'Oddest Problem with request.form' Thread RSS Feed

Oddest Problem with request.form

Fri, 02 Mar 2007 22:19:14 -0700

I have a form as shown below (I removed all the table tags for clarity):
==================================================
<form name="account_setup" method="POST" action="/customer/register.asp">
<input type="hidden" name="referer" value=>
User id: <input type="text" name="userid" size="20">
Password: <input type="password" name="userpass" size="20">
E-mail address: <input type="text" name=email size="50">
First Name: <input type="text" name=first size="50">
Last Name: <input type=text name=last size="50">
Company: <input type=text name=company size="80">
Street: <input type=text name=address1 size="80">
Suite: <input type=text name=address2 size="50">
City: <input type=text name=city size="80">
State: <input type=text name=state size="2">
Zip: <input type=text name=zip size="10">
Country: <input type=text name=country size="50">
Phone: <input type=text name=night_phone_a size="3">-
<input type=text name=night_phone_b size="3">-
<input type=text name=night_phone_c size="4"></td>
<input type="submit" value="Submit" name="B1" onclick="validate('account_setup');"> <input type="reset" value="Reset" name="B2"></p>
</form>
==================================================

The following is the .asp code which is called when the form is submitted:
==================================================
<%@ Language=VBScript %>

<%
Dim u1 ' Form storage variables
Dim u2
Dim u3
Dim u4
Dim u5
Dim u6
Dim u7
Dim u8
Dim u9
Dim u10
Dim u11
Dim u12
Dim u13
Dim u13b
Dim u13c
Dim u14
%>
The form data <%= Request.Form %>
<br>
<%
If Request.Form("userid") > "" Then
u1 = Trim(Request.Form("userid"))
u2 = Trim(Request.Form("userpass"))
u3 = Trim(Request.Form("email"))
u4 = Trim(Request.Form("first"))
u5 = Trim(Request.Form("last"))
u6 = Trim(Request.Form("company"))
u7 = Trim(Request.Form("address1"))
u8 = Trim(Request.Form("address2"))
u9 = Trim(Request.Form("city"))
u10 = Trim(Request.Form("state"))
u11 = Trim(Request.Form("zip"))
u12 = Trim(Request.Form("country"))
u13 = Trim(Request.Form("night_phone_a"))
u13b = Trim(Request.Form("night_phone_b"))
u13c = Trim(Request.Form("night_phone_c"))
u14 = Trim(Request.Form("referer"))

'combine the phone number into one string
u13 = u13 &u13b &u13c

response.write("Form Variables: <br>" )
response.write("userid = " &u1 &"<br>" )
response.write("userpass = " &u2 &"<br>" )
response.write("email = " &u3 &"<br>" )
response.write("first = " &u4 &"<br>" )
response.write("last = " &u5 &"<br>" )
response.write("company = " &u6 &"<br>" )
response.write("addr1 = " &u7 &"<br>" )
response.write("addr2 = " &u8 &"<br>" )
response.write("city = " &u9 &"<br>" )
response.write("st = " &u10 &"<br>" )
response.write("zip =" &u11 &"<br>" )
response.write("country = " &u12 &"<br>" )
response.write("phone = " &u13 &"<br>" )
response.write("referer = " &u14 &"<br>")

' Build the SQL insert command
strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"
response.write(strSQL)
End If
%>
==================================================
The line "The form data <%= Request.Form %>" will print all the form data while the lines:
response.write("Form Variables: <br>" )
response.write("userid = " &u1 &"<br>" )
response.write("userpass = " &u2 &"<br>" )
response.write("email = " &u3 &"<br>" )
{snip] all the remaining response.writes
Only print out the userid and userpass (u1 and u2), no other variables will print.

doing a response.write on strSQL shows the sql string but only with u1 and u2, all other uX variables are blank.

Here is the output:
==================================================
The form data referer=&userid=ttest&userpass=0427&passtwo=&%94em ail%94=mailloop@localhost.com&%94first%94=Tim&%94l ast%94=Test&%94company%94=Anycompany%2C+Inc.&%94ad dress1%94=11108+Masters+Way&%94address2%94=C-102&%94city%94=Augusta&%94state%94=GA&%94zip%94=30 342&%94country%94=USA&%94night_phone_a%94=404&%94n ight_phone_b%94=111&%94night_phone_c%94=2222&B1=Su bmit

Form Variables:
userid = ttest
userpass = 0427
email =
first =
last =
company =
addr1 =
addr2 =
city =
st =
zip =
country =
phone =
referer =
Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('ttest','0427','','','','','','','','','','','',' ')
==================================================

Clearly something is happening to variables u3 through u14 but I have no clue what it could be!

Please HELP!!!

Thanks,

Phil

Re: Oddest Problem with request.form

Sun, 04 Mar 2007 09:47:42 -0700

hi

Think I got the problem!

<input type=text name=last size="50">

you are using and not " around the type attribute value.

You see that in

The form data referer=&userid=ttest&userpass=0427&passtwo=&%94em ail%....

Because there's a lot of %94 and those should not be there.

Also, do not use

strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"

it is a bad practice because it is a major security risk and
will allow for SQL_injection attacks.
see http://en.wikipedia.org/wiki/SQL_injection

I also usually add a & "" to the request.form statements like

u10 = Trim(Request.Form("state") & "" )

So that if the "state" field is missing in the HTML form, then
you will not get an error/crash. Request.Form("state") returns
null in that case.

/WEBMASTER

Re: Oddest Problem with request.form

Mon, 05 Mar 2007 23:13:42 -0700

Good catch on the quotes... not sure how those got in there but its certainly a good example of the block-copy method of bug propogation! LOL

I'll look closer at the SQL injection issues... thanks for that tip!

Phil
: hi
:
:
: Think I got the problem!
:
: <input type=text name=last size="50">
:
: you are using and not " around the type attribute value.
:
: You see that in
:
: The form data referer=&userid=ttest&userpass=0427&passtwo=&%94em ail%....
:
: Because there's a lot of %94 and those should not be there.
:
:
:
: Also, do not use
:
: strSQL = "Insert INTO users (usr_id, usr_pass, usr_first, usr_last, usr_company, usr_addr1, usr_addr2, usr_city, usr_st, usr_postal, usr_country, usr_phone, usr_email, usr_referer) Values ('" &u1 &"','" &u2 &"','" &u4 &"','" &u5 &"','" &u6 &"','" &u7 &"','" &u8 &"','" &u9 &"','" &u10 &"','" &u11 &"','" &u12 &"','" &u13 &"','" &u3 &"','" &u14 &"')"
:
:
: it is a bad practice because it is a major security risk and
: will allow for SQL_injection attacks.
: see http://en.wikipedia.org/wiki/SQL_injection
:
:
: I also usually add a & "" to the request.form statements like
:
: u10 = Trim(Request.Form("state") & "" )
:
: So that if the "state" field is missing in the HTML form, then
: you will not get an error/crash. Request.Form("state") returns
: null in that case.
:
:
:
:
:
: /WEBMASTER
:
: