Request.form issues


  1. #1

    Request.form issues

    Hi all,

    Perhaps you can help me with two problems.

    1. I have a form with an input field that includes a URL that I want to store in an Access DB. I get error characters when trying to write it to an Access DB. When the field (name URL) includes e.g. "", the stored value in the .mdb file gets "1,". What is wrong? Samples of my code in the forms page:
    --
    <FORM name="mainform" ACTION = "updatecomponent.asp?component=1" METHOD = "post" >
    <input name="web" type="text">
    --
    Samples of my code in the updatecomponent.asp page:
    --
    Set pConn = Server.CreateObject("ADODB.Connection")
    pConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strFilePath & "/data/test.mdb"

    sql = "update companies set web='" & request.form("web") & "' where id=" & request.form("id")

    pConn.Execute (sql)
    --

    2. I have a textarea on my form page that I post to the Access DB (just like the RESPONSE TEXT field on this site, actually). Problem is that when I post to the DB the textarea posts a lot of empty characters in the DB after the last data entered in the textarea. How can I avoid this?

    Samples of code from my form page:

    --
    <FORM name="mainform" ACTION = "updatecomponent.asp?component=1" METHOD = "post" >
    <textarea name="description" cols="75" rows="9">
    <% response.write(selection.Fields(2).Value) %>
    </textarea>
    --
    Samples of my code in the updatecomponent.asp page:
    --
    Set pConn = Server.CreateObject("ADODB.Connection")
    pConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strFilePath & "/data/test.mdb"

    sql2 = "update companies set description='" & request.form("description") & "' where id=" & request.form("id")

    pConn.Execute (sql2)

    --

    Many thanks in advance!!!

    Isac

  2. #2

    * Crosspost. And WAY not advanced. (eop)


  3. #3

    RE: Request.form issues

    Howdy Isac,

    For the first, probably somewhere in your form you have another input item named "web". It is probably before the first. When you have two or more items with the same name and request the values without indexing, you will get a single string, comma separated. Look for a second item named "Web" with a value of 1, and rename it.

    For number two, I don't see anyplace extra whitespace would come from. Perhaps you can try using the Trim function to clean up leading and trailing whitespace on the form value. I don't remember if the VBS Trim removes newlines as well, maybe someone else will comment.

    I have a few other critiques I hope you do not mind me mentioning. The first is you need to SQL encode every string you put in a database. You also need to HTML encode every string you write to the page from your database.

    For an SQL encoding example, if someone entered "Isac's Company" in your description field, your resulting SQL statement would look like:
    "update companies set description='Isac's Company' where id=0"

    As you can see, to the SQL parser, the string looks like it ends after the first c. You will get an SQL error on your page. But worse, suppose someone enters "'; drop table companies; --" as a description. Take a look at the SQL you would build now:
    "update companies set description=''; drop table companies; --' where id=0"

    The database sees two SQL statements and one comment. This should scare the crap out of you.

    SQL encoding consists of replacing every single apostrophe with two consecutive single apostrophes. The first SQL statement would then look like this:
    "update companies set description='Isac''s Company' where id=0"

    The two consecutive apostrophes are treated as one inside a string, and the value is entered into the database as expected. For the second example, the literal string is added harmlessly.
    To read more, search for "SQL Injection" on this forum or Google.

    They can also do the same thing with the numbers. Always make sure your numbers are indeed numbers (and only numbers) before using them in an SQL statement.

    For an example of the HTML encoding, they can enter a description of '"><script src=""></script><' and do all sorts of malicious things to your website. Steal database info, just about anything. To read more, search for "HTML Injection".

    For SQL encoding and number validation build yourself some functions:
    Function sqlEncode(ByVal s)
        ' Double every apostrophe so it can no longer terminate the SQL string literal
        sqlEncode = Replace(s, "'", "''")
    End Function

    Function numericValue(ByVal n)
        ' Only pass through values VBScript recognises as numeric; otherwise stop the page
        If IsNumeric(n) Then
            numericValue = n
        Else
            Response.Write("PANIC")
            Response.End()
        End If
    End Function

    Then, an example line from your code:
    sql = "update companies set web='" & sqlEncode(request.form("web")) & "' where id=" & numericValue(request.form("id"))

    Create validators for any other datatypes you use in your SQL too.

    For HTML encoding, use the built in:
    Server.HTMLEncode(...)

    Again, example lines from your code:
    <textarea name="description" cols="75" rows="9">
    <% response.write(Server.HTMLEncode(selection.Fields(2).Value)) %>
    </textarea>

    Call these functions with religious zealotry. I can't emphasize enough how important this is.

    Hope this helps,
    Scott
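As an added example (not Isac's or Scott's code), the same UPDATE written with ADODB.Command parameters: the Jet OLE DB provider receives the form values separately from the SQL text, so an apostrophe in "web" or "description" is data rather than syntax and the sqlEncode step is no longer the only line of defence. It assumes the pConn, strFilePath, companies table and web/description/id fields from the thread, with web as a Text column, description as a Memo column and id as a Long Integer.

```vbscript
<%
' Added example, not code from the thread: the same UPDATE done with
' ADODB.Command parameters. The values travel separately from the SQL text,
' so an apostrophe in "web" or "description" is data, never syntax.
' Assumed from the thread: pConn, strFilePath, the companies table and the
' web (Text), description (Memo) and id (Long Integer) columns.
' ADO constants are declared by value because adovbs.inc may not be included.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202
Const adLongVarWChar = 203
Const adExecuteNoRecords = 128

' Same idea as Scott's numericValue, but returns a real Long and rejects
' empty or decimal input, so the id can be bound as an integer parameter.
Function requireInteger(ByVal n)
    If Len(n) > 0 And IsNumeric(n) And InStr(n, ".") = 0 Then
        requireInteger = CLng(n)
    Else
        Response.Write("Invalid id")
        Response.End()
    End If
End Function

Dim pConn, cmd, web, description
' Request.Form("web").Count > 1 would confirm Scott's duplicate-field theory.
web = Trim(Request.Form("web"))            ' VBScript Trim strips spaces only, not CR/LF
description = Request.Form("description")

Set pConn = Server.CreateObject("ADODB.Connection")
pConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strFilePath & "/data/test.mdb"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = pConn
cmd.CommandType = adCmdText
' Jet accepts ? as a positional parameter marker; parameters are appended in order.
cmd.CommandText = "update companies set web = ?, description = ? where id = ?"
cmd.Parameters.Append cmd.CreateParameter("web", adVarWChar, adParamInput, 255, web)
cmd.Parameters.Append cmd.CreateParameter("description", adLongVarWChar, adParamInput, Len(description) + 1, description)
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, 4, requireInteger(Request.Form("id")))
cmd.Execute , , adExecuteNoRecords

pConn.Close
Set cmd = Nothing
Set pConn = Nothing
%>
```

Server.HTMLEncode is still needed when the stored description is written back into the textarea; parameters protect the database, not the page.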
