About Chris
Expertise
I can answer pretty much any question relating to VB.NET and its use in a Windows environment. I can also handle most questions using C#. I specialize in ASP.NET web development and MSSQL database access, but have some stale knowledge of the old ASP - I'd prefer to avoid questions about it.

Experience
I have over 5 years of industry experience using VB.NET and other .NET technologies for web and database development.

Education/Credentials
I have some college education, but does it really matter in this field of work?

 
   


Topic: Active Server Pages Programming (ASP)



Expert: Chris
Date: 9/18/2007
Subject: Online form email confirmation using old ASP...

Question
Sorry to ask this question...since you indicate you have some stale knowledge about it. I created an online form in HTML that passed the form processing to an ASP file as the processing page. The processing page (ASP) grabs the data and puts it into a database, then sends a confirmation email using CDOSYS. In order to use CDOSYS to send an email confirmation I had to do SMTP email server authentication using a username and password in the ASP processing page that generates the email confirmation. I couldn't use an anonymous username and/or password for SMTP email server authentication, so the only other option I was aware of to use was my regular email username and password for SMTP authentication. The form worked this way until last week when our networking group said this was a security risk. Since I was using ASP to hide the username and password I didn't think this would be a problem. Are there any other options?

Answer
ASP is generally an insecure technology. There are no guarantees about its execution restrictions like there are with ASP.Net. Although it's rare, it's possible for the user to access your source files, even if you've configured everything to disallow this. You should at the very least create a different username/password exclusively for this purpose, granting it only access to perform this one task, to minimize the risk should anybody gain access to your source files. It's best to keep everything encrypted as well, even if you've defined it as a constant in your code. Try to make it obscure as to how to get that data back to its unencrypted format by using seemingly random names in sensitive code (a method called obfuscation, which can be automated in .NET). Anything to make it less likely that even if your web front-end system is compromised that it won't pose a security risk to the rest of your network infrastructure.
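An added example, not part of the original question or answer: a small Python audit that scans classic ASP source for CDOSYS `sendusername` / `sendpassword` fields assigned from string constants, which is the condition the networking group flagged. The sample ASP fragment, host name, mailbox and password are constructed for illustration.

```python
import re

# CDOSYS configuration namespace; the two fields matched below carry SMTP credentials.
CDO_NS = "http://schemas.microsoft.com/cdo/configuration/"
FIELD_RE = re.compile(
    r'\(\s*"' + re.escape(CDO_NS) + r'(sendusername|sendpassword)"\s*\)'
    r'(?:\.Value)?\s*=\s*(.+?)\s*$',
    re.IGNORECASE)

def strip_comment(line):
    """Drop a VBScript ' comment unless the quote mark sits inside a string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def find_cdo_credentials(source):
    """Return (line_no, field, kind, value); kind is 'literal' for a quoted constant."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        m = FIELD_RE.search(strip_comment(raw))
        if not m:
            continue
        field, rhs = m.group(1).lower(), m.group(2)
        lit = re.fullmatch(r'"((?:[^"]|"")*)"', rhs)
        kind = "literal" if lit else "expression"
        value = lit.group(1).replace('""', '"') if lit else rhs
        if lit and field == "sendpassword":
            value = "*" * len(value)  # never echo the secret into the report
        findings.append((no, field, kind, value))
    return findings

# Constructed sample: a personal mailbox and its password hardcoded in the page.
SAMPLE_ASP = '''<%
With cfg.Fields
  .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mail.example.test"
  .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "jsmith@example.test"
  .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "Summer2007"  ' my mailbox
  ' .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "old"
  .Update
End With
%>'''

if __name__ == "__main__":
    for finding in find_cdo_credentials(SAMPLE_ASP):
        print(finding)
```

A `literal` password is a secret readable by anyone who obtains the source file; the reported `sendusername` lets a reviewer confirm whether the account is a dedicated, restricted one or a person's regular mailbox.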

Copyright  © 2008 About, Inc. About and About.com are registered trademarks of About, Inc. The About logo is a trademark of About, Inc. All rights reserved.