Oddest Problem with request.form

I have a form as shown below (I removed all the table tags for clarity):
==================================================


User id:
Password:
E-mail address:
First Name:
Last Name:
Company:
Street:
Suite:
City:
State:
Zip:
Country:
Phone: -
-



==================================================

The following is the .asp code which is called when the form is submitted:
==================================================
<%@ Language=VBScript %>

<%
Dim u1 ' Form storage variables
Dim u2
Dim u3
Dim u4
Dim u5
Dim u6
Dim u7
Dim u8
Dim u9
Dim u10
Dim u11
Dim u12
Dim u13
Dim u13b
Dim u13c
Dim u14
%>
The form data <%= Request.Form %>


<%
If Request.Form("userid") > "" Then
u1 = Trim(Request.Form("userid"))
u2 = Trim(Request.Form("userpass"))
u3 = Trim(Request.Form("email"))
u4 = Trim(Request.Form("first"))
u5 = Trim(Request.Form("last"))
u6 = Trim(Request.Form("company"))
u7 = Trim(Request.Form("address1"))
u8 = Trim(Request.Form("address2"))
u9 = Trim(Request.Form("city"))
u10 = Trim(Request.Form("state"))
u11 = Trim(Request.Form("zip"))
u12 = Trim(Request.Form("country"))
u13 = Trim(Request.Form("night_phone_a"))
u13b = Trim(Request.Form("night_phone_b"))
u13c = Trim(Request.Form("night_phone_c"))
u14 = Trim(Request.Form("referer"))

'combine the phone number into one string
u13 = u13 &u13b &u13c

response.write("Form Variables:<br>")
response.write("userid = " & u1 & "<br>")
response.write("userpass = " & u2 & "<br>")
response.write("email = " & u3 & "<br>")
response.write("first = " & u4 & "<br>")
response.write("last = " & u5 & "<br>")
response.write("company = " & u6 & "<br>")
response.write("addr1 = " & u7 & "<br>")
response.write("addr2 = " & u8 & "<br>")
response.write("city = " & u9 & "<br>")
response.write("st = " & u10 & "<br>")
response.write("zip =" & u11 & "<br>")
response.write("country = " & u12 & "<br>")
response.write("phone = " & u13 & "<br>")
response.write("referer = " & u14 & "<br>")

' Build the SQL insert command
strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"
response.write(strSQL)
End If
%>
==================================================
The line "The form data <%= Request.Form %>" will print all the form data while the lines:
response.write("Form Variables:<br>")
response.write("userid = " & u1 & "<br>")
response.write("userpass = " & u2 & "<br>")
response.write("email = " & u3 & "<br>")
[snip] all the remaining response.writes
only print out the userid and userpass (u1 and u2); no other variables will print.

Doing a response.write on strSQL shows the SQL string, but only with u1 and u2; all other uX variables are blank.

Here is the output:
==================================================
The form data referer=&userid=ttest&userpass=0427&passtwo=&%94email%94=mailloop@localhost.com&%94first%94=Tim&%94last%94=Test&%94company%94=Anycompany%2C+Inc.&%94address1%94=11108+Masters+Way&%94address2%94=C-102&%94city%94=Augusta&%94state%94=GA&%94zip%94=30342&%94country%94=USA&%94night_phone_a%94=404&%94night_phone_b%94=111&%94night_phone_c%94=2222&B1=Submit

Form Variables:
userid = ttest
userpass = 0427
email =
first =
last =
company =
addr1 =
addr2 =
city =
st =
zip =
country =
phone =
referer =
Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('ttest','0427','','','','','','','','','','','','')
==================================================

Clearly something is happening to variables u3 through u14 but I have no clue what it could be!

Please HELP!!!

Thanks,

Phil

Comments

  • WEBMASTER Posts: 549 Member
    hi


    Think I got the problem!



    you are using ” and not " around the type attribute value.

    You see that in

    The form data referer=&userid=ttest&userpass=0427&passtwo=&%94email%....

    Because there's a lot of %94 and those should not be there.



    Also, do not use

    strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"


    it is a bad practice because it is a major security risk and
    will allow for SQL_injection attacks.
    see http://en.wikipedia.org/wiki/SQL_injection


    I also usually add a & "" to the request.form statements like

    u10 = Trim(Request.Form("state") & "" )

    So that if the "state" field is missing in the HTML form, then
    you will not get an error/crash. Request.Form("state") returns
    null in that case.





    /WEBMASTER
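
A parameterized version of the INSERT discussed above, as an added example that is not part of the original thread. It also reports any expected field that was not posted under its exact name, which is what the %94-wrapped names caused. The connection string, the 255-character varchar sizes and the helper names `FormValue` and `ValueFor` are assumptions.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' ADO constants (values from adovbs.inc), declared so the page is self-contained
Const adVarChar = 200, adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128
' Assumption: placeholder connection string, replace with your own
Const CONN_STR = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;"

' Form field names, in the same order as the columns of the INSERT below
Dim fields
fields = Array("userid", "userpass", "first", "last", "company", "address1", _
               "address2", "city", "state", "zip", "country", "phone", _
               "email", "referer")

' Trimmed form value. Count = 0 means no field with exactly this name was
' posted (for example because it arrived as %94email%94), so say so.
Function FormValue(name)
    If Request.Form(name).Count = 0 Then
        Response.Write "Missing form field: " & Server.HTMLEncode(name) & "<br>"
    End If
    FormValue = Trim(Request.Form(name) & "")
End Function

' The phone column is built from the three night_phone_* inputs
Function ValueFor(name)
    If name = "phone" Then
        ValueFor = FormValue("night_phone_a") & FormValue("night_phone_b") & _
                   FormValue("night_phone_c")
    Else
        ValueFor = FormValue(name)
    End If
End Function

Dim conn, cmd, i
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' One ? per column: values travel as parameters, never as SQL text
cmd.CommandText = "INSERT INTO users (usr_id, usr_pass, usr_first, usr_last, " & _
    "usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, " & _
    "usr_country, usr_phone, usr_email, usr_referer) " & _
    "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)"
For i = 0 To UBound(fields)
    ' Assumption: every column is a varchar of at most 255 characters
    cmd.Parameters.Append cmd.CreateParameter("p" & i, adVarChar, adParamInput, _
        255, ValueFor(fields(i)))
Next
cmd.Execute , , adExecuteNoRecords
conn.Close
%>
```

With this form a value such as `O'Brien` is stored as data and cannot change the shape of the statement.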

  • ppetree Posts: 2 Member
    Good catch on the quotes... not sure how those got in there but it's certainly a good example of the block-copy method of bug propagation! LOL

    I'll look closer at the SQL injection issues... thanks for that tip!

    Phil
    : hi
    :
    :
    : Think I got the problem!
    :
    :
    :
    : you are using ” and not " around the type attribute value.
    :
    : You see that in
    :
    : The form data referer=&userid=ttest&userpass=0427&passtwo=&%94email%....
    :
    : Because there's a lot of %94 and those should not be there.
    :
    :
    :
    : Also, do not use
    :
    : strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"
    :
    :
    : it is a bad practice because it is a major security risk and
    : will allow for SQL_injection attacks.
    : see http://en.wikipedia.org/wiki/SQL_injection
    :
    :
    : I also usually add a & "" to the request.form statements like
    :
    : u10 = Trim(Request.Form("state") & "" )
    :
    : So that if the "state" field is missing in the HTML form, then
    : you will not get an error/crash. Request.Form("state") returns
    : null in that case.
    :
    :
    :
    :
    :
    : /WEBMASTER
    :
    :
