% @ Language=VBScript %> <% Option Explicit %> <% '**************************************************************************************** '** Copyright Notice '** '** Web Wiz Forums(TM) '** http://www.webwizforums.com '** '** Copyright (C)2001-2008 Web Wiz(TM). All Rights Reserved. '** '** THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS UNDER LICENSE FROM 'WEB WIZ'. '** '** IF YOU DO NOT AGREE TO THE LICENSE AGREEMENT THEN 'WEB WIZ' IS UNWILLING TO LICENSE '** THE SOFTWARE TO YOU, AND YOU SHOULD DESTROY ALL COPIES YOU HOLD OF 'WEB WIZ' SOFTWARE '** AND DERIVATIVE WORKS IMMEDIATELY. '** '** If you have not received a copy of the license with this work then a copy of the latest '** license contract can be found at:- '** '** http://www.webwizguide.com/license '** '** For more information about this software and for licensing information please contact '** 'Web Wiz' at the address and website below:- '** '** Web Wiz, Unit 10E, Dawkins Road Industrial Estate, Poole, Dorset, BH15 4JD, England '** http://www.webwizguide.com '** '** Removal or modification of this copyright notice will violate the license contract. 
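'**
'****************************************************************************************
'*************************** SOFTWARE AND CODE MODIFICATIONS ****************************
'**
'** MODIFICATION OF THE FREE EDITIONS OF THIS SOFTWARE IS A VIOLATION OF THE LICENSE
'** AGREEMENT AND IS STRICTLY PROHIBITED
'**
'** If you wish to modify any part of this software a license must be purchased
'**
'****************************************************************************************

'Admin page: reads, validates and stores the file/image/avatar upload configuration and the
'per-group upload permissions.
'Relies on objects and variables set up by the includes that precede this page and are not
'visible here: adoCon, rsCommon, closeDatabase(), strDbTable, strAppPrefix, blnDemoMode,
'blnACode, strInstallID, strQsSID1, strUploadComponent, strImageTypes and strSQL.

'Set the response buffer to true
Response.Buffer = True

'Dimension variables
Dim strMode			'Holds the mode of the page, set to true if changes are to be made to the database
Dim intMaxImageSize		'Holds the max image size
Dim strFileTypes		'Holds the file types
Dim intMaxFileSize		'Holds the max file size
Dim strFilePath			'Holds the path to the files
Dim blnAvatarEnabled		'Set to true if avatars are enabled
Dim strAvatarTypes		'Holds the avatar types
Dim intMaxAvatarSize		'Holds the max avatar size
Dim saryBadFileTypes		'Array of extensions that must never be allowed for upload (filled by Split below)
Dim blnBadFileType		'Found bad file type
Dim intLoopCounter		'Loop counter
Dim intLoopCounter2		'Loop counter
Dim strBadFileTypeName		'For error message
Dim saryImageFileType		'Array holding the file types
Dim intAllocatedSpace		'Holds the amount of allocated space that the user is allowed for uploading

blnBadFileType = False

'Read in the details from the form
'NOTE: CInt/CBool raise a runtime "Type mismatch" on a value that is not numeric/boolean,
'so a malformed POST from the admin form fails the request rather than storing a bad value.
strUploadComponent = Request.Form("component")
strImageTypes = Request.Form("imageTypes")
intAllocatedSpace = Request.Form("allocatedSpace")
intMaxImageSize = CInt(Request.Form("imageSize"))
strFileTypes = Request.Form("fileTypes")
intMaxFileSize = CInt(Request.Form("fileSize"))
strAvatarTypes = Request.Form("avatarTypes")
intMaxAvatarSize = CInt(Request.Form("avatarSize"))
blnAvatarEnabled = CBool(Request.Form("avatar"))

'Only the licensed (non free) edition may use this page
If blnACode OR strInstallID = "" Then
	Call closeDatabase()
	Response.Redirect("admin_web_wiz_forums_premium.asp" & strQsSID1)
End If

'If a hacker gains control of the admin account they can use the upload tool to upload files
'to the server to hack the entire site. To prevent this certain file types are not allowed.
If Request.Form("postBack") Then

	'List of bad file types: ISAPI and CGI web page extensions (can be used to hack site).
	'Built from a single list so that adding an entry can never silently overwrite another
	'index (the previous fixed-size array assigned index 56 twice and lost "wml").
	'NOTE(review): this is a denylist; an allowlist of known-safe extensions is the stronger
	'model, but changing that is a policy decision for the product owner.
	saryBadFileTypes = Split("asax;ascx;ashx;asmx;aspx;asp;asa;asr;axd;cdx;cer;cgi;class;config;com;cs;csproj;cnf;dll;edml;exe;idc;inc;isp;licx;php3;php4;php5;php;phtml;pl;rem;resources;resx;shtm;shtml;soap;stm;vsdisco;vbe;vbs;vbx;vb;webinfo;cfm;ssi;swf;tpl;cfc;jst;jsp;jse;jsf;js;java;wml;xslt", ";")

	'Remove spaces and dots in file types so that " .asp" and "asp" compare equal
	strFileTypes = Replace(strFileTypes, " ", "", 1, -1, 1)
	strFileTypes = Replace(strFileTypes, ".", "", 1, -1, 1)
	strImageTypes = Replace(strImageTypes, " ", "", 1, -1, 1)
	strImageTypes = Replace(strImageTypes, ".", "", 1, -1, 1)
	strAvatarTypes = Replace(strAvatarTypes, " ", "", 1, -1, 1)
	strAvatarTypes = Replace(strAvatarTypes, ".", "", 1, -1, 1)

	'Place the file, image and avatar types into one array
	saryImageFileType = Split(Trim(strImageTypes) & ";" & Trim(strFileTypes) & ";" & Trim(strAvatarTypes), ";")

	'Loop through all the requested extensions and reject any that is on the bad list
	For intLoopCounter = 0 To UBound(saryImageFileType)

		'Loop through each of the bad file types (case-insensitive compare)
		For intLoopCounter2 = 0 To UBound(saryBadFileTypes)

			If LCase(saryImageFileType(intLoopCounter)) = LCase(saryBadFileTypes(intLoopCounter2)) Then
				blnBadFileType = True
				strBadFileTypeName = strBadFileTypeName & saryBadFileTypes(intLoopCounter2) & ", "
				'Each bad type appears once in the list, so no further match is possible
				Exit For
			End If
		Next
	Next
End If

'Initialise the SQL variable with an SQL statement to get the configuration details from the database
strSQL = "SELECT " & strDbTable & "Configuration.* " & _
	"From " & strDbTable & "Configuration " & _
	"WHERE " & strDbTable & "Configuration.ID = 1;"

'Set the cursor type property of the record set to Dynamic so we can navigate through the record set
rsCommon.CursorType = 2

'Set the Lock Type for the records so that the record set is only locked when it is updated
rsCommon.LockType = 3

'Query the database
rsCommon.Open strSQL, adoCon

'If the user is changing the upload setup and no bad extension was found then update the database
If Request.Form("postBack") AND blnBadFileType = False Then

	With rsCommon

		'Update the recordset (demo mode is read-only)
		If blnDemoMode = False Then
			.Fields("Upload_component") = strUploadComponent
			.Fields("Upload_img_types") = strImageTypes
			.Fields("Upload_img_size") = intMaxImageSize
			.Fields("Upload_files_type") = strFileTypes
			.Fields("Upload_files_size") = intMaxFileSize
			.Fields("Upload_avatar_types") = strAvatarTypes
			.Fields("Upload_avatar_size") = intMaxAvatarSize
			.Fields("Upload_avatar") = blnAvatarEnabled
			.Fields("Upload_allocation") = intAllocatedSpace

			'Update the database with the new settings
			.Update
		End If

		'Re-run the query to read in the updated recordset from the database
		.Requery
	End With

	'Empty the application level variable so that the changes made are seen in the main forum
	Application.Lock
	Application(strAppPrefix & "blnConfigurationSet") = False
	Application.UnLock
End If

'Read in the details from the database
If NOT rsCommon.EOF Then

	'Read in the upload setup from the database
	strUploadComponent = rsCommon("Upload_component")
	strImageTypes = rsCommon("Upload_img_types")
	intMaxImageSize = CInt(rsCommon("Upload_img_size"))
	strFileTypes = rsCommon("Upload_files_type")
	intMaxFileSize = CInt(rsCommon("Upload_files_size"))
	strAvatarTypes = rsCommon("Upload_avatar_types")
	intMaxAvatarSize = CInt(rsCommon("Upload_avatar_size"))
	blnAvatarEnabled = CBool(rsCommon("Upload_avatar"))

	'Older databases have no allocation value; fall back to 1
	If IsNull(rsCommon("Upload_allocation")) Then
		intAllocatedSpace = 1
	Else
		intAllocatedSpace = CInt(rsCommon("Upload_allocation"))
	End If
End If

'Close the recordset before reusing it for the groups query
rsCommon.Close

'Initialise the strSQL variable with an SQL statement to query the database
'WHERE clause added to get round bug in myODBC which won't run an ADO update unless you have a WHERE clause
strSQL = "SELECT " & strDbTable & "Group.* " & _
	"FROM " & strDbTable & "Group " & _
	"WHERE " & strDbTable & "Group.Group_ID > 0 " & _
	"ORDER BY " & strDbTable & "Group.Group_ID ASC;"

'Set the cursor type property of the record set to Dynamic so we can navigate through the record set
rsCommon.CursorType = 2

'Set the Lock Type for the records so that the record set is only locked when it is updated
rsCommon.LockType = 3

'Query the database
rsCommon.Open strSQL, adoCon

'Update the db with file and image upload permissions for groups
'The recordset is deliberately left open: the group table rendered later on this page reads from it.
If Request.Form("postBack") AND blnBadFileType = False Then

	'Loop through the groups
	Do While NOT rsCommon.EOF

		'Update the recordset. An unticked checkbox is absent from the form, which CBool
		'treats as False; any other non-boolean value raises a runtime error.
		rsCommon.Fields("Image_uploads") = CBool(Request.Form("imageGroup" & rsCommon("Group_ID")))
		rsCommon.Fields("File_uploads") = CBool(Request.Form("fileGroup" & rsCommon("Group_ID")))

		'Update the database
		rsCommon.Update

		'Move to next record in rs
		rsCommon.MoveNext
	Loop
End If
%>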
Important - Please Read First! |
To be able to use file and image upload in your forums, you must have an upload component installed on the web server. If you are unsure about this, check with your
web host whether they have any of the upload components mentioned below installed. If you run the web server yourself, you can download and install one of the following supported components. You will also need to make sure that the upload folder and its subfolders have read, write and modify permissions for the Internet User Account (IUSR_<MachineName>) and that the folder is inside the root of your forum.
Please note: the ASP File System Object (FSO) is also required when using upload features; check with your web hosting company that
they have not disabled this object. |