard"" name=""comments""></TextArea><BR>")
  Response.Write("<table border=0><TR><TD valign=bottom><B>Your name:</B></TD>")
  Response.Write("<TD valign=bottom><Input type=text name=""username"" size=10></TD></TR></table><BR><BR>")
  Response.Write("<input type=submit value=""Send your opinion"">")
  Response.Write("</Form>")
  Response.Write("<BR><BR><BR>")
  Response.Write("<H5>Last comments on this page:</H5>")
  ' Read the whole store (create it on first use) and split it into records
  Set objFSO=Server.CreateObject("Scripting.FileSystemObject")
  If Not(objFSO.FileExists(COMMENTS_PATH)) Then objFSO.CreateTextFile(COMMENTS_PATH)
  Set objFile=objFSO.OpenTextFile(COMMENTS_PATH, 1) 'ForReading
  strAllFile=""
  If Not(objFile.AtEndOfStream) Then strAllFile=objFile.ReadAll
  objFile.Close
  Set objFile=Nothing
  Set objFSO=Nothing
  arrComments=Split(strAllFile, COMMENT_DELIMETER)
  Response.Write("<Table border=0>")
  ' Show up to LAST_COMMENTS_COUNT records in file order; malformed records are skipped
  For x=1 To LAST_COMMENTS_COUNT
    If (x-1)>(UBound(arrComments)) Then Exit For
    strCurLine=arrComments(x-1)
    arrTemp=Split(strCurLine, "|")
    If UBound(arrTemp)=2 Then
      ' Everything a user typed is HTML-encoded before it reaches the page (text context)
      strCurComment=Server.HtmlEncode(arrTemp(0))
      Response.Write("<TR>")
      Response.Write("<TD align=center valign=bottom>")
      Response.Write("&nbsp;")
      Response.Write(arrTemp(2)) 'date, written by the server
      Response.Write("&nbsp;")
      Response.Write("</TD>")
      Response.Write("<TD align=center valign=bottom>")
      Response.Write("&nbsp;")
      Response.Write("["&CStrDef(Server.HtmlEncode(Trim(arrTemp(1))), "Anonymous")&"]")
      Response.Write("&nbsp;")
      Response.Write("</TD>")
      Response.Write("<TD align=center valign=bottom>")
      Response.Write("&nbsp;")
      ' The encoded comment also goes into a JS string inside a javascript: href, so it
      ' needs JS string escaping (backslash BEFORE quote, otherwise a trailing backslash
      ' would cancel the escaped quote) and then attribute encoding. The browser decodes
      ' the attribute once, so "<BR>" reaches the popup as markup while the user's own
      ' "<" stays "&lt;".
      Response.Write("<A href=""javascript:OpenComment('" &_
        Server.HtmlEncode(Replace(Replace(Replace(strCurComment, "\", "\\"), "'", "\'"), VBCrLf, "<BR>")) & "');"">"&_
        MakeShort(strCurComment)&"</A>")
      Response.Write("&nbsp;")
      Response.Write("</TD>")
      Response.Write("</TR>")
    End If
  Next
  Response.Write("</table>")
  Response.Write("</Div></TD></TR></Table>")
End Sub

' Called inside the hidden iframe. First request: emit a form that copies the
' parent's textarea/name and POSTs itself. Second request: append the record.
Sub WritePageComment()
  Dim strComment
  Dim objFSO, objFile, strUserName, strSafeName
  strComment=Request("comment")
  If Len(strComment)=0 Then
    Response.Write("<form name=""form1"" id=""form1"" action="""&_
    Request.ServerVariables("Script_Name")&"?writecomment=1"" method=""POST"">")
    Response.Write(" <input type=hidden name=""comment""><input type=hidden name=""username"">")
    Response.Write("</form>")
    Response.Write("<script type=""text/javascript"">")
    Response.Write(" window.onload = function WindowLoad(event) {")
    Response.Write(" var theComment = parent.document.getElementById(""frmComments"").comments.value;")
    Response.Write(" if (theComment.length > 0)")
    Response.Write(" {")
    Response.Write(" document.getElementById(""form1"").comment.value = theComment;")
    Response.Write(" document.getElementById(""form1"").username.value = parent.document.getElementById(""frmComments"").username.value;")
    Response.Write(" document.getElementById(""form1"").submit();")
    Response.Write(" }")
    Response.Write(" else")
    Response.Write(" parent.alert(""Please write an opinion"");")
    Response.Write(" }")
    Response.Write("</script>")
    Response.Flush
    Response.End
  End If
  ' Keep the field separator (and line breaks in the name) out of the record so
  ' Split() in GetPageComments always sees exactly three fields.
  strComment=Replace(strComment, "|", "/")
  strUserName=Request("username") & ""
  strUserName=Replace(Replace(Replace(strUserName, "|", "/"), vbCr, ""), vbLf, "")
  Set objFSO=Server.CreateObject("Scripting.FileSystemObject")
  If Not(objFSO.FileExists(COMMENTS_PATH)) Then objFSO.CreateTextFile(COMMENTS_PATH)
  Set objFile=objFSO.OpenTextFile(COMMENTS_PATH, 8) 'ForAppending
  objFile.WriteLine(strComment&"|"&strUserName&"|"&Now)
  objFile.Write(COMMENT_DELIMETER)
  objFile.Close
  Set objFile=Nothing
  Set objFSO=Nothing
  ' The name is echoed into a JS double-quoted string inside a <script> block:
  ' escape backslash and quote for the string, and "<" so the text can never
  ' contain a closing </script> tag. (Doubling the quote, as the old version did,
  ' is VBScript escaping and would have ended the JS string instead.)
  strSafeName=Replace(Replace(Replace(strUserName, "\", "\\"), Chr(34), "\"&Chr(34)), "<", "\x3c")
  Response.Write("<script>")
  Response.Write(" parent.alert(""Thank you "&strSafeName&_
  "\nYour opinion has been saved\n\n"&_
  "Please reload the page to see changes"");")
  Response.Write("</script>")
  Response.Flush
  Response.End
End Sub

' Shortens a comment to MAX_STRING_SIZE characters for the link text
Function MakeShort(str)
  Const MAX_STRING_SIZE=20
  Dim strAns
  strAns=Left(str, MAX_STRING_SIZE)
  If Len(str)>MAX_STRING_SIZE Then
    strAns=Left(strAns, MAX_STRING_SIZE-3)&"..."
  End If
  MakeShort=strAns
End Function

' Returns str, or defValue when str is empty
Function CStrDef(str, defValue)
  If Len(str)>0 Then
    CStrDef=str
  Else
    CStrDef=defValue
  End If
End Function
%>
Now in every page where you want comments, add this line somewhere on top:
Code:
<!-- #include file="Comments.asp" -->
and in the position where you want comments to appear have this:
Code:
<% Call GetPageComments() %>
That's all.. the code will do the rest. Basically, it will show a small form asking for name and comments, a button to send, and a list of all current comments. Like I said, it's very old code written when I was a complete n00b, so please forgive the bad HTML and messy code.
Last edited by Shadow Wizard : November 30th, 2008 at 07:46 AM.
#3
Wow, that looks nice and comprehensive! Thanks. I’ll try it out tonight. So I don’t need a database to do it? Also is it hack proof?
cheers
#4
the name of the ASP file plus ".rem" extension and in there store the comments for that page. I fear the code is not hack proof; as I said, it was written long ago and back then terms like XSS and Injection were foreign to me. You'll need to add protection against XSS. The first step is replacing these lines:
Code:
strCurComment=Replace(strCurComment, "<", "&lt;")
strCurComment=Replace(strCurComment, "'", "&#39;")
strCurComment=Replace(strCurComment, Chr(34), "&quot;")
with this one line:
Code:
strCurComment=Server.HTMLEncode(strCurComment)
and this line:
Code:
Response.Write("<A href=""javascript:OpenComment('"&Replace(strCurComment, VBCrLf, "<BR>")&"');"">"&_
MakeShort(strCurComment)&"</A>")
with this instead:
Code:
Response.Write("<A href=""javascript:OpenComment('" &_
Server.HtmlEncode(Replace(Replace(Replace(strCurComment, "\", "\\"), "'", "\'"), VBCrLf, "<BR>")) & "');"">"&_
MakeShort(strCurComment)&"</A>")
Having this, even if a user puts a malicious comment (e.g. <script>alert('evil');</script>) it won't get executed. I'll try to add even more protection and clean the code, then put it in the Code Bank. In the meanwhile, learn about XSS and Form Injection attacks and try to add protection against them.
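The encoding chain behind that OpenComment link, as an added example that is not part of the thread: it is written in JavaScript (Node) rather than VBScript so the browser side can be checked offline, all function names are my own, htmlEncode mirrors what Server.HTMLEncode does to & < > ", and the sample comments are constructed.

```javascript
// Added example, not code from the thread: the three encoding layers behind the
// OpenComment link, mirrored in JavaScript so they can be checked offline.
//  1. HTML-encode the comment (what Server.HTMLEncode does with & < > ").
//  2. Escape for a single-quoted JS literal: backslash BEFORE quote, CRLF -> <BR>.
//  3. HTML-encode again, because the literal sits inside href="...".
function htmlEncode(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
function htmlDecode(s) {
  return s.replace(/&quot;/g, '"').replace(/&gt;/g, ">").replace(/&lt;/g, "<").replace(/&amp;/g, "&");
}
function jsSingleQuoteEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/\r\n/g, "<BR>");
}
function openCommentHref(rawComment) {   // layers 1, 2, 3 in that order, as in the ASP
  return "javascript:OpenComment('" + htmlEncode(jsSingleQuoteEscape(htmlEncode(rawComment))) + "');";
}
// The browser in reverse: decode the attribute once, then read the JS. Returns the
// literal's value, or null unless the source is exactly OpenComment('<one literal>');
// i.e. null if any character managed to end the string early.
function literalPassedToOpenComment(href) {
  const src = htmlDecode(href);
  const head = "javascript:OpenComment('";
  if (!src.startsWith(head)) return null;
  let value = "", i = head.length;
  while (i < src.length && src[i] !== "'") {
    if (src[i] === "\\") { i++; if (i >= src.length) return null; }
    value += src[i++];
  }
  return src.slice(i) === "');" ? value : null;
}
// The popup does document.write(literal): the only "<" allowed to survive as
// markup is the <BR> we inserted; everything the user typed must arrive as &lt;.
function onlyBreaksAreMarkup(literal) {
  return !literal.replace(/<BR>/g, "").includes("<");
}
// Constructed sample comments (not from the thread).
const SAMPLES = ["I said <b>hi</b>", "C:\\temp\\it's", "line one\r\nline two", 'say "hi"'];
function allSamplesStayInside() {
  return SAMPLES.every(function (raw) {
    const lit = literalPassedToOpenComment(openCommentHref(raw));
    return lit !== null && onlyBreaksAreMarkup(lit);
  });
}
```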
#5
Hi Shadow,
I tried the code out, it's really good, thank you. I customised it a bit, mainly just CSS. The bit of code:
Code:
Response.Write("<A href=""javascript:OpenComment('"&Replace(strCurComment, VBCrLf, "<BR>")&"');"">"&_
MakeShort(strCurComment)&"</A>")
I replaced with:
Code:
Response.Write(""&CStrDef(Server.HTMLEncode(Trim(arrTemp(0))), "Anonymous")&"")
So I assume now that this bit of the code isn't a threat? When replacing:
Code:
strCurComment=Replace(strCurComment, "<", "&lt;")
strCurComment=Replace(strCurComment, "'", "&#39;")
strCurComment=Replace(strCurComment, Chr(34), "&quot;")
Do I literally delete the above code completely and replace it with:
Code:
strCurComment=Server.HTMLEncode(strCurComment)
Thanks
#6
With your new code you no longer need those lines anyway, as you're not using the strCurComment variable. And yes, the line you posted is protecting against XSS in the same way the code I gave is protecting. However, there is one weird thing in your code: in case of an empty comment you'll see "Anonymous" written. That's quite confusing; not sure what your motive is.
#7
So now that I have taken that bit of JS out, do you reckon the code is hack proof? How can I test if it is hack proof? Regarding the anonymous, I was just being lazy and copied the code you wrote for returning the user's name. I should really change that to "no comment". Sorry but I have one more question: how do I make it so that when the user hits carriage return a
Code:
<br>
Thanks
#8
To preserve line breaks change this:
Code:
Server.HTMLEncode(Trim(arrTemp(0)))
to this:
Code:
Replace(Server.HTMLEncode(Trim(arrTemp(0))), VBCrLf, "<br />")
As for hacking, removing that script is not relevant; a hack can occur when a user puts malicious code as the comment. You can't really prevent it, so you must "purify" the data somehow. Using Server.HTMLEncode when showing the data is one important step, but it's not perfect; I fear my knowledge in XSS and the like is far from complete.
#9
Hi Shadow,
I tried the above code to replace CR with a line break but it didn't work. My syntax isn't very good and I tried juggling the code but it still didn't work. Could you please alter the below code so that it contains the
Code:
VBCrLf, "<br />"
Code:
Response.Write(""&CStrDef(Server.HTMLEncode(Trim(arrTemp(0))), "Anonymous")&"")
Also I've discovered that you can't post comments when in Firefox or Netscape, why might this be? Thanks
#10
I have fixed the code to support Firefox; take it from the original post I made.
As for replacing line breaks, here is the full code that you need to have:
Code:
Response.Write(CStrDef( Replace(Server.HTMLEncode(arrTemp(0)), VBCrLf, "<br />"), "-empty-" ))
I hope you will be able to understand how it works.
#11
Hi Shadow,
Thanks very much, it's working in FF and Netscape now which is great, and the line break works. The only problem I've found is that if you write a comment (when in Netscape), once you reload the page it appears (which is great), but if you reload the page again (even if there isn't any text in the comment box) it will duplicate the comment. This doesn't happen in IE. Cheers Mike