Is there a way to "hide" ASP code that's used on a web site? I've heard that .NET will compile the code, which would accomplish it, but I don't really know where to start.
Thanks -
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Right - the server is not in my area and I'm not sure who has access to what, but I'd just as soon not expose how we did every little thing.
We can go the ActiveX components, but doesn't that require that the user machine have updated system files (MDAC, DCOM, etc.)? Seems like it would introduce a whole new array of things that could screw up. Perhaps it's not that big a deal...
Microsoft has a script encoder available, http://www.microsoft.com/m
The only way (now) to keep code secure in an environment that is not completely your own is to wrap it in dlls.
"System files" are not really a concern because server.createobject() instantiates the same dll that the activeX component you created will. IIS is the "user machine". You are right, dll's do bring a whole new thing- for instance, any time you update a dll you need to bring down IIS, replace the dll and the start IIS and w3svc again.
A service provider typically will not allow you to register "Home Grown" dll's. So look very carefully at the contract, place copyright notices in your asp code- as both server side comments and javascript/client side comments-And talk to a lawyer. Another option- find a "server host" rather than a "site host". In other words place your own server, with your security at someone else's site. If you are distributing asp code to clients- again notch up the license agreement, hire a lawyer, or dictate dll usage.
I'm not sure I really understand what you are after- just offering a few things I've encountered- doing both dll in an IIS environment and asp.
Generally, it usually means that the server simply allows you to install custom components. Other than that, you should run into few problems as long as you maintain versioning within your compononents. If your host provides support for custom components, they will do the installation and registering of those components for you.
MS Script Encoder is not a solid solution. Just do a search on the web for the MS Script Decoder and youll find plenty of links.
Azra, I'm suprised you say Script Encoder is not a solid solution, while it can be hacked, [what code can't], I encode lots of my scripts with it. Just as a test, I have a simple date.asp file that I encrypted with MS Script Encoder. Here is the code before encrypting;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Date.asp</title>
<style>
body {
font-family : Arial;
}
</style>
</head>
<body>
Today is <%=FormatDateTime(Date(),2
Todays date and time is <%=Now()%>.
</body>
</html>
Here it is after encrypting;
<%@ LANGUAGE = VBScript.Encode %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Date.asp</title>
<style>
body {
font-family : Arial;
}
</style>
</head>
<body>
Today is <%=#@~^GAAAAA==oKDhmYGlYK
Todays date and time is <%=#@~^BQAAAA==HKhc*hQEAAA
</body>
</html>
And here is the .asp page after running it through a "MS Script Decoder" I found on the web.
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 05 Sep 2001 14:39:24 GMT
Connection: Keep-Alive
Content-Length: 272
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGGGGKSQ=PCLDG
Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Date.asp</title>
<style>
body {
font-family : Arial;
}
</style>
</head>
<body>
Today is 9/5/2001<p>
Todays date and time is 9/5/2001 7:39:24 AM.
</body>
</html>
Looks pretty secure and safe to me... while I agree registering a .dll is probably the safest way, the Script Encoder is fine for most needs.
If he is that concerned with securing his scripts, I am just saying that he probably wouldnt want to rely on using something that has been hacked and posted all over the internet. Of course, if his site host is that sneaky and devious, then he probably needs to find a new home elsewhere on the web anyways.
Sorry for the delay. After looking into it a bit, it does seem that the encoder will do just that, and is a quick and easy way to encode the ASP. It also seems, however, that it's about as quick to "un-encode" it. It's apparently been around without being changed, as well, which surely cuts down on its effectiveness.
My original question centered on .NET's "compiling" capabilities, but none of the answers mention it, so if it exists, it must not be very well known.
I think the suggestion of "wrapping in DLLs" might be a good one, but is there a source of how to do this? Are these DLLs registered on the server only, or do they have to be registered on the user machine as well?
>>My original question centered on .NET's "compiling" capabilities, but none of the answers mention it
Mainly do the fact that its still in BETA mode, and wont see full release til sometime next year, at least. Then, we get to enjoy the road of new versions and service packs that developers enjoyed with Visual Studio.
Yes, ASP.NET will be coded in any language targeting the .NET platform. VBScript is not one of those languages. You will be using VB, C++, C#, etc, when writing your asp pages. The benefit is compiled code, instead of interpreted code at run-time. Yes the code is compiled, but its not hidden. Your worries lie in the fact that someone can see your code. This will not change in ASP.NET. Your code is still visible to those who view your pages. The difference is how your pages are executed under the .NET platform. To "hide" your code, you still need to use a component, which, actually, may be even less "safe" under .NET because, currently, the .NET platform offers a decompiler tool that will generate IL code from compiled sources.
Wrapping up ASP code into an ActiveX DLL is not a difficult task, especially if youve coded in VBScript (most of the code can be copied/pasted into a VB component. These components need only be registered on the server, where they are utilized, and not on the client machine.
>>But the utility still requires the original .asp code.
Thats what he has been worried about all along, e.g., a hosting site seeing his code. Other than that, your server code is invisible to clients unless you have taken no steps to protect yourself.
>>but it's seems senseless to have to re-compile just to fix a spelling or some other issue.
Whether a component or script within an asp page, changes need to be made. Hopefully, youve tested it before registering and putting it into use. Even then, if changes are small, and youve compiled with binary compatibility, you can just copy over the old component with the new w/o any hassles of registering/unregistering.
To split points, just post a 0 pointer in Community Support, ask them to split the points, and link them to this question.
Azra, did you see the neat JS version?
If you dig hard enough at this site, you will find a Base64 encoding method that takes this basic page;
<title>Date.asp</title>
<style>
body {
font-family : Arial;
}
</style>
</head>
<body>
Today is 9/5/2001<p>
Todays date and time is 9/5/2001 7:39:24 AM.
</body>
</html>
And encodes it to this;
PGh0bWw+IA0KPGhlYWQ+IA0KPH
bGU+IA0KYm9keSB7IA0KZm9udC
ZT4gDQo8L2hlYWQ+IA0KPGJvZH
b2RheXMgZGF0ZSBhbmQgdGltZS
Ym9keT4gDQo8L2h0bWw+DQoNCg
The only caveat is that the decoder will have to be declared or included in an encrypted page, or better yet, wrap the decoder into a .class file... ;-)
[I love my the net...]
Right. The split will be as follows:
50=mgfranz
50=AzraSound
gglover, I will reduce you points by 50, and accept one qustion here.
Use the other 50 points and create a new question here in this Topic Area for the other Expert. Entitile the question *Points for <Expert Name)* In the Comment Box type *For your help in my question #20178511*
Choose the 50 point button and submit, this will complete the split.
Thank you,
ComTech
Community Support Modeator
Hopefully you've already been helped with this question, but thought you'd appreciate knowing this.
WindowsUpdate has new updates for .NET users; Details follow - Microsoft .NET Framework
The .NET Framework is a new feature of Windows. Applications built using the .NET Framework are more reliable and secure. You need to install the .NET Framework only if you have software that requires it.
For more information about the .NET Framework, see http://www.microsoft.com/n
System Requirements
The .NET Framework can be installed on the following operating systems:
Windows 98
Windows 98 Second Edition (SE)
Windows Millennium Edition (Windows Me)
Windows NT 4.0® (Workstation or Server) with Service Pack 6.0a
Windows 2000 with the latest service pack installed (Professional, Server, Datacenter Server, or Advanced Server)
Windows XP (Home Edition and Professional)
You must be running Internet Explorer version 5.01 or later for all installations of the .NET Framework.
To install the .NET Framework, your computer must meet or exceed the following software and hardware requirements:
Software requirements for server operating systems:
MDAC 2.6
Hardware requirements:
For computers running only a .NET Framework application, Pentium 90 mHz CPU with 32 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
For server operating systems, Pentium 133 mHz CPU with 128 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
Recomended software:
MDAC 2.7 is recommended.
Recommended hardware: For computers running only a .NET Framework application, Pentium 90 MHz CPU with 96 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
For server operating systems, Pentium 133 MHz CPU with 256 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
How to use -> Restart your computer to complete the installation. No other action is required to run .NET Framework applications. If you are developing applications using the .NET Framework, you can use the command-line compilers or you can use a development environment, such as Visual Studio .NET, that supports using the .NET Framework.
How to uninstall
To uninstall the .NET Framework: Click Start, point to Settings, and then click Control Panel (In Windows XP, click Start and then click Control Panel.).
Click Add/Remove Programs.
Click Microsoft .NET Framework (English) v1.0.3705 and then click Change/Remove.
More here http://www.microsoft.com/n
The .NET topic is being considered for addition to our All Topics link soon, so this may interest you as well:
http://www.experts-exchang
EXPERTS POINTS are waiting to be claimed here: http://www.experts-exchang
":0)
Asta
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
split - azrasound mgfranz
Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
lavinder
EE Cleanup Volunteer
Business Accounts
Answer for Membership
by: AzraSoundPosted on 2001-09-04 at 16:55:46ID: 6455014
If youre concerned about visitors to your page, you are fine, so long as you havent done anything to allow your code to be viewed (such as script errors in an include file with *.inc extension)
If you mean you want to protect it from someone you are distributing it to, or from the company hosting your site, then you need to wrap up the "sensitive" code into components (e.g., ActiveX DLLs)