I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form injection attacks? I'm looking for good routines I can reuse on all of my form processing pages.
View RepliesI just wanted to share it with you guys and ask your opinions. Code:
View Replies View RelatedMy client received an email from a user who mentioned that by accident they had been typing (over the querystring I guess), and the url had become:
default.asp?pageid='asd
They then received a SQL Server error message.
My client contacted their webhost, who came back to them promptly and talked of 'SQL Injection', they said that we would need to secure the code as well as the permissions on the database(which I believe they have done)..
This is something I had over looked, and started to write a fix for a couple of nights ago...but I dont think its 100%....
Basically I now do this at the top of my default.asp page ...
Does anyone know how to prevent the browser from automatically adding the password to a form after a user name is entered? I need to be able to over ride the brower setting so turning off the option in IE is not really a solution.
View Replies View RelatedHow do people go about preventing the user from submitting a form for a 2nd time? For example, the user submits a form, clicks on the back button, and the submits the form again. I have used various techniques in the past (depending on circumstances) but I'd be interested in the techniques you guys currently use.
View Replies View Relatedhow can i Create daynamic pages or static pages Automatic .? i have a problem with my website i want Create page asp classic to every member The page name equal the member name www.Micrsoft.com/Ashraf.asp . If i have 3000 members in my website it's possible to generate 3000 pages for everymember Automatic and if it is possible how can i do this ?my Tec. are ASp classic and java script .
View Replies View RelatedI skinned an LMS (Learning Management System) using CSS and Javascript. The forms were skinned with niceforms.js, the site works perfectly in FF, IE 7 and IE6 but in ASP the javascript doesn't replace the images with the skinned elements. All the javascript functions initialize but the images are not placed in. Code:
View Replies View RelatedHow can submit form to two different action pages?
View Replies View RelatedHow can I send the same form inforamtion to two different URL's while only redirecting to one URL.For example, I send the info from a form to page1.asp and page2.asp, but the page redirects to page2.asp?
View Replies View RelatedI'm having a problem with a shared ssl cert from the host. I'm trying to pass 8 fields from an encrypted page to a redirect page that is encrypted and then to the final page which is also encrypted to store the data.
These page names are similar to the setup but are renamed here as: ....
How do I post an HTML form to multiple ASP pages? I need to do two things with my data at the same time and it would be very helpful if I could spawn the processes when the HTML form is posted, not through downstream ASP handling.
View Replies View RelatedAssuming the following code actually worked, I'd like to take data entered from one form and post it to two different locations. Hypothetically, I have a server in NY and one in LA that I want to get the same information.
<form action="http://ny.server.com/test.asp"
action="http://la.server.com/test.asp" method="post">
Name:
<input type="text" name="request" /><br />
<input type="submit" value="Submit">
'''Contents of ny.server.com/test.asp
<%
response.write "Data saved on NY server"
%>
'''Contents of server2.com/test.asp
<%
response.write "Data saved on LA server"
%>
Users enter data using HTML forms and it gets processed by an asp page that enters the data into the database. What I am trying to do is get a "confirm" page set up that will make sure the form was completed properly. If it is completed successfully, then the data from the form needs to be forwarded onto another asp page that will enter the data into the database.
My question is, what is the best way to forward the information on? Currently I am using querystring to handle this, but that doesn't work in some situations especially when one of my forms has a <textarea> box that seems cumbersome to send via querystring.
Is there a method I can use to easily forward the data from the form to subsequent pages after the first one ?
I have downloaded a Image Upload componet and incorporated it into my existing code. It is working great. My issue is that I cannot call a field from another table in SQL.
On insert.htm, I can do this:
ptrack = Clng(Request.QueryString("tracknumber"))
And I can get the tracking number of the specific client.
If I try to do this in insert.asp, it doesn't work. I have read other posts regarding this and I still cant get it to work. Like I mentioned before, it is a tracknumber, so its a numeric. Code:
I am going to have a form on one page that will have a bunch of options(checkboxes, radio buttons, text areas, text fields, etc.) and these options are going to deal with a certain category. Each category will have different options. Now after this form is filled out they will then proceed to another page to fill out contact information. Name, Addy, State, City, etc.
Now, after they fill this contact form out they will submit it and then it will go through a database and depending on what state and county they are in it will email the information from both forms to the email addresses in the database that match that state and county(as well as category). Now dont worry I aint wondering how to actually search the db and all that yet.
All I want to know right now is how do you remember the first forms information while you go to the second page to fill out the contact information? Using cookies? What? I dont want the form input to be displayed on the second page, just remembered.
So I will select all my options from the first form and fill out all the text areas and fields and all that then click on the Next button or whatever, then fill out contact info.
How do I get it to retain BOTH forms information, and for now just display both of them on a third page(like I said I will worry about the db query and email crap later). I hope this makes sense.
I'm using if for when the user deletes a record from the database. People using the website try and delete more than one record at a t time by placing commas between the IDnumber ie. 1,2,5,9 etc.
This creates an error. So instead of this error appearing, how can I get a small alert box telling hte user he/or she has entered the wrong data type?
The code for the form is :-
Is there a script that change email adrdresses to prevent SPAM.
ex: ticul@myprovider.com
I want it to appear like this on my webpage ticul@xxxxxxx.com or something that look like this
I've got multiple pages on the same server that all have the same drop down
boxes in them. It is a list of all our facilities. Every time there is a
change, I have to change it on every page. They are in the format below. Is
there an easy way to store all that data in a text file so I only have to
update it one place?
<option value="fac 1">fac 1</option>
<option value="fac 2">fac 2</option>
<option value="fac 3">fac 3</option>
In ASP classic pages,I want to know if it's possible to prevent
session variables from becoming zero length strings? I have tried
setting the Session.Timeout to a large value, but alwas, after 20
minutes, my session variable times out. I also tried setting the
session timeout in IIS manager to a high value, but this did no good
either.I just want to allow one particular session variable to last a long
time.
I have a permission tracking app that I am working on, and I have made the insert page for it. I am having issues on how to prevent duplicates from getting entered.
Currently the interface for the app has a mixture of select boxes, list boxes and checkboxes. The form submits the page to processAIMR.asp and then does the inserting. I am using a loop to insert a new record for each checkbox checked or listbox entry selected. Code:
I have a form that sends info to a preview page, then to a thank you page. The thank you page gets the data passed from the rpeview page and sends an email.
How can I prevent the user from refreshing the page, so it doesn't send the email again.
I would like to prevent a user from logging in with their user/password combination on a different computer or even a different browser window, if they are already logged in. I have a login page, from which I use a DB check to verify user/password info. Also, I have a bit loggedIN field in the DB, which I use to see if they are currently logged in; if so, I prevent them from logging in a second time.
Unless they click the "Log Out" button, then the DB value does not get changed. Any suggestions as to how I can log them out, even if they simply close the browser window or jump to a different page?
For instance here's a simple select statement Code:
("SELECT a, b,c d, e, f FROM Table WHERE a = "&CInt(j)&" and c= 0")
j is a dimmed variable which is a and it's numeric. Is the above protected against any non numeric instances? Like j=2,345..i've tested this and it works i'm just trying to see if i've covered all my tracks.
Is there a way in ASP to prevent including the same file more than once?
Example:
dbutil.asp needs constants.asp, so I include constants.asp inside dbutil.asp.
transact.asp also needs constants.asp, so I include constants.asp inside transact.asp.
transact.asp doesn't need stuff in dbutil.asp, and dbutil.asp doesn't need stuff in transact.asp.
Then later I might have a main.asp that needs both dbutil.asp and transact.asp. So I include them both. However, the constants.asp will be found to be included twice!
What can I do to creatively prevent multiple inclusion of the same file in ASP? I know how to do it in C and C++, but I can't apply that to ASP, it seems.
I have created an Intranet in my office using ASP (of course). Within it is a booking system, allowing booking of conference rooms, digital camera and other equipment. It works perfectly...almost, as there is no way to prevent double bookings.
I really don't know where to begin with this one. All bookings go to an Access DB, into a single table. The bookings have a start time and an end time (24hr).
I would like it so that when the user submits the form, if there is a clash in times instead of saying, thanks for your booking, to redirect them back to the booking page saying there is already a booking for this time and that I am very sorry!
I guess I have to check some value in access and return the info back to the webpage before it chooses where to redirect the user.
I am developing a Simple ASP Website with a login page. I want to
know how can I change Session ID after login and also Close the current
Session after User closes the Window or gets logged out of the Website. So
that every time user logs in into the website, Session ID will be unique.
We have 2 domains for internal purposes: one for users (have to login
and domain has SSL) and another for sponsors (have to login and domain
does NOT have SSL).
Now when a user logs in and there are pages that have info from the
sponsors domain, users are asked to login again with a warning message
saying if they want to see secure and nonsecure information. How can
I bypass the second login? Is there something I can do in active
directory, IIS, or ASP to not have the second login appear?
How can I prevent this from happening? For example when the asp
application works in a public terminal where we don't want successive
users to know the login password and user name of the previous ones?
I recently built a login page and a friend of mine was working on something similar and said that I need to protect the login from SQL injection. I am not really sure what exactly that is. I think I have a rough idea but can someone explain it to me?
In addition, I will need to obviously protect what I built and am not sure how to go about doing that either.
if anybody has a list of dodgy characters that can be used for sql injection attacks so that i can figure out a way to strip them from user inputs?
Also if somebody was filling in a form, that inserts into a "memo" field in access could this be used to launch such an attack or would whatever they type simply be inserted into the field? i hope that bit is clear.
i have a form field "message" which is a multi line text box, if someone typed into that box
DELETE * FROM Messages WHERE MessageID =1205
or some other command would that simply be inserted in to the database or would the server try and execute the command??
I have heard a lot about SQL Injection. I was wondering how does an injector come to know about the table/column name when they cannot see the asp codes in a website?
View Replies View Relatedhow do i test for SQL injection ?
sdo i do a SELECT statement in my username login?
Is it possible to "intercept" all calls to conn.execute and have them go to
a checking routine that will either let the command go through or terminate
it if it contains some illegal instructions? My clients company has had its
hacker free status revoked due to the possibility of sql injection. I could
put a function before every single conn.execute but we have hundreds of
them. Just wondering if there is some way of telling it to do something else
first. Maybe I can redefine conn.execute somehow?