This chapter will discuss methods of getting your control on the
World Wide Web. We'll cover not only the method of distributing
your controls to Web users, but also the basics of the VBScript,
the scripting language that enables you to program ActiveX controls
that you've embedded in your Web pages.
| NOTE |
Appendix A gives information on online references pertaining to Visual Basic that you might want to check out, including a Web page for this book. |
In order to have a place where users can view your Web pages (and download ActiveX controls), you need access to a Web server, a computer connected to the Internet that runs software designed to send Web pages to other users' computers.
For individuals, the easiest way to locate a Web page on a Web server is to obtain an Internet Service Provider (ISP) that offers space on their Web server as part of their basic service package. With this kind of setup, you don't have to worry about maintaining the technical details of the Internet connection; the ISP does it all for you. However, you may have to pay the ISP extra if your site is very large or very popular; check with your service provider for details on that.
If you have more sophisticated requirements, you may wish to set up your own Web server. Microsoft gives its Web server software away free as a part of the Windows NT Server operating system; there are a number of other Web server packages available from a variety of vendors.
Note that your Web server need not be hooked up to the Internet-at-large to be effective. Web servers designed to serve the needs of individuals within a department or organization are gaining popularity as a way to distribute information within corporations.
This chapter assumes that you have access to some kind of Web server and that you have the ability to place files on it.
If you're not hooked up to the Internet already, this chapter
still has relevance to you. Much of what is discussed in this
chapter has relevance both to the Internet and to intranets
(defined as private networks using technology standards developed
on the Internet).
| NOTE |
I personally can't stand the term intranet, since to a software developer, there is no such thing as an intranet. Your software either adheres to Internet standards and makes use of Internet technologies, or it doesn't. So this book won't make much of a distinction between the greater Internet and your intranet. Bear in mind that essentially anything having to do with Internet technologies is also applicable to intranets. |
Even if you're totally Net-impaired, you should be able to use and test most of the demonstrations in this chapter using a stand-alone machine. If you use Windows NT Server 3.51 or 4.0, you can use the free Internet Information Server (IIS) software; if you're on Windows 95, you'll want to investigate the Personal Web Server that comes with Microsoft FrontPage 97.
You start your ActiveX Web odyssey by obtaining a copy of ActiveX Control Pad. This is a tool you can use to put together Web pages; it's specifically geared toward building pages that contain ActiveX controls controlled with the VBScript language. I use this tool to test ActiveX controls in Web pages because it's free, it's fast, and it's no-nonsense. It also has some nice features for automatically inserting VBScript code into your HTML Web pages.
You can, of course, use other tools (including Microsoft FrontPage
and plain old Windows Notepad) to build Web pages containing ActiveX
controls, if you like. And while the Web page examples in this
chapter were created with the ActiveX Control Pad, you shouldn't
have too much trouble tailoring the discussion to your development
tool of choice, since the underlying HTML code is the same.
| NOTE |
You can obtain a free copy of the ActiveX Control Pad from the Microsoft Web site at http://www.microsoft.com/workshop/author/cpad/. |
Once you've obtained and set up the ActiveX control pad, you're ready to get started sticking your control into a Web page and writing code to make it do its magic.
In this demonstration, you'll use a combination of two Web technologies-HTML and VBScript-in order to embed a SoundButton control in a Web page.
Hypertext Markup Language (HTML) is the language that defines
the appearance of World Wide Web pages. You don't have to know
much of anything about HTML to get through this chapter, but you
will need to know something about it to set up and maintain a
Web site. Fortunately, it's not hard to learn.
| NOTE |
The greatest books on how to get started with HTML are written by Laura Lemay. Her Teach Yourself Web Publishing with HTML 3.2 in 14 Days (Sams.net, 1996) and Teach Yourself Web Publishing with HTML 3.2 in a Week (Sams.net, 1996) are essential. (The "In a Week" title is a lighter-weight version of the "In 14 Days" book, which is comprehensive.) If you have not done so already, go acquire one or the other immediately. |
VBScript is a Microsoft extension to HTML. You can use VBScript to program ActiveX controls inside a Web page, among other things.
VBScript is a subset of Visual Basic. It lacks many of the features
of the Visual Basic language, because it is optimized for speed
and safety over the public Internet. (See the section titled "Safety
Considerations" later in this chapter for more about safety
on the Internet.)
| NOTE |
This section is (obviously and necessarily) an extremely limited discussion of the capabilities of VBScript. For more information on how to use VBScript, check out the Microsoft VBScript Web site at http://www.microsoft.com/vbscript, or check out the title Teach Yourself VBScript in 21 Days by Keith Brophy and Timothy Koets (Sams.net, 1996). It didn't actually take me 21 days to get through their book, and if you know Visual Basic already, it shouldn't take you that long, either. |
Now that you have the two-bit backgrounder on HTML and VBScript,
here's a brief demonstration of how to use an ActiveX control
in a Web page. This demonstration assumes that you have Microsoft
Internet Explorer 3.01, the ActiveX Control Pad, and the SoundButton
control installed on your machine. (If you didn't compile and
install the SoundButton control back in Chapter 12, there is an
installable version of the control on your CD-ROM.)
| NOTE |
The current version of Microsoft Internet Explorer for Windows 95 and Windows NT is 3.01. This update is supposed to fix some ActiveX-related problems, but Microsoft is a little cagey on exactly what those problems are. At any rate, if you have an older version, download the update. It ain't exactly the most expensive software in the world. |
In this demonstration, you'll create an HTML Web page that will contain an embedded SoundButton control. The point of this demonstration is not to have a fully functional Web page right off the bat, but just to make the control appear in the browser. To do this:
<p>This page demonstrates the SoundButton control. Not only does the SoundButton control emit a pleasant sound, but it can perform useful actions in a web page.</p>
Be sure to remember to type the <p> tag at the beginning and the </p> at the end of the sentence. This tag pair indicates that this is a paragraph, so that a paragraph break will be inserted after the text. The HTML should look like Figure 13.2.
Figure 13.2 : Web page with text.
Next you'll insert the SoundButton control in the page you're editing. To do this:
The ActiveX Control Panel has inserted the following code in your document:
<OBJECT ID="SoundButton1" WIDTH=84 HEIGHT=36
CLASSID="CLSID:7E0B5DF2-576C-11D0-9A3B-204C4F4F5020">
<PARAM NAME="_ExtentX" VALUE="2223">
<PARAM NAME="_ExtentY" VALUE="953">
<PARAM NAME="Caption" VALUE="Click Me!">
</OBJECT>
This is the code that makes the ActiveX control show up on the Web page. Here's a brief description of the lines of code that were inserted:
That's it. At this point your control is ready for testing (even though it doesn't really do anything yet). Leave the ActiveX Control Pad open for now; in the next section you'll bring up Microsoft Internet Explorer and try out your HTML page.
Now that you have a minimal HTML test page with a copy of your ActiveX control embedded into it, you can see how it looks in a Web browser. To test the Web page you're developing:
| NOTE |
The exact message you see when loading a control is dependent on your Web browser's security settings. The message displayed here is what you'd see when your browser's security is set to Medium. To change your browser's security settings, in Internet Explorer choose the menu command View, Options, then select the Security tab, then click on the Safety button. |
This page doesn't do much of anything, but if you click on the Click Me! button, you will be treated to the pleasant clicking sound you've grown so accustomed to.
Figure 13.4 : Potential safety violation dialog box.
Figure 13.5 : SoundButton Control in the browser window.
In the next demonstration, you'll return to the ActiveX Control Pad to make the page do something more useful.
Now that you have a rudimentary Web page, it's time to make it more functional. To do this, you'll add a VBScript procedure to it using the ActiveX Control Pad. To do this:
Figure 13.6 : ActiveX Control Pad Script Wizard.
http://www.mcp.com/
<SCRIPT LANGUAGE="VBScript">
<!-
Sub SoundButton1_Click()
Window.location.href = "http://www.mcp.com/zdpress/"
end sub
->
You can see that with the exception of the <SCRIPT> tag
and HTML comment tags (the <!- and -> tags), the code is
quite similar to a Visual Basic event procedure.
| NOTE |
The <!- and -> tags are HTML comment tags. In a normal HTML Web page, these tags mark the beginning and end of a comment; normally they are not interpreted by a browser. However, when a Web page contains a script, the body of the script is usually placed inside comment tags in order to keep Web browsers that don't understand the script (in this case, every browser in the world except Microsoft Internet Explorer 3.0) from displaying the lines of code that comprise the script as literal text in the Web page. The ActiveX Control Pad inserts these comment tags for you, but if you ever get to the point where you can hand-code VBScript, be sure not to forget these tags, or else your page will look goofy in non-Microsoft browsers. |
To test this procedure, do the following:
Well, that's it. You've created a test page that successfully
tests the two elements of the SoundButton control's interface
(its Click event and its Caption property) as well as its feature-set
enhancement (the pleasant clicking sound).
| NOTE |
A script debugger for VBScript Web pages is available free from Microsoft. You can use this tool to check the syntax of Web pages you create that include VBScript code. You can download this tool from the Microsoft Web site at http://www.microsoft.com/workshop/prog/scriptie. |
If you want, you can insert a few more lines of HTML code in your page to enhance it. To do this, replace the <BODY> tag with the following HTML code:
<BODY bgcolor=CCFFCC> <FONT FACE="Trebuchet MS, Ariel, Helvetica"> <h1>SoundButton Control Test</h1>
Here's a brief explanation of what the new HTML code does:
To test this, save the HTML file, switch to MS Internet Explorer, and refresh the page. It should look something like Figure 13.8 (although the exact color and font you see will depend on what you have installed on your system).
Figure 13.8 : Greatly enhanced SoundButton test page.
From here, you could go on to build a complete Web site based on SoundButton controls, clicking yourself silly in short order. But there are a few enhancements you need to make to the distribution of the SoundButton control-specifically, addressing the issue of the Potential Safety Violation warning, but also handling the actual installation of the control over the Net. I'll address those issues later in this chapter.
I know what you're saying. You're saying, "Well, Jeffrey, this may be all well and good, but the minute a Netscape user hits my page, the whole thing is going to go kablooey." Am I right? Well, friends, gather 'round, because I'm going to show you a way to display an ActiveX control that will look like an ActiveX control to a Microsoft Internet Explorer user and like a hyperlink to a Netscape Navigator user (or a user of any one of a number of other fine browsers).
The home page for this book (http://www.well.com/user/jeffreyp/activex/) contains a list of links to ActiveX-related resources. Originally, this list was a conventional list of hypertext links. But the more I worked with the pleasant-sounding SoundButton control, the more I liked the idea of a clicky hypertext button. So I decided to replace the hyperlinks with SoundButtons. Here's how I did it.
Originally, the HTML code that produced hypertext links on the book's home page looked like this:
<a href="author.html">About the Author</a><br> <a href="errata.html">Errata</a><br> <a href="xlinks.html">ActiveX Resources</a><br> <a href="vblinks.html">Visual Basic Resources</a><br> <a href="../vbscript/index.html">VBScript Links</a><br>
<a href="http://www.mcp.com/zdpress">Ziff-Davis Press</a>
But that was boring, and I'm a novelty freak, so I started replacing the hyperlinks with buttons. Here's what this looks like for the first hyperlink:
<OBJECT ID="sbnAuthor" WIDTH=83 HEIGHT=24
CLASSID="CLSID:7E0B5DF2-576C-11D0-9A3B-204C4F4F5020">
<PARAM NAME="Caption" VALUE="Author">
<a href="author.html">About the Author</a>
</OBJECT><br>
Although most of this could have been done with the ActiveX Control
Pad, there is one extra twist that makes the page compatible with
non-Microsoft browsers: the hyperlink
tag embedded inside the OBJECT tag. This works because
whenever a browser can't figure out what to do with a particular
tag, it generally tosses the tag out, ignoring it completely.
In the case of the OBJECT tag, non-Microsoft browsers can't figure
out what to do with the SoundButton control, so it displays the
part of the OBJECT tag it does understand: the hyperlink.
Microsoft browsers get the ActiveX control interface, other browsers
get the conventional hyperlink interface, and your Web page is,
once again, safe for democracy.
| NOTE |
You can view the underlying HTML of any Web page by going to the page, then choosing the menu command View, Source. This is a great way to get information on real-world usage of HTML and to answer the question "How'd they do that?" when you're viewing a page. |
In order to distribute your control over the Internet, you must create a special type of compressed installable file. The Setup Wizard (introduced in Chapter 12) has an option that enables you to build such files. To see how this works:
Figure 13.9 : Internet Package screen.
| NOTE |
For more information on component safety, see the topic Safety Considerations later in this chapter. |
| NOTE |
You can get information on locally hosting Visual Basic support files on the Microsoft Web site at http://www.microsoft.com/vbasic/controls/webmastr/cabs.htm. You would want to look into this information if you are planning to deploy your controls across a corporate intranet or if your users are otherwise restricted from downloading the Visual Basic distributables from www.microsoft.com. |
Figure 13.10: Safety dialog box.
In the directory you selected to serve as the repository for your controls, you should have a .CAB file, as well as a few other files I'll describe in the next section.
You should now be able to see that the directory you selected back in step 5 of the Setup Wizard process has been filled with files-specifically, a .CAB file and an .HTM file, as well as a subdirectory called Support that contains the original, uncompressed version of the control along with a few other files.
The .CAB file is the important one. This is a compressed file that contains your .OCX file and any other files required for your control to run. (Absent from this file are support files, such as the Visual Basic Virtual machine, for reasons discussed in the demonstration.) Because they're compressed and they don't include Visual Basic and Windows support files, .CAB files tend to be fairly small.They're perfect for placing on a Web page without slowing the download process too much, although the exact size of your control's .CAB file will obviously depend on the size and complexity of your control.
The .HTM file is important, too, because it shows you exactly what HTML code needs to be written in order to embed your control in a Web page. This is going to be old hat to you, assuming you followed the ActiveX Control Pad demonstration earlier in this chapter. But just for your edification, here are the contents of SNDBTN.HTM:
<HTML>
<!- If any of the controls on this page require licensing,
you must create a license package file.
Run LPK_TOOL.EXE in the tools directory to create the
required LPK file.
<OBJECT CLASSID="clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="LPKfilename.LPK">
</OBJECT>
->
<OBJECT
classid="clsid:7E0B5DF2-576C-11D0-9A3B-204C4F4F5020"
id=SoundButton
codebase="sndbtn.CAB#version=1,0,0,0">
</OBJECT>
</HTML>
Since SoundButton isn't a commercial file, you don't need to worry about the licensing part (see the section later in this chapter about distributing licensed controls). The other code should be familiar to you, except for the CODEBASE tag, which I'll explain next.
When you deploy your ActiveX control on the Internet, you need to provide a way for the Web browser to find the binary .OCX file in situations where the user's machine doesn't already have it.
You use a <CODEBASE> tag to do this. A <CODEBASE>
tag is part of the <OBJECT> tag; it tells the Web browser
where to download the software component. The value of a CODEBASE
tag can be an .OCX file, but it's more commonly a .CAB file. The
location of a file in a CODEBASE tag can be on a disk drive on
your LAN, or it can be a URL.
| NOTE |
This may seem obvious, but it's worth stating explicitly: If your Web browser runs across a Web page that contains an ActiveX control that is already installed on your system, it won't bother to re-download the control. This is a great thing, because it means that Web browsers don't have to re-download your ActiveX component each time they visit your page. This behavior is in contrast to Java components, which must be downloaded fresh each time you hit the page into which they are embedded. There is an emerging Java technology specification called Java Beans that seeks to make Java applets behave like ActiveX controls in this respect. |
You can see that at the end of the CODEBASE tag, the VERSION parameter was added. This is important because it directs the Web browser to download the latest version of the ActiveX control if it needs to.
For example, let's say you make enhancements to the SoundButton control, releasing version 2.0. You update all the HTML files on your Web site so the CODEBASE tag refers to version 2.0 of the control. Later, a user who has version 1.0 of the SoundButton control on her computer hits one of your Web pages. Because the CODEBASE tag indicates that the HTML page requires SoundButton 2.0, her browser knows to download the new version before rendering the Web page.
Note that when a browser downloads and installs a new version of a control, it overwrites any previous version the end user has installed on his or her computer. This is one reason why it's important that your control maintain a consistent, backward-compatible interface across versions, so that upgrading to a newer version of the control doesn't break existing applications.
The GUID used as an argument to the CODEBASE tag is generated at the time the control is compiled. The GUID of a particular control should never change after the control is released, even if you release a new version of the control. (To enforce this, you turn binary compatibility on when compiling the control; for more information on this, see Chapter 12.)
It goes without saying that to avoid transcription errors, you should avoid typing a GUID directly into the OBJECT tag. Use the ActiveX Control Wizard, or copy and paste the OBJECT tag in from the sample HTML file generated by the Setup Wizard.
Safety refers to a control's ability to cause harm to an end-user's computer. A control is said to be safe if it is incapable of performing such actions as filling the user's hard drive, shutting down the user's computer, and filling memory.
It is your responsibility as the control's author to devote mental resources to determining if your control is safe. This is particularly the case if your control is signed, because signed controls include your or your company's name. If you certify a control as safe and it's really not, end users can figure out who you are through your code signature, find you, hunt you down, and gnaw on your limbs.
Script-safe controls are certified by the control author (you) to be incapable of damaging a machine no matter what the script does. Put another way, when you certify a control as script-safe, you're saying that no scripting command can possibly cause your control to harm someone's computer.
Controls that are initialization-safe are certified to not cause problems on an end user's machine no matter what wacky values the control's initial properties (in its PARAM tags) are set to.
For example, consider a control that has a Picture property. If you permit a user to assign the Picture property of your control to a 9GB picture file, it's going to download that file and hang the user's machine. If your control has the ability to save to a file (something that isn't possible to do using scripting, but is possible to do using Visual Basic and is therefore possible to do using an ActiveX control), you need to make sure that the control can't overwrite a file (such as a vital operating system file) or fill the end user's hard drive with files.
Does safety mean you can't build ActiveX controls with properties that can be freely set? No, it just means you can't distribute such controls on the Net and mark them as safe. Does safety mean that you can't use unsafe constituent controls in your ActiveX control? Again, no. The degree of safety provided by your control is a function of the elements its interface provides.
When you distribute licensed controls over the Web, you must contend with additional issues, most of which stem from the fact that on the Web, there is no such thing as design-time.
The solution to this problem is to create a license package file
that temporarily checks out a license to the Web browser. This
license is held in memory, enabling the Web browser to display
the control, but it does not permit the user to then use your
control in a development environment such as Visual Basic (unless,
of course, the user has purchased a licensed version of your control
and installed it on his computer).
| NOTE |
For your control to support licensing, you must specify a licensing option at the time the control is compiled. See Chapter 12 for information on how to do this. |
You'll recall from the previous section that the Setup Wizard put the following license package-related code in the SoundButton control's sample HTML file:
<!- If any of the controls on this page require licensing,
you must create a license package file.
Run LPK_TOOL.EXE in the tools directory to create the
required LPK file.
<OBJECT CLASSID="clsid:5220cb21-c88d-11cf-b347-00aa00a28331">
<PARAM NAME="LPKPath" VALUE="SoundButton.LPK">
</OBJECT>
->
If the SoundButton control were a licensed control, you would be required to include this HTML at the top of any Web page in which a SoundButton control resided. You'd also be required to create and store the file SoundButton.LPK (the SoundButton control's license package file) on the Web server along with the .CAB file for your control. The following section describes how to create a license package file.
The Lpk_tool utility enables you to create a license package (.LPK) file. To create an .LPK file for the SoundButton control, do the following:
| NOTE |
The Lpk_tool utility used in this book was taken from the ActiveX Software Development Kit because the beta version of Visual Basic used for testing the examples in this book did not contain it. However, it is likely that the Lpk_tool utility will be included with the final, shipping version of Visual Basic 5.0. |
Figure 13.11: Lpk_tool utility.
So you've got a compiled control, you've marked it as safe for scripting and safe for initialization, you've made it into a .CAB file, you've put it on a Web server, and you've purchased it the cutest little pair of footed jammies with bunny ears. You may think your life is complete, but there's something missing-you still don't have everything you need to put your control on the public Internet.
In order to distribute your controls over the Web, you must digitally sign your control. Signing your control embeds information that connects you, the software developer (or software development company), with the file you're distributing. The theory here is that if your name is associated with the software you write, it's less likely that you'll write controls that will reformat people's hard drives, shut down their computers, or stomp through downtown Tokyo crushing buildings and breathing fire. Digital signing, then, is a way of keeping ActiveX control developers from unleashing destructive control abominations upon the Internet landscape.
The process of digitally signing code is known as Authenticode. In order to digitally sign a control created in Visual Basic, you must go through the following steps:
The first step to getting your signed controls on the Web is to sign up with a certificate authority. As of this writing, there is only one certificate authority, Verisign, although there may be more authorities by the time you read this book. The Verisign page is at http://digitalid.verisign.com/.
The starting point to obtain a digital ID is http://digitalid.verisign.com/codesign.htm. If you're an individual software developer, you want to get a Class 2 certificate, which as of this writing costs $20 a year. If you're registering a company that produces software, you'll need to obtain a Class 3 certificate, which costs $400 a year. Also, if you are based outside of the U.S. or Canada, you can't get a Class 2 certificate.
The Verisign Web pages tell you exactly what you need to get signed up. The process to receive a digital ID is arranged in a series of steps; each Web page tells you what's required in detail, and it's pretty hard to mess up. The steps are:
After you've supplied this information, Verisign will e-mail you a digital ID personal identification number (PIN) that you'll need to activate your digital ID. (Doing it this way verifies that the e-mail address you gave them is valid.) When you receive this PIN, you return to Verisign's Web site, enter the PIN, and your digital ID request is complete.
At this point, the request process generates two files on your machine: a credential file and a private key. Because it can be made to work like a signature, you should store the private key on a disk that is not connected to the Net. (I keep mine on a floppy, with a backup in my safe deposit box at my bank.)
The credential file contains information about who you are, such
as whether you're an individual or a business and what your e-mail
address is. Both the credential file and the private key are used
by the signing utility when you sign your file.
| NOTE |
Authenticode should not be looked at as an airtight security system for ActiveX objects. Instead, it's a way to make developers more accountable for the effects of the software they create. The premise is that a developer will devote more effort into debugging and safety verification if that developer can be identified through Authenticode. Authenticode is based on two concepts: integrity and authenticity. The premise of authenticity dictates that if your name is attached to the code you're distributing, it's less likely to contain a virus or other destructive code. The principle of integrity covers situations where your code might be altered by a malicious third party. But just because the code is authentic doesn't mean it doesn't contain bugs, for example. |
Once you've obtained a software publisher's certificate, you can
use the Signcode utility to digitally sign your files. Signcode
is a utility that comes with the ActiveX SDK (on my machine, it's
installed into the \inetsdk\bin\i386 directory).
| NOTE |
The Signcode utility used in this book was taken from the ActiveX Software Development Kit because the beta version of Visual Basic used for testing the examples in this book did not contain it. However, it is likely that this utility will be included with the final, shipping version of Visual Basic 5.0. |
When you run Signcode, it launches the Code Signing Wizard, as illustrated in Figure 13.12.
Figure 13.12: Code Signing Wizard.
To sign your code using Code Signing Wizard, do the following:
Figure 13.13: Code Signing Wizard with the details filled in.
Figure 13.14: Code Signing Wizard screen with credential and private key information.
The wizard will read the files it needs to read, then it will alter your .CAB file to accommodate the digital signature. When it's done, it will display a message saying that it successfully signed the program.
The easiest way to test a signed ActiveX control is to load it through Microsoft Internet Explorer. If the control hasn't been installed on your computer before and it has been signed properly, your digital certificate will appear after the control is downloaded, as Figure 13.15 illustrates.
When this certificate appears, it confirms your identity to the end users of your control.
Figure 13.15: SoundButton control certificate.
| NOTE |
If the control has been installed on your computer before and you want to uninstall it for the purpose of testing a Web installation, use the Regsvr32 utility. This utility is described in Chapter 12. |
In this chapter you learned how to embed an ActiveX control into an HTML Web page using the ActiveX Control Pad. You also saw how to create a .CAB file, a compressed file that enables Web users to seamlessly download your ActiveX control with a Web browser.
In the next chapter, you'll take this crazy Internet thing one step further, creating Internet-aware controls that transmit data over the Net and have the ability to remotely download their properties.