Active Server Pages

Oddest Problem with request.form Posted by ppetree on 2 Mar 2007 at 10:19 PM
I have a form as shown below (I removed all the table tags for clarity):
==================================================
<form name="account_setup" method="POST" action="/customer/register.asp">
<input type="hidden" name="referer" value=>
User id: <input type="text" name="userid" size="20">
Password: <input type="password" name="userpass" size="20">
E-mail address: <input type="text" name=email size="50">
First Name: <input type="text" name=first size="50">
Last Name: <input type=text name=last size="50">
Company: <input type=text name=company size="80">
Street: <input type=text name=address1 size="80">
Suite: <input type=text name=address2 size="50">
City: <input type=text name=city size="80">
State: <input type=text name=state size="2">
Zip: <input type=text name=zip size="10">
Country: <input type=text name=country size="50">
Phone: <input type=text name=night_phone_a size="3">-
<input type=text name=night_phone_b size="3">-
<input type=text name=night_phone_c size="4"></td>
<input type="submit" value="Submit" name="B1" onclick="validate('account_setup');"> <input type="reset" value="Reset" name="B2"></p>
</form>
==================================================

The following is the .asp code which is called when the form is submitted:
==================================================
<%@ Language=VBScript %>

<%
Dim u1 ' Form storage variables
Dim u2
Dim u3
Dim u4
Dim u5
Dim u6
Dim u7
Dim u8
Dim u9
Dim u10
Dim u11
Dim u12
Dim u13
Dim u13b
Dim u13c
Dim u14
%>
The form data <%= Request.Form %>
<br>
<%
If Request.Form("userid") > "" Then
u1 = Trim(Request.Form("userid"))
u2 = Trim(Request.Form("userpass"))
u3 = Trim(Request.Form("email"))
u4 = Trim(Request.Form("first"))
u5 = Trim(Request.Form("last"))
u6 = Trim(Request.Form("company"))
u7 = Trim(Request.Form("address1"))
u8 = Trim(Request.Form("address2"))
u9 = Trim(Request.Form("city"))
u10 = Trim(Request.Form("state"))
u11 = Trim(Request.Form("zip"))
u12 = Trim(Request.Form("country"))
u13 = Trim(Request.Form("night_phone_a"))
u13b = Trim(Request.Form("night_phone_b"))
u13c = Trim(Request.Form("night_phone_c"))
u14 = Trim(Request.Form("referer"))

'combine the phone number into one string
u13 = u13 &u13b &u13c

response.write("Form Variables: <br>" )
response.write("userid = " &u1 &"<br>" )
response.write("userpass = " &u2 &"<br>" )
response.write("email = " &u3 &"<br>" )
response.write("first = " &u4 &"<br>" )
response.write("last = " &u5 &"<br>" )
response.write("company = " &u6 &"<br>" )
response.write("addr1 = " &u7 &"<br>" )
response.write("addr2 = " &u8 &"<br>" )
response.write("city = " &u9 &"<br>" )
response.write("st = " &u10 &"<br>" )
response.write("zip =" &u11 &"<br>" )
response.write("country = " &u12 &"<br>" )
response.write("phone = " &u13 &"<br>" )
response.write("referer = " &u14 &"<br>")

' Build the SQL insert command
strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"
response.write(strSQL)
End If
%>
==================================================
The line "The form data <%= Request.Form %>" will print all the form data while the lines:
response.write("Form Variables: <br>" )
response.write("userid = " &u1 &"<br>" )
response.write("userpass = " &u2 &"<br>" )
response.write("email = " &u3 &"<br>" )
[snip] all the remaining response.writes
Only print out the userid and userpass (u1 and u2), no other variables will print.

Doing a response.write on strSQL shows the SQL string but only with u1 and u2; all other uX variables are blank.

Here is the output:
==================================================
The form data referer=&userid=ttest&userpass=0427&passtwo=&%94email%94=mailloop@localhost.com&%94first%94=Tim&%94last%94=Test&%94company%94=Anycompany%2C+Inc.&%94address1%94=11108+Masters+Way&%94address2%94=C-102&%94city%94=Augusta&%94state%94=GA&%94zip%94=30342&%94country%94=USA&%94night_phone_a%94=404&%94night_phone_b%94=111&%94night_phone_c%94=2222&B1=Submit

Form Variables:
userid = ttest
userpass = 0427
email =
first =
last =
company =
addr1 =
addr2 =
city =
st =
zip =
country =
phone =
referer =
Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('ttest','0427','','','','','','','','','','','','')
==================================================

Clearly something is happening to variables u3 through u14 but I have no clue what it could be!

Please HELP!!!

Thanks,

Phil
Re: Oddest Problem with request.form Posted by WEBMASTER on 4 Mar 2007 at 9:47 AM
hi


Think I got the problem!

<input type=text name=last size="50">

you are using ” and not " around the type attribute value.

You see that in

The form data referer=&userid=ttest&userpass=0427&passtwo=&%94email%....

Because there's a lot of %94 and those should not be there.



Also, do not use

strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"


it is a bad practice because it is a major security risk and
will allow for SQL_injection attacks.
see http://en.wikipedia.org/wiki/SQL_injection


I also usually add a & "" to the request.form statements like

u10 = Trim(Request.Form("state") & "" )

So that if the "state" field is missing in the HTML form, then
you will not get an error/crash. Request.Form("state") returns
null in that case.





/WEBMASTER
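
The parameterized form of the INSERT that the reply above warns against, as an added example that is not part of the original thread. It uses ADODB.Command with positional `?` placeholders; the open connection `conn`, the helper `FormText` and the maximum lengths are assumptions.

```vbscript
<%
' Added example, not code from the thread. Assumes an open ADODB.Connection
' named conn (hypothetical); the maximum lengths are assumed, not the real schema.
Const adVarChar = 200, adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128

' Read a form field as a trimmed string capped at maxLen characters.
' The & "" follows the reply's habit for fields missing from the form.
Function FormText(fieldName, maxLen)
    FormText = Left(Trim(Request.Form(fieldName) & ""), maxLen)
End Function

Dim cols, cmd, i, sqlCols, sqlMarks, val
' Each entry: column name, form field name, maximum length.
cols = Array( _
    Array("usr_id", "userid", 20), Array("usr_pass", "userpass", 20), _
    Array("usr_first", "first", 50), Array("usr_last", "last", 50), _
    Array("usr_company", "company", 80), Array("usr_addr1", "address1", 80), _
    Array("usr_addr2", "address2", 50), Array("usr_city", "city", 80), _
    Array("usr_st", "state", 2), Array("usr_postal", "zip", 10), _
    Array("usr_country", "country", 50), Array("usr_email", "email", 50), _
    Array("usr_referer", "referer", 255))

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' The phone number is combined from its three form fields, as in the original code.
sqlCols = "usr_phone"
sqlMarks = "?"
val = FormText("night_phone_a", 3) & FormText("night_phone_b", 3) & FormText("night_phone_c", 4)
cmd.Parameters.Append cmd.CreateParameter("usr_phone", adVarChar, adParamInput, 10, val)

' One placeholder and one bound parameter per column, appended in the same order.
For i = 0 To UBound(cols)
    sqlCols = sqlCols & ", " & cols(i)(0)
    sqlMarks = sqlMarks & ", ?"
    val = FormText(cols(i)(1), cols(i)(2))
    cmd.Parameters.Append cmd.CreateParameter(cols(i)(0), adVarChar, adParamInput, cols(i)(2), val)
Next

' Column names come from the fixed list above, never from the request.
cmd.CommandText = "INSERT INTO users (" & sqlCols & ") VALUES (" & sqlMarks & ")"
cmd.Execute , , adExecuteNoRecords
%>
```

Because the values travel as bound parameters, a name such as O'Brien is stored as data and its quote cannot end the string literal in the statement.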

Re: Oddest Problem with request.form Posted by ppetree on 5 Mar 2007 at 11:13 PM
Good catch on the quotes... not sure how those got in there but it's certainly a good example of the block-copy method of bug propagation! LOL

I'll look closer at the SQL injection issues... thanks for that tip!

Phil
: hi
:
:
: Think I got the problem!
:
: <input type=text name=last size="50">
:
: you are using ” and not " around the type attribute value.
:
: You see that in
:
: The form data referer=&userid=ttest&userpass=0427&passtwo=&%94email%....
:
: Because there's a lot of %94 and those should not be there.
:
:
:
: Also, do not use
:
: strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"
:
:
: it is a bad practice because it is a major security risk and
: will allow for SQL_injection attacks.
: see http://en.wikipedia.org/wiki/SQL_injection
:
:
: I also usually add a & "" to the request.form statements like
:
: u10 = Trim(Request.Form("state") & "" )
:
: So that if the "state" field is missing in the HTML form, then
: you will not get an error/crash. Request.Form("state") returns
: null in that case.
:
:
:
:
:
: /WEBMASTER
:
:




 
