Security

VP-ASP provides extensive security features including:

• Ability to totally hide the administrative side of the shopping cart
• Security for the database
• Ability to set and assign userids with different privileges
• Ability to check for hackers and prevent them from shopping in your store
• Encrypting credit cards
• Supports both standard SSL and shared SSL
• Ability to email on successful login to administrative system
• IP checks on Administrative logins     

  Passwords and User ID's

  The supplied userids and passwords should be changed to avoid other VP-ASP users from accessing your database. Use Microsoft Access to alter the userids and passwords in tblUser or use the User Menu option with userid admin to change the passwords and add your own userids and delete the supplied userids.     

  Database

  If you are holding secure information in the database such as credit card information, make sure your database is not accessible to a web browser. Most Web Hosting companies will make a directory available to you to hold your database and this directory will be accessible from the VP-ASP Active Server Pages but not by general browsing of your site.

   

  If the database is in the same directory as the rest of VP-ASP files any hacker can steal it.
  Please move the database to a directory not viewable from the web

   

  After you move the database follow the instructions in the previous page to update the xdblocation field in shop$config.asp     

  Hide Administration Pages

  For extra security you should hide the name of the VP-ASP administration login page. By default this page is called shopadmin.asp.

  Hackers will not be able to even locate the VP-ASP administration page once you follow these steps:

  1. Open shopadmin.asp
  2. Locate around line 121:
     
     form action="%=getconfig("xadminpage")%>" method="post" name="LoginForm" id="LoginForm">
     
     Change to:
     
     form action="newloginpage.asp" method="post" name="LoginForm" id="LoginForm">
     
     Where newloginpage.asp is the secret name of your login page. Do not calll your page newloginpage.asp. Create a name that no one but you will know and remember.
  3. While you have this page open you can at the same time insert a 2nd password to add an extra layer of security.
  4. Save and close this file.
  5. Next rename this page itself using to match the newloginpage.asp name you inserted in the file itself. This must match the name otherwise you will not be able to log into the admin.
  6. Change these values in the configuration.

  Xadminpage	Youradminpage.asp - this needs to be different from the name you selected. This is so a hacker cannot see the name of your login page if they manage to gain access to your data somehow.
  Xshowadmin	No prevents VP-ASP from ever listing the above page

   

      

  Double Login Password

  Currently the userid and password are stored in the database. If someone had access to the database they could login to the administrative system. It is possible to add a second password that is not stored in the database. To do this, edit file shopadmin.asp and change 1 line

  const SecondPassword="myownpassword"

  Now when you login to the VP-ASP administration system, this screen will be displayed.

  

  The first password is your normal password in the database

  Password 2 is the one you just entered in shopadmin.asp

      

  Credit Cards

  The best security for credit cards is not to keep them on your site at all. If you are using an electronic gateway they may only be stored on the bank's computers. Not all gateways work like this and you may have the credit cards in the local database even if you are using a gateway. If you are storing credit cards, then we recommend using VP-ASP encryption. In VP-ASP configuration setup set: xEncryptCreditCard="Yes" In addition we recommend removing the credit card details from the database after you process the order, by editing the order.     

  Removing Extra Files

  The following files should normally be removed from your production environment.

  Convert…	all files starting with convert
  diag_sessionlist.asp	Lists Session variables.
  diag_dbtest.asp	Tests database and mail.
  Vpdemo..	If not using the demo shop

  If you have problems and report them to VP-ASP Support Group we may ask that you restore diag_sessionlist.asp and diag_dbtest.asp so that we can diagnose your problems quickly.     

  Preventing Hackers From Shopping

  Using VP-ASP anti-hacker checks, you can prevent hackers from shopping in the store. They will be able to browse your shop but will not be able to create and order.

  The hackers table can be set to have a record with e-mail addresses or IP addresses of customers whom you do not wish to allow to shop in your store. Additional logic could be added to shophacker.asp to do additional checking.

  Xhackercheck	Yes If yes, then the order is checked against the hackers table and hacker countries
  Xhackercountries	XX,YY A list of valid country abbreviations. If an order is attempted from these countries, it will not be allowed

  When using this facility a message will appear in the form. The number at the end tells you the reason why the customer was rejected

  You are not permitted to shop in this store - 4  

  4	The country matched a value in xhackercountries
  5	IP or e-mail address matched that in the hackers table
  6	If email address matched

      

  IP Checking Login to the Admin System

  An additional anti-hacker checks can be IP checking. The IPS address of the person trying to use the Administration System against a list that you create. The IP addresses can be a full IP address or a partial IP address. First decide if you need IP checking. If you are unsure what your IP address is, login to the VP-ASP admin system, look at the log history to see the IP addresses. In correct use of the facility can lock you out of the administrative system.

  Following our other recommendations, shopadmin.asp would have been renamed to some other name. In this case you would edit the real file name ansd not shopadmin.asp as in these examples.

  Const adminips="288.66"	List of IP addresses that should be allowed to login to admin system. This is in file shopadmin.asp and NOT in the Shop Configuration
  const adminemailIpcheck="Yes"	If you want to be notified if an attempt is made to access the admin page by an invalid IP address then set to Yes. The yes is case sensitive. It cannot be YES.

  For example of your IP address is 288.66.77.999

  You can specify

  const adminips="288"

  this will allow anyone with IP starting with 288 to try to login

  Example 2

  const adminips="288.66"

  Here the IP address must start with 288.66

  Example 3

  Multiple addresses can be used

  const adminips="288,127.0.0.1,299.66"

  Will allow anyone with IP address starting with 288, or 127.0.0.1 or 299.66 to login.     

  Email on Login to Admin System

  An email can be sent to the merchant each time a login occurs to the admin system. Changing one line in file shopadmin.asp does this.

  Const adminmail="Yes"

  Mail to merchant on each successful login to administrative system

      

  Assigning Tables to Users

  Users can be assigned userids and passwords through the administration system. They can also be assigned menu options (a list of tasks they can perform) and tables which they display/edit.

  This is not a foolproof system but it provides a measure of protection.

  One user may be able to update product details, while another may be able to view orders.    

  Securing your admin with SSL

  Are you accessing your Admin using HTTPS? Never access your admin using a normal HTTP. Always use the HTTPS at the start of a web address.

  To force your admin page to use a HTTPS connection you can modify your shopadmin.asp file.
  

  Open shopadmin.asp (or whatever you have renamed this page to) in any text or html editor

  Lines 1 and 2 of this file should read:

  !--#include file="shop$db.asp"-->
  !--#include file="shopmail.asp"-->

  Immediately following these two lines, add the following code to force your admin to load in HTTPS mode:

  %
  Response.Buffer = True
  If (Request.ServerVariables("HTTPS") = "off") Then
  Dim xredir__, xqstr__
  
  xredir__ = "https://" & Request.ServerVariables("SERVER_NAME") & _
  Request.ServerVariables("SCRIPT_NAME")
  xqstr__ = Request.ServerVariables("QUERY_STRING")
  
  if xqstr__ > "" Then xredir__ = xredir__ & "?" & xqstr__
  
  Response.redirect xredir__
  End if
  %>
  

      

  Security fix: XSS at while register an affiliate

  Please apply below fix, if you are using VPASP 7 with build date older than 3/September/2010, to avoild XSS attack register an affiliate page (shopaffregister.asp).

  Modify shopaffregister.asp.asp

  1a. Open shopaffregister.asp.asp

  1b. Locate line affstrTypeofpayment = CleanChars(Request.Form("affstrTypeofpayment")) (estimate line 144, within routine sub ValidateData)

  1c. Below the above code, please add:

  '700 - 2010.09.03 - Bug Fix: XSS issue
  if len(affstrTypeofpayment) > 50 then affstrTypeofpayment = ""

  1d. Save

      

  Encryption

  Credit cards, if stored in the database, should be encrypted to protect yourself against a hacker obtaining them. While we do not recommend storing credit cards, and according to Visa and MasterCard this is against their merchant rules, if you do then using encryption will provide at least an extra layer of protection.

  By default the encryption key is kept in the configuration file within the database. This field should be either left blank or removed. This is in versions prior to version 6.00.

  Setting Up Encryption

  Version 6.00

  We have now moved the encryption key to the shop$config.asp file and you should update this key prior to going live with your store.

  const xencryptkey="" ' put here for more security

  To your encryption key

  const xencryptkey="xxxxxxxxxxx" ' put here for more security

  and empty the encryption key in the shop configuration.

  In the online admin go to:

  Setup > Payments > xencryptcreditcard > Set to Yes (this should be Yes by default)

  Version 5.50

  For added security you can move the encryption key directly into file shophash.asp. So if someone steals the database, they will not also have the encryption key used for credit cards. To do this, edit shophash.asp and change this line:

  const xencryptkey="" ' put here for more security

  To your encryption key

  const xencryptkey="xxxxxxxxxxx" ' put here for more security

  and empty the encryption key in the shop configuration.

  In the online admin go to:

  Shop Configuration > Payments > xencryptcreditcard > Set to Yes

   

  Retrieving Encrypted Card Numbers

  When credit cards are encrypted, the only way they can be viewed decrypted again is by viewing the order in your shop administration.

  Please note: Credit Card numbers of orders that were made before you setup encryption will no longer be able to be viewed.

  Encryption Keys

  Encryptions keys can be of any format consisting of alphabetical characters, numerical characters or both.

  Examples of encryption keys

  Valid Keys

  ·         agabAhjBcG

  ·         HKHSskjuIs

  ·         DVstsTUYTs

  Invalid Keys

  ·         %^SGHgjgss

  ·         Hkj&4S$hs*

  It is a good idea to choose encryption keys based on just a random selection of numbers and or alphabetical characters. Make sure they are not meaningful containing names, store specific words etc.

      

  Catching Bogus Orders - IP to Country

  VP-ASP has the facility to determine the country from which the hacker is actually making an order. This is done by looking up their IP address in a database. The database is not supplied in the distribution package and must be downloaded separately from our add-ons.

  At the end of an order the IP to country is invoked. If the country does not match the customer's country as supplied on the customer form, two changes are made to the order. The ocardtype field has the country abbreviation added and the IP address has the long country name appended. By changing the ocardtype field, certain automated end of order processing is stopped. For example order attachments and downloads. It also alerts the merchant that the order is suspicious

  Xhackeriptocountry

  Yes If yes, then IP to country checks are turned on. Do not use until Iptocountry database is installed.

  • IP To Country Restrictions

  IP To Country uses a public domain database that is supplied on an as-is basis. VP-ASP does not warrant that this database is complete or accurate. The database may not be updated for future IP changes. You must download this separate database from our web site. It is not supplied in the normal VP-ASP distribution.     

  Security fix: XSS at product listings page

  Please apply below fix, if you are using VPASP 7 with build date older than 3/September/2010, to avoild XSS attack to product listings page.

  1. Modify shop$db.asp

  1a. Open shop$db.asp

  1b. Locate function gennavrefstr (ref) (estimate line 2660)

  1c. Replace whole function gennavrefstr, as below:

  function gennavrefstr (ref)
  if Request.QueryString("sppp") <> "" then
  '6.50 - precautionary security fix
  if isnumeric(Request.QueryString("sppp")) then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&sppp=" & cleanchars(Request.QueryString("sppp"))
  end if
  end if
  
  '700 - Paging Navigation - bookmark page2, page3 for the category
  if Request.QueryString("id") <> "" then
  if isnumeric(Request.QueryString("id")) then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&id=" & cleanchars(Request.QueryString("id"))
  end if
  end if
  
  '700 - Paging Navigation - bookmark page2, page3 for simple search
  if Request.QueryString("Keyword") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&Keyword=" & cleanchars(Request.QueryString("Keyword"))
  end if
  if Request.QueryString("Search") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&Search=" & cleanchars(Request.QueryString("Search"))
  end if
  
  '700 - Paging Navigation - bookmark page2, page3 for advanced search
  if Request.QueryString("category") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&category=" & cleanchars(Request.QueryString("category"))
  end if
  if Request.QueryString("highprice") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&highprice=" & cleanchars(Request.QueryString("highprice"))
  end if
  if Request.QueryString("lowprice") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&lowprice=" & cleanchars(Request.QueryString("lowprice"))
  end if
  if Request.QueryString("allwords") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&allwords=" & cleanchars(Request.QueryString("allwords"))
  end if
  if Request.QueryString("exact") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&exact=" & cleanchars(Request.QueryString("exact"))
  end if
  if Request.QueryString("atleast") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&atleast=" & cleanchars(Request.QueryString("atleast"))
  end if
  if Request.QueryString("without") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&without=" & cleanchars(Request.QueryString("without"))
  end if
  
  '700 - Paging Navigation - for footnote query
  if Request.QueryString("bc") <> "" or session("seocbc") <> "" then
  if Request.QueryString("bc") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&bc=" & cleanchars(Request.QueryString("bc"))
  else
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&bc=" & cleanchars(session("seocbc"))
  end if
  end if
  if Request.QueryString("queryprefix") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&queryprefix=" & cleanchars(Request.QueryString("queryprefix"))
  end if
  if Request.QueryString("cname") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&cname=" & cleanchars(Request.QueryString("cname"))
  end if
  
  '700 - Paging Navigation - for catalogid query
  if Request.QueryString("catalogid") <> "" then
  '700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
  ref = ref & "&catalogid=" & cleanchars(Request.QueryString("catalogid"))
  end if
  
  gennavrefstr = ref
  end function
  

  1d. Save

  2. Modify shop$db.asp

  2a. Open shop$db.asp

  2b. Locate function CleanChars(strWords) (estimate line 3433)

  2c. Replace whole function CleanChars(strWords), as below:

  function CleanChars(strWords)
  '6.5.1 - exit function if strwords is nothing
  if strwords = "" then exit function
  if isnull(strwords) then exit function
  
  '6.50 - replace '' with ' in case function has been run twice on same string
  strWords = replace(strWords, "''", "'")
  
  do while instr(strWords,"  ") > 0
  strWords = replace(strWords, "  ", " ")
  loop
  
  dim badChars,i
  dim newChars, decodeChars
  dim sensitiveChars
  
  '700 - 2010.09.08 - Bug Fix: XSS issue
  badChars = array("select ", "drop ", "--", "insert into", "delete from","xp_","char(","@@","|","<script",".js","onload","alert(","xss","onmouseover","document.cookie","convert(","<iframe","cast(","nvarchar","varchar","chr(","exec(","%00","expression(")
  
  sensitiveChars = array("union ","update ","declare ")
  
  newChars = strWords
  dim newReplace,bpos,bpos2
  
  ' check bad chars and assign to null
  for i = 0 to uBound(badChars)
  if instr(1,lcase(newchars),lcase(badchars(i)),1)>0 then
  bpos = instr(1,lcase(newchars),lcase(badchars(i)),1)
  newReplace=""
  bpos2 = bpos + len(newReplace)
  newchars = mid(newchars,1,bpos-1) & newReplace & mid(newchars,len(badchars(i))+bpos,len(newchars) + bpos2 + 999)
  end if
  next
  
  ' check sensitive chars and assign spaces to %nbsp;
  for i = 0 to uBound(sensitiveChars)
  if instr(1,lcase(newchars),lcase(sensitiveChars(i)),1)>0 then
  bpos = instr(1,lcase(newchars),lcase(sensitiveChars(i)),1)
  newReplace=replace(lcase(sensitiveChars(i))," "," ")
  bpos2 = bpos + len(newReplace)
  newchars = mid(newchars,1,bpos-1) & newReplace & mid(newchars,len(sensitiveChars(i))+bpos,len(newchars) + bpos2 + 999)
  end if
  next
  
  'newchars=replace(newchars,"""",""")
  newchars=Replace(newchars,"%22","") 'remove any encoded double quotes
  newchars=replace(newchars,"©","&copy;")
  newchars=replace(newchars,"<br>","<br />")
  newchars=replace(newchars,"<BR>","<br />")
  newchars=replace(newchars,"<Br>","<br />")
  
  '700 - 2010.08.24 - Bug Fix: XSS issue
  newchars=replace(newchars,"<","&lt;")
  newchars=replace(newchars,">","&gt;")
  newchars=replace(newchars,"'","&apos;")
  newchars=replace(newchars,")","&#x29;")
  newchars=replace(newchars,"(","&#x28;")
  
  CleanChars = newChars
  end function

  2d. Save

  3. Modify shop$db.asp

  3a. Open shop$db.asp

  3b. Locate function ToSQL(Value, sType) (estimate line 3646)

  3c. Replace whole function ToSQL(Value, sType), as below:

  function ToSQL(Value, sType)
  dim Param
  Param = Value
  if Param = "" then
  ToSQL = ""
  else
  if sType = "Number" then
  ToSQL = CDbl(Param)
  else
  '700 - 2010.08.24 - Bug Fix: XSS issue
  Param=replace(Param,"&lt;","<")
  Param=replace(Param,"&gt;",">")
  Param=replace(Param,"&apos;","'")
  Param=replace(Param,"&#x29;",")")
  Param=replace(Param,"&#x28;","(")
  
  ToSQL = Replace(Param, "'", "''")
  end if
  end if
  end function

  3d. Save

      

  ** SECURITY PATCHES - 5.5 & Below **

  Hackers are a persistent nuisance on the web and a very real threat to your business. Unfortunately, no matter how hard we try, or what security measures we put in place, they find new ways to 'beat the system.'
  
  At VP-ASP we care about your online security. We constantly check for vulnerabilities in our software and if found, put 'fixes' in place to repair them. 'Fixes' relate to specific, known hacker attacks and in many cases, apply to all releases of VP-ASP.
  
  We have compiled the following list of 'fixes' for you to download to protect you and your online business. But for us to help you, you must help yourself. These 'fixes' MUST be implemented IMMEDIATELY.
  
  All fixes below must be checked no matter when you purchased VP-ASP. Most will have already been applied but please go through each one to make sure you are secure.

  Download Security Updates

  Do it NOW, before it's too late......

  If you have any concerns, or problems implementing these 'fixes,' please submit a ticket in our online help desk at:

  http://www.vpasp.com/virtprog/helpdesk

  To check these files against your version you can use a program called WinMerge availbale as a free download from:

  http://winmerge.org/

  Safe selling........ from the team at VP-ASP.

  Please also review our general security guidelines and the security check list before going live.

      

  *** SECURITY CHECKLIST ***

  Security Audits

  VP-ASP is committed to providing it's customers with as much security help and information as possible. As such, we have employed a team of security professionals to assist in auditing your site's security from as little as US$295. For more information click here.

  At VP-ASP we are committed to helping you ensure your site is as safe and secure as possible. Failure to follow the guidelines presented below may result in your site falling victim to hacker attacks.

  Have you changed your passwords? The default username and passwords used to access the admin need to be changed. Ensure that you choose a powerful password. Click here to find out how.

  Have you added a 2^nd password? Click here to find out how.

  Have you renamed your Admin Page? It is recommended that the admin log in page is a stand-along page with no reference in the database. Click here to find out how.

  Is your xadminmenucheck set to ‘YES'? Click here to find out how.

  Is your xrestrictadmintables set to ‘YES'? Click here to find out how.

  Is your xshowadmin set to ‘NO'? Click here to find out how.

  Have you changed your database name? Change the name of the database to something unique and hard to guess. Reference this new name in the shop$config.asp file. Click here to find out how.

  Have you removed all files starting with the letter “c”? Click here for a list of these files.

  Have you removed all files starting with “diag”? Click here for a list of these files.

  Are you encrypting credit card numbers & is your encryption code different to that of the Payments section of the config? Click here to find out how.

  Are you deleting all credit card numbers? If you are taking credit card numbers into your system rather than using a Payment Gateway, do not store the details any longer than necessary. Click here for more info.

  Is your database secure? Is your database in a secure location and are you sure it cannot be downloaded via a browser? Click here to find out how.

  Are you accessing your Admin using HTTPS and storing credit cards? Never access your admin using a normal HTTP if you store credit cards. Always use the HTTPS at the start of a web address.

  Have you kept your passwords safe & have you changed them recently? Never give out your passwords under any circumstances. Change them regularly.

  Are you regularly checking our pages for Updates? Always check the Security Update and Patches pages for updates. Bookmark these pages or set them as your default home page – this way you will always be on top of new updates or security releases.

      

  *** VP-ASP 6.00 Upgrades ***

  NOTE: Please read the installation instructions below carefully before starting the upgrade process!

  1. Download Upgrade
  2. Installation Instructions
     • Free Version
     • Value Pac
     • Plus Pac
     • Deluxe Pac
  3. Installation Troubleshooting
  4. Change listing

  Download Upgrade

  The VP-ASP Shopping Cart updates contain all previous upgrades so you only need to install the latest upgrade.

  	Download the upgrade for theFREE VP-ASP Starter Pac	Download
  	Download the upgrade for theValue, Plus! and Deluxe Pacs. ( Requires an order number )	Download

  FREE VP-ASP Starter Pac Upgrade Installation Instructions:

  1. The files in thearchivefolder are included as replacements for the copies from your original version. Please copy this folder into the location you have saved your original download of VP-ASP, in case you need them in the future.

     YOU DO NOT NEED TO UPLOAD THE ARCHIVE FOLDER TO YOUR SERVER.

  2. Upload all files and foldersEXCEPTthe ARCHIVE folder to your server.

  3. Open your browser and enter the URL for your shop followed by convertsql.asp (eg.http://www.vpasp.com/shopping/convertsql.asp- wherehttp://wwww.vpasp.com/shoppingis your URL) and enter one of the below items into the text box (choose the item that matches the database you are using):
     • upgrade/upgrade_access.txt
     • upgrade/upgrade_sqlserver.txt
     • upgrade/upgrade_mysql.txt

     When you have done this, you can delete the UPGRADE folder and CONVERTSQL.ASP from your server.

  4. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     
     In theupdatezip, there is a file called shopadmin.asp.

     Open this file and locate the following line near the top:

     const xadminpage = "shopadmin.asp"

     Change this to be the name of your current admin login page.

     eg. const xadminpage = "myadminloginpage.asp"

     
     Locate the following line, also near the top:

     const xsecondpassword = ""

     Change this to be your second password

     eg. const xsecondpassword = "mysecondpassword"

     Delete your current admin login page and rename shopadmin.asp to be the same name as your old file.

     Upload the new admin login page to your server (please be sure to delete shopadmin.asp from your server if you have uploaded it).

  5. Several new language variables have been included in thisupdate.
     
     In your shop administration pages, go to Occassional Tasks >International >Add Language
     
     Follow the installation steps as per the following helpnote, but substitute the word Spanish as in the example, for English -
     
     http://www.vpasp.com/helpnotes/shopexd.asp?id=318
     
     You will then need to Reset Language and select English.
     
     If you have any other languages installed, you will need todownloadthem and reinstall them too.

  6. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     
     Two new menu items have been added with this update -

     • Customer Orders
     • Manage Downloads
     If you wish, login to your admin go to OCCASIONAL TASKS >USERS >Admin Users and grant your users access to the newly added menu items.
     
  7. Login to your admin and go to the Setup tab. Click Reload Configuration.

  
  VP-ASP Value Upgrade Installation Instructions:

  1. The files in thearchivefolder are included as replacements for the copies from your original version. Please copy this folder into the location you have saved your original download of VP-ASP, in case you need them in the future.

     YOU DO NOT NEED TO UPLOAD THE ARCHIVE FOLDER TO YOUR SERVER.

  2. Upload all files and foldersEXCEPTtheARCHIVE, VPASP_PLUS_ONLYandVPASP_DELUXE_ONLYfolders to your server.

  3. Open your browser and enter the URL for your shop followed by convertsql.asp (eg.http://www.vpasp.com/shopping/convertsql.asp- wherehttp://wwww.vpasp.com/shoppingis your URL) and enter one of the below items into the text box (choose the item that matches the database you are using):
     
     • upgrade/upgrade_access.txt
     • upgrade/upgrade_sqlserver.txt
     • upgrade/upgrade_mysql.txt
     
     When you have done this, you can delete the UPGRADE folder and CONVERTSQL.ASP from your server.
     
  4. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     In the update zip, there is a file called shopadmin.asp.

     Open this file and locate the following line near the top:

     const xadminpage = "shopadmin.asp"

     Change this to be the name of your current admin login page.

     eg. const xadminpage = "myadminloginpage.asp"

     
     Locate the following line, also near the top:

     const xsecondpassword = ""

     Change this to be your second password

     eg. const xsecondpassword = "mysecondpassword"

     Delete your current admin login page and rename shopadmin.asp to be the same name
     as your old file.

     Upload the new admin login page to your server (please be sure to delete shopadmin.asp from your server if you have uploaded it).

  5. Several new language variables have been included in this update.
     
     In your shop administration pages, go to Occassional Tasks >International >Add Language

     Follow the installation steps as per helpnote -http://www.vpasp.com/helpnotes/shopexd.asp?id=318

     But substitute the word Spanish as in the example, for English

     You will then need to Reset Language and select English.

     If you have any other languages installed, you will need todownloadthem and reinstall them too.

  6. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     

     Two new menu items have been added with this update -

     • Customer Orders
     • Manage Downloads

     If you wish, login to your admin go to OCCASIONAL TASKS >USERS >Admin Users and grant your users access to the newly added menu items.

  7. Login to your admin and go to the Setup tab. Click Reload Configuration.

  
  VP-ASP Plus! Upgrade Installation Instructions:

  1. The files in thearchivefolder are included as replacements for the copies from your original version. Please copy this folder into the location you have saved your original download of VP-ASP, in case you need them in the future.

     YOU DO NOT NEED TO UPLOAD THE ARCHIVE FOLDER TO YOUR SERVER.

  2. Upload all files and foldersEXCEPTtheARCHIVE, VPASP_PLUS_ONLYandVPASP_DELUXE_ONLYfolders to your server.

  3. Upload all files from theVPASP_PLUS_ONLYfolder to your server (upload the files into the same folder that you uploaded the files to in Step 3. Do not upload them to a folder called VPASP_PLUS_ONLY on your server).

  4. Open your browser and enter the URL for your shop followed by convertsql.asp (eg.http://www.vpasp.com/shopping/convertsql.asp- wherehttp://wwww.vpasp.com/shoppingis your URL) and enter one of the below items into the text box (choose the item that matches the database you are using):
     
     • upgrade/upgrade_access.txt
     • upgrade/upgrade_sqlserver.txt
     • upgrade/upgrade_mysql.txt
     
     When you have done this, you can delete the UPGRADE folder and CONVERTSQL.ASP from your server.
     
  5. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     In the update zip, there is a file called shopadmin.asp.

     Open this file and locate the following line near the top:

     const xadminpage = "shopadmin.asp"

     Change this to be the name of your current admin login page.

     eg. const xadminpage = "myadminloginpage.asp"

     
     Locate the following line, also near the top:

     const xsecondpassword = ""

     Change this to be your second password

     eg. const xsecondpassword = "mysecondpassword"

     Delete your current admin login page and rename shopadmin.asp to be the same name
     as your old file.

     Upload the new admin login page to your server (please be sure to delete shopadmin.asp from your server if you have uploaded it).

  6. Several new language variables have been included in this update.
     
     In your shop administration pages, go to Occassional Tasks >International >Add Language

     Follow the installation steps as per helpnote -http://www.vpasp.com/helpnotes/shopexd.asp?id=318

     But substitute the word Spanish as in the example, for English

     You will then need to Reset Language and select English.

     If you have any other languages installed, you will need todownloadthem and reinstall them too.

  7. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     

     Two new menu items have been added with this update -

     • Customer Orders
     • Manage Downloads

     If you wish, login to your admin go to OCCASIONAL TASKS >USERS >Admin Users and grant your users access to the newly added menu items.

  8. Login to your admin and go to the Setup tab. Click Reload Configuration.

  
  VP-ASP Deluxe Upgrade Installation Instructions:

  1. The files in thearchivefolder are included as replacements for the copies from your original version. Please copy this folder into the location you have saved your original download of VP-ASP, in case you need them in the future.

     YOU DO NOT NEED TO UPLOAD THE ARCHIVE FOLDER TO YOUR SERVER.

  2. Upload all files and foldersEXCEPTtheARCHIVE, VPASP_PLUS_ONLYandVPASP_DELUXE_ONLYfolders to your server.

  3. Upload all files from theVPASP_DELUXE_ONLYfolder to your server (upload the files into the same folder that you uploaded the files to in Step 2. Do not upload them to a folder called VPASP_DELUXE_ONLY on your server).

  4. Open your browser and enter the URL for your shop followed by convertsql.asp (eg.http://www.vpasp.com/shopping/convertsql.asp- wherehttp://wwww.vpasp.com/shoppingis your URL) and enter one of the below items into the text box (choose the item that matches the database you are using):
     
     • upgrade/upgrade_access.txt
     • upgrade/upgrade_sqlserver.txt
     • upgrade/upgrade_mysql.txt
     
     When you have done this, you can delete the UPGRADE folder and CONVERTSQL.ASP from your server.
     
  5. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     In the update zip, there is a file called shopadmin.asp.

     Open this file and locate the following line near the top:

     const xadminpage = "shopadmin.asp"

     Change this to be the name of your current admin login page.

     eg. const xadminpage = "myadminloginpage.asp"

     
     Locate the following line, also near the top:

     const xsecondpassword = ""

     Change this to be your second password

     eg. const xsecondpassword = "mysecondpassword"

     Delete your current admin login page and rename shopadmin.asp to be the same name
     as your old file.

     Upload the new admin login page to your server (please be sure to delete shopadmin.asp from your server if you have uploaded it).

  6. Several new language variables have been included in this update.
     
     In your shop administration pages, go to Occassional Tasks >International >Add Language

     Follow the installation steps as per helpnote -http://www.vpasp.com/helpnotes/shopexd.asp?id=318

     But substitute the word Spanish as in the example, for English

     You will then need to Reset Language and select English.

     If you have any other languages installed, you will need todownloadthem and reinstall them too.

  7. PLEASE NOTE: Customers upgrading from VP-ASP 6.08 can skip this step.
     

     Two new menu items have been added with this update -

     • Customer Orders
     • Manage Downloads

     If you wish, login to your admin go to OCCASIONAL TASKS >USERS >Admin Users and grant your users access to the newly added menu items.

  8. Login to your admin and go to the Setup tab. Click Reload Configuration.
     

  Troubleshooting

  PROBLEM:After applying the update, I receive the following error:

  Microsoft VBScript compilation error '800a0411'
  Name redefined
  /shopping/shop$version.asp, line 2
  const xvpaspversion = "6.09"

  SOLUTION:Open shop$config.asp and locate the following line:

  const xvpaspversion = "6.08"

  Change it to:

  'const xvpaspversion = "6.08"

  
  

  
  

  PROBLEM:After applying the update, I receive the following error in shopa_addproduct.asp:

  Microsoft VBScript runtime error '800a005e'
  Invalid use of Null: 'replace'
  /shopping/shopa_addproduct.asp, line 832

  SOLUTION: Re-download patch and replace existing copy of shopa_addproduct.asp with new one from patch zip.

  
  

  PROBLEM: After applying the update, the HTML editor no longer appears.

  SOLUTION: Re-download patch and copy EDITOR folder from patch zip over the top of your existing EDITOR folder.

  
  

  PROBLEM: After applying the update, hidden categories show in shopdisplaycategories.asp

  SOLUTION: Re-download patch and copy shopdisplaycategories.asp from patch zip over the top of your existing shopdisplaycategories.asp file.

  
  

  PROBLEM: After applying the update, when I try to run a Static HTML Generation, I receive this error:

  Missing } on field starting at 22

  SOLUTION: Re-download patch and copy shopfileio.asp from patch zip over the top of your existing shopfileio.asp file. If you are using the default templates, also copy over tmp_product.htm, tmp_productinvent.htm and tmp_productformat.htm.
  

  
  PROBLEM: I have address2 turned on and when it's left blank I get the following error:
  
  Microsoft JET Database Engine error '80040e21'
  Field 'customers.address2' cannot be a zero-length string.
  /shop/shopcustregister.asp, line 164
  
  SOLUTION:
  
  1. Download your Access database and open it
  2. Click on the Customers table and choose Design
  3. Select the address2 field
  4. Change the "allow zero length" to be True
  5. Save the table
  6. Reupload the database
  
  
  PROBLEM: When viewing my admin I get the following error:
  
  Microsoft VBScript runtime error '800a01f4'
  Variable is undefined: 'regFltr'
  /shop/shopheaders.asp
  
  SOLUTION: Open shopheader.asp and make the following changes.
  
  Locate the following lines:
  
  public dyninclude, include_vars, include_vars_count
  dim objfschk
  
  Add this below:
  
  dim regFltr,regFltr2
  
  
  Locate the following lines:
  
  public default function dyninclude(byval str_path)
  dim str_source
  
  Add this below:
  
  dim init_path
  err.clear
  
  
  Locate the following lines:
  private function processincludes(tmp_source, curdir, curdepth)
  dim int_start, str_path, str_mid, str_temp, localdir
  
  Change to:
  
  private function processincludes(tmp_source, curdir, curdepth)
  dim int_start, str_path, str_mid, str_temp, localdir,str_method,newdir
  
  
  Locate the following lines:
  
  private function readfile(str_path)
  dim objfile, matches
  
  Change to:
  
  private function readfile(str_path)
  dim objfile,matches,pend,pstart,str_temp_new,match,matches2,pend2,pstart2,cpystr,match2
  
  
  Save and upload to your server.
  
  

  PROBLEM: After applying the update, when I try to run a Static HTML Generation, I receive this error:

  Missing } on field starting at 22

  SOLUTION: Please try making the following changes to your shoptax.asp file:
  
  You will need to comment out line 50-52 of your shoptax.asp file:
  ' If getconfig("xtaxincludeshipping")="Yes" then
  ' taxprice=taxprice+shippingcost
  ' end if
  
  and change lines 273-278 from:
  if foundproduct=false then
  'VP-ASP 6.09 - fix for tax calculation when a discount is used
  'Newsubtotal=newsubtotal + ProdQuantity* ProdPrice
  Newsubtotal=oldsubtotal
  end if
  
  change to:
  if foundproduct=false then
  'VP-ASP 6.09 - fix for tax calculation when a discount is used
  'Newsubtotal=newsubtotal + ProdQuantity* ProdPrice
  Newsubtotal=oldsubtotal
  else
  if getconfig("xtaxincludeshipping")="Yes" then
  newsubtotal=newsubtotal+shippingcost
  end if
  
  end if