Here we start out with a simple "settings" file, named settings.asp. This
file is included on every page and contains the basic settings for the
guestbook.
Since the password (logincode) is NOT in the database, you can leave the
database in the webroot with a MapPath statement to make the install easier.
The best place for the database is still outside your webroot: an .mdb file
inside the webroot can be downloaded directly by anyone who knows or guesses
its name, which hands them every post and the IP address of every poster. To
move it, change the database_path string to the full path
("C:\inetpub\database\post.mdb" for example).
There is also an important setting to allow HTML or not. Guestbooks are often
abused by filling them with links and other junk, and any HTML a visitor is
allowed to post is rendered in the browser of every other visitor, including
the logged-in admin. It is a good idea to disallow HTML unless you really need
it.
The language setting just selects a set of variables holding the text used
within the system; each language has its own set of strings, so adding a "new"
language is very easy.
Details

' title of your guestbook.
pagetitle = "Demo"
' language
' english = en, german = ger, french = fr
lang = "en"
' admin password
logincode = "1234"
' number of entries to show.
show_posts = "25"
' minimum length of post to be allowed.
minimum_length = 4
' set to "no" for no html, set to "yes" to allow html (not recommended!)
allow_html = "no"
' leave as is, unless you want to move your database.
database_path = Server.MapPath("post.mdb")

The login is a simple login check page, which compares the login code entered
on the form with the one stored in settings.asp. Note that the code is stored
in cleartext in that file and compared as a plain string, so anyone who can
read settings.asp (a backup copy, a misconfigured server that serves .asp
source) has the admin password.
<% Option Explicit %>
<%
Dim FormPwd

' an empty code is sent straight back to the form
if Request.Form("mynumber") = "" then
    response.redirect("login.asp?l=password_blank")
End If

' set variables from form
FormPwd = Request.Form("mynumber")
' doubles single quotes (SQL-style escaping); harmless here, since the code
' is only ever compared to logincode and never used in a query
FormPwd = replace(FormPwd, "'", "''")

' run login or return to login page
if formpwd = logincode then
    Session("LoginID") = formpwd
else
    response.redirect("login.asp?l=incorrect_login_or_password")
End if

' final redirect
response.redirect("post.asp")
%>
The login uses a session variable to store the login state, so to log off we
simply abandon the session, which discards the server-side session data
including LoginID. The redirect appends the date to the querystring so the
browser does not show a "cached" logged-in page after logging out. This is not
a security measure, just a convenience.
<%
session.abandon
response.redirect("post.asp?d=" & date)
%>
Now the main code is the post.asp page. This page is the same whether you are
logged in as admin or just a guest visiting the page. If you are logged in you
see the same data as a guest, only with more options available: you can delete
posts, restore deleted posts, or empty the "recycle bin" (where deleted posts
are stored until you clear them out).
As you can see from the code below, we check for the logged-in session right
from the start (the LoggedIn variable, populated from the session at the top
of the script), then use it throughout the rest of the script to display data
based on your status as admin or guest.
Once you are logged in you see more options available.
The file is split up into "parts" depending on which querystring is passed.
The section below checks to see if you are logged in and then checks whether
you have asked to empty the "deleted" items from the database.
' ============Empty Deleted Items from the database============
If LoggedIn <> "" Then
    if request.querystring("del") = 1 then
        Set dConn = Server.CreateObject("ADODB.Connection")
        dConn.Open "PROVIDER=MICROSOFT.JET.OLEDB.4.0;DATA SOURCE=" & _
            database_path
        mySQL = "DELETE FROM tblpost where active = 2;"
        dConn.execute(mySQL)
        dconn.close
        set dconn = nothing
        response.redirect("post.asp")
    end if
end if
As you can see from the rest of the main "post" code, different items are
displayed or actions performed based on whether you are logged in, and if so
which querystring value you have passed to the page. Two things to notice in
the delete/undelete handler below: it sits outside the LoggedIn check, so the
remove=1 querystring is honoured for any visitor, and it builds the UPDATE
statement by concatenating removetype (and ID) straight from the request into
the SQL string. Only the showdeleted block that chooses the labels is guarded.
' ============set based on delete or undelete============
If LoggedIn <> "" Then
    showdeleted = request.querystring("showdeleted")
    if showdeleted = 1 then
        active = 2
        removetype = 1
        delete_text = undelete_text
        delimage = "undelete.gif"
    else
        active = 1
        removetype = 2
        delete_text = delete_text
        delimage = "delete.gif"
    end if
else
    active = 1
end if
' ============Delete/Undelete Items from the guestbook display============
' NOTE: this block is not inside the LoggedIn check, and removetype / ID are
' taken from the request and concatenated directly into the SQL string.
remove = request.querystring("remove")
if remove = 1 then
    Set dConn = Server.CreateObject("ADODB.Connection")
    dConn.Open "PROVIDER=MICROSOFT.JET.OLEDB.4.0;DATA SOURCE=" & database_path
    removetype = request.querystring("removetype")
    mySQL = "UPDATE tblPost SET Active = " & removetype & " WHERE ID = " & _
        ID & ";"
    response.write "updating"
    dConn.execute(mySQL)
    dConn.Close
    set dConn = Nothing
    response.redirect("post.asp")
end if
' ============End Delete Section============
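The same remove handler, as an added example rather than the guestbook's own code, rewritten the way a reviewer would ask for it: it only runs for a logged-in admin, it accepts only the two Active values the page uses (1 = live, 2 = recycle bin) and a numeric post ID, and it binds both values as ADO parameters instead of concatenating them into the statement. The querystring name "id" for the post ID is an assumption, since the page never shows where ID comes from; dConn, database_path, LoggedIn and tblPost are the page's own names.

```vbscript
<%
' Added example (not the original post.asp code): hardened delete/undelete.
' Assumes the post ID arrives as ?id=... ; everything else is from the page.
Dim cmd, safeType, safeID

If LoggedIn <> "" And request.querystring("remove") = 1 Then
    ' 1. Validate before touching the database. removetype may only be the two
    '    Active states the page uses; the ID must be a plain number.
    safeType = request.querystring("removetype")
    safeID   = request.querystring("id")
    If Not (safeType = "1" Or safeType = "2") Or Not IsNumeric(safeID) Then
        ' "5 OR 1=1" and friends never get past this line
        response.redirect("post.asp")
    End If

    Set dConn = Server.CreateObject("ADODB.Connection")
    dConn.Open "PROVIDER=MICROSOFT.JET.OLEDB.4.0;DATA SOURCE=" & database_path

    ' 2. Parameterised UPDATE. Jet binds the ? placeholders by position, so the
    '    values are always data, never part of the SQL text.
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = dConn
    cmd.CommandText = "UPDATE tblPost SET Active = ? WHERE ID = ?"
    cmd.CommandType = 1   ' adCmdText
    ' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("active", 3, 1, , CLng(safeType))
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(safeID))
    cmd.Execute

    Set cmd = Nothing
    dConn.Close
    Set dConn = Nothing
    response.redirect("post.asp")
End If
%>
```

The validation step is deliberately kept even though the parameters alone stop injection: it also rejects removetype values other than 1 and 2 (the page never defines any other Active state) and keeps the CLng() conversion from throwing on junk input. IsNumeric accepts forms such as "1e3" or "&H10", which CLng converts to ordinary integers, so nothing non-numeric reaches the query.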
Set dataRS = Server.CreateObject("ADODB.RecordSet")
' show_posts and active come from settings.asp / the code above, not from the
' request, so this concatenation is not under visitor control
dataSQL = "Select TOP " & show_posts & " message, remote_addr, sysdate, " &_
          "systime, id FROM tblPost WHERE active = " & active &_
          " order by sysdate DESC, systime DESC;"
'Response.Write dataSQL
'response.end
Set dConn = Server.CreateObject("ADODB.Connection")
dConn.Open "PROVIDER=MICROSOFT.JET.OLEDB.4.0;DATA SOURCE=" & database_path
dataRS.Open dataSQL, dConn, 1, 3
recordcount = dataRS.recordcount
if recordcount > 0 then
    ' GetRows() copies the result into a 2-D array: data(column, row)
    data = dataRS.GetRows()
    ' Setup for array usage
    iRecFirst = LBound(data, 2)
    iRecLast = UBound(data, 2)
end if
' Data is retrieved so close all connections (also when there were no rows)
dataRS.Close
Set dataRS = Nothing
dconn.close
set dconn = nothing
' ============IF IS A POST BACK============
message = trim(request.form("message"))
if request.form("ispostback") = 1 AND (len(message) > minimum_length) then
    ' filter the message according to the allow_html setting
    if allow_html = "no" then
        message = RemoveHTMLtags(message)
    else
        message = PreSubmit2(message)
    end if
    strSQL = "tblPost"
    ' Open a recordset; AddNew/Update writes the values through ADO rather
    ' than through a concatenated INSERT statement
    Set cRS2 = Server.CreateObject("ADODB.recordset")
    Set dConn = Server.CreateObject("ADODB.Connection")
    dConn.Open "PROVIDER=MICROSOFT.JET.OLEDB.4.0;DATA SOURCE=" &_
        database_path
    cRS2.Open strSQL, dConn, 1, 3
    cRS2.AddNew
    cRS2("message") = message
    cRS2("sysdate") = date()
    cRS2("systime") = time()
    cRS2("remote_addr") = request.ServerVariables("remote_addr")
    cRS2("Active") = 1
    cRS2.Update
    cRS2.Close
    Set cRS2 = Nothing
    dConn.Close
    Set dConn = Nothing
    response.redirect("post.asp")
end if
' ============End POSTBACK Section============
%>
<title><%=pagetitle%></title>
</head>
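The page stops before the part of post.asp that renders the rows fetched by GetRows(), so what follows is an added example of that loop, not the guestbook's own display code. It illustrates the point made about allow_html above and in the post-back section: stripping tags on input (RemoveHTMLtags) is one layer, encoding on output with Server.HTMLEncode is the second, and when allow_html is "yes" that second layer is necessarily switched off. It uses the page's own names (data, iRecFirst, iRecLast, recordcount, LoggedIn, removetype, delete_text, allow_html) and the column order of the SELECT above (0 = message, 1 = remote_addr, 2 = sysdate, 3 = systime, 4 = id); the "id" querystring name on the admin link is an assumption.

```vbscript
<%
' Added example (not the original post.asp display code): render the posts
' with output encoding. Assumes the remove handler reads the post ID as ?id=...
Dim i
If recordcount > 0 Then
    For i = iRecFirst To iRecLast
        Response.Write "<div class=""post"">"
        If allow_html = "no" Then
            ' Encode on output even though RemoveHTMLtags() ran on input:
            ' anything the input filter missed, or a row stored while the
            ' setting was "yes", still cannot execute in the visitor's browser.
            ' The & "" guards HTMLEncode against a Null message field.
            Response.Write Server.HTMLEncode(data(0, i) & "")
        Else
            ' allow_html = "yes": the stored HTML is emitted as-is, so safety
            ' rests entirely on PreSubmit2(). This is why "yes" is not recommended.
            Response.Write data(0, i) & ""
        End If
        ' date, time and poster address are data, so encode them too
        Response.Write "<br>" & Server.HTMLEncode(data(2, i) & " " & data(3, i))
        If LoggedIn <> "" Then
            ' admin-only link. removetype is 1 or 2 from the code above; the id
            ' is an AutoNumber from the database, and CLng() keeps it a number.
            Response.Write " <a href=""post.asp?remove=1&removetype=" & removetype & _
                "&id=" & CLng(data(4, i)) & """>" & Server.HTMLEncode(delete_text) & "</a>"
        End If
        Response.Write "</div>"
    Next
End If
%>
```

The remote_addr column is deliberately not printed to guests here; it is stored for the admin's benefit, and showing visitors' IP addresses to each other is rarely what a guestbook wants.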