ASP 3.0 Folder/File Permissions Settings

[ASP Pee-Wee]

Dear W3Schools,Hi, I have built a form input page in HTML thathas an action to post to an ASP handler/processor.asp file. The form handler/processor .asp filecontains only <% Insert VBScript Here %> and noHTML output whatsoever.The .asp file was never intended to be a"web viewable" .asp file like an .asp home pagefile or html file would. It's supposed to befor my eyes only- not the public's howeverit does need to take info posted by the publicand do something with it on it's end.I have used VBScript/ASP3.0 to build the formhandler/processor file and would like to know howto keep someone from viewing the actual VBScriptin the handler/processor .asp file. I am aware ofobfuscation but I would like to know how to keepprying eyes from even being able to take a lookat the obfuscated code in the handler/processorfile.I realize that the server executes the .asp filefirst before outputting anything to the browser soI guess that my main concern is mostly that someonemay could "download" the form handler/processor .asp file,then view it's contents on their machine.Assuming the form handler .asp file is where it is,behind the root, and is on a windows server(no htaccess approach) how could one protect it so thatit could never be viewed or simply pulled down viaanonymous ftp or something like that?Is there something like "script only" permissions thatthe system administrator could set up for a particularfolder? Remember, with shared hosting I can't go abovethe root. If so, would the form still be able to post?How would any of you guys go about protecting theasp file in addition to obfuscation? Any help wouldbe greatly appreciated.Thanks,

[shaffiq_fiq88]

You use ASP, meaning that you use code block that need to be processed by the server. So there is no any chance that the visitor can download the .asp page even if they know where it is.<%@Language="VBScript"%> directive will make sure and always make sure that the .asp page is processed before it can be viewed. If you .asp form handler just contain code block, it mean nothing to be viewed. If the visitor load the page by typing the URL ie:http://yourdomain.com/process.asp, it will only show a blank page with blank page source unless there is coding error made by yourself.Anyway, it is about form processing. You may put conditional variable to make it safer.If request.form("dataA") = "" ThenResponse.Redirect("/error.asp")Else'ContinueEnd IfOr you may create a session variable.Also try to avoid using On Error Resume Next.The main thing is, turn off directory listing.That is all I can give. Hope others can give you more satisfy solution.Happy scripting.