Validating User Input To Avoid Attacks
I am working on a web application that uses both ASP Classic and ASP.NET pages. We need to validate user input to avoid attacks like SQL injection. Can a component be created that both page types can use? Is that the best approach? Would I simply use pattern matching to validate strings and/or remove any unwanted characters?
I have written a function to validate user input, so that it properly returns a valid time: if the user inputs 1600 or 16:00 or 4:00 pm, the time is properly formatted (it may need a little more tweaking, but you get the idea). This is the function: Code:
I'm using the following code and if someone enters something in the "instructions" field with characters -"', - it causes the SQL statement to change using those characters.
' Every form value is concatenated straight into the statement text, so a quote
' in any field (e.g. the "instructions" field) changes the SQL that gets executed.
' The line-continuation underscore must be preceded by a space in VBScript ("& _").
Dim strSQLadd
strSQLadd = "INSERT INTO orders" & _
"(form_number, orig_number, order_loannum, order_date, order_time, order_address, order_city, order_zip," & _
"order_contact, order_lockbox, order_agent, order_homephone, order_workphone, order_cellphone," & _
"order_legal, order_instructions, order_deliver, order_pay, order_altmail, order_appraiser) " & _
"VALUES (" & FormNum & "," & OrigNum & ",'" & CaseNum & "','" & OrderDate & "','" & OrderTime & "','" & pave & "','" & City & "','" & _
Zip & "','" & Owner & "','" & LockBox & "','" & Agents & "','" & BorHmP & "','" & BorWrkP & "','" & _
BorCellP & "','" & Legal & "','" & Instruct & "','" & DeliverType & "','" & Payment & "','" & AltMailType & "','" & AppName & "');"
objconn.Execute (strSQLadd)
Does anyone know if it's possible to create and email HTML forms? Email recipients would then input information into these forms in the same way that they would on a web page. Pressing the submit button would mail the form back, after which it would be separately submitted to an ASP page on the web server for processing.
The main reason for this is so we don't have all the issues associated with firewalls and security to deal with. Our corporate mail servers will strip out viruses, so that's not a problem.
I have a form that I am trying to append to include a CAPTCHA validation field.
I have added the CAPTCHA code to the end of the form itself and now I am struggling to make the processor do a couple of things:
***If the CAPTCHA validates as well as all the form input data>>confirmation page and send appropriate email.
***If the form is filled out, but the CAPTCHA authentication is wrong>>go back to the same page, keep the form filled out, and give one more chance to correctly enter the CAPTCHA field.
***If the form is being spammed.......fail and die gracefully.
Here is the processor code thus far: Code:
What is the best way to handle user input into a form which passes info to an .asp application. The problem I have is if somebody enters in "dave's" the asp code breaks because of the ' in the input field. What is the best way to handle this kind of input?
ASP without an Access database (my web server does not support this). I'm looking for some ASP code that can show a calendar on a web page. The people looking at the page should be able to type in a small message and a date and then send the info to the web page, which then updates itself.
I have a more specific example of my needs. Often when I need to arrange a meeting with friends, I send out a mail to e.g. 10 persons. They can choose between 3 different days and I want to find the day that most people can come.
Instead of getting mails back and evaluating these, I would like them to make their reservation on the ASP web page. This way the others can follow the "favorite" day that is occurring when a few people have typed their favorite meeting day. Hope this was understandable.
I have forms and photo upload features in my website. I'm using IIS 5.1 in Windows XP Pro. What do I need to add into my code to validate user input? I had an SQL injection attack before; now I use the Replace function to remove any malicious words such as SELE, DELE, Ad, etc. to prevent SQL injection attacks. Are there any other attacks that can be triggered in a text input field? What do I need to do to prevent them?
I also have a photo upload feature; it allows users to upload photos to my table and the photo will be displayed in the gallery. How can I validate that the user-uploaded file is an image file only? I mean users might be able to upload malicious scripts or viruses to my server. How can I prevent that?
I have a HTML page with a form on it. I have an ASP page that processes what a user has entered into the form (updates a database etc).
I now need a page that fits between these two pages to pre-process the user's input. I need to do it this way because I am not allowed to change either of the two existing pages.
I know how to read what the user has input into the form and I know how to pass control on to the next page.
What I have not been able to work out is how to change the user input and have those changes passed on to the next page as if nothing has happened (that is, the original ASP page just performs its Request.Form("item") calls as it always has, but instead of seeing what the user actually typed in, it should see the changed text as created by the new pre-process page).
I have tried using a regular expression replace but can only successfully make this change a variable and not the original form input. Equally, I cannot find a way of swapping the original form input string with the output variable from the replace.
Does anyone have any ideas on this one?
I want to add the "Did you mean" Google feature to searches on my website.
My website lets users search for a business using different parameters.
If there is no match, I want to do a spell check on the entered parameters.
I need to be able to check words against an English dictionary as well as add words (business names) to the dictionary. Code:
This problem only occurs when people are using Netscape 7.2. I've tested it myself and it works in IE and it DOESN'T work in Netscape 7.2. Here is the code:
Write a simple function to check the user input from a form. I need to check that the string contains only numbers, has a maximum length of, say, 15, and that the first number is zero.
Isn't there some line of code that I can write to tell ASP to treat everything between BLAH and /BLAH as text (including the apostrophe), so that users can type a name of "O'Malley" in a form and I can retrieve it and store it in my database?
We log hundreds of SQL injection attempts per day -- the type with CAST(0x44004500... AS VARCHAR(4000)). It amuses me that the last thing the attack does is DEALLOCATE its cursor. My SQL Server DBA tells me this makes no difference. So...
Are these hackers cargo cultists? Or am I missing something?
How to select a query according to user input for a web page in C#.NET with SQL Server 2000. I am trying to build a web page in C#.NET with SQL Server 2000 using Visual Web Developer 2005. I want to select and execute the query according to user input.
I have a form which has 2 textboxes which get the start date and end date from the user. Based on the start/end date my 1st query runs. Now if the user does not enter any start/end date I want to run another query which takes default dates from the database (which is in varchar, e.g. now()/now()-180) according to the logged-on user's permissions.
How to select the query?
I have a little code to add multiple items to a shopping cart based page. This code works perfectly, but it adds all of the info to the same input fields every time it loops. I need it to change the input names each time it loops. Here is the code:
How to elaborate this problem that I'm facing. OK, let's say I have a URL with an id number such as www.abc.com/memberpage.asp?memberid=12.
When I add the symbol ' at the end of the URL (like that: www.abc.com/memberpage.asp?memberid=12') and press enter, it will display an error for my page.
But when I try to put a ' at this web page here, it will not display any error. How can I do this with the ASP language? How can I avoid it using the ASP language?
I'm getting crazy with this. You know that when you install Office on your computer it installs a plugin for Internet Explorer, so when you click on a link to any Office document it opens the document inside the browser instead of asking to save it as with normal files.
Do you know how to make Internet Explorer ask to save the document with HTML or ASP or JavaScript? I know that I can disable this option in the Internet Explorer options but I don't want to make people do this. I don't want to zip the file either.
When I use the function CreateObject to create an instance of MS Word in the client script, IE security will prevent my script from creating it. I would not like to alter the security option. How to resolve this problem?
I want to run a query from input. There are 4 inputs that are optional for the user. So what is the simplest and fastest way to do it instead of too many If statements and repeating the query? What I've done now is similar to this:
id = Request.Form("id")
tittle = Request.Form("tittle")
caseVal = Request.Form("case")   ' "Case" is a reserved word in VBScript, so the variable is named caseVal
desc = Request.Form("desc")
If id <> "" Then
    ' Run Query
ElseIf tittle <> "" Then
    ' ... and so on for each optional input
End If
...I have to insert more If statements. How can I make it easier?
I'm making an application and I need to print a report. The problem is that depending on the browser printer configuration it is printed OK or not. Is there any way to make a document, such as PDF or DOC, from ASP to avoid these problems?
I sometimes have duplicate content in a comments page because impatient people send the same form twice (they press the Send button twice within a few seconds). How can I avoid this?
How can I avoid the Windows authentication screen for viewing a report in Reporting Services?
I am writing a web app using ASP.NET 1.1 and C#. This web app is launched from another Win32 application and this app needs to pass information to my web app. But this Win32 application doesn't support long strings (maximum 255).
I have to use an intermediate plain file and, in my web app, use Scripting.FileSystemObject to open the file and read the information in. Each time I launch the web page, I get a warning message saying "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?" Users need to click Yes to proceed.
All applications run in an intranet environment within a corporate network. My questions are "Can I avoid this error message?" and "Can I give permission to my particular web app to run Scripting.FileSystemObject?"
I am running IIS 5.1. I am invoking an ASP page on the server continuously from the HTML page, to update some contents of the HTML page. The ASP page seems to run from the cache sometimes (not always). I tried to give the following headers to my ASP file:
Response.Expires = 0
Response.AddHeader "pragma","no-cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"
Still the contents seem to get cached. How can I avoid this?
Is there a way to avoid On Error Resume Next for:
cnn.Open strCon
' email_address is concatenated straight into the EXEC string here
SQL = "EXEC Customer @txtEmail='" & email_address & "'"
Set rs = cnn.Execute(SQL)
'On Error Resume Next
email = rs("email_address")
'// This record does not exist, thus throwing up an error. I could use On
'// Error to resume and then do this
'// If rs.EOF Or rs.BOF
'//
.....But I hate this convention as I find debugging a problem. Is there a better way?
I have a table with the "title" field set to unique. In PHP I can do the following code to check whether the same input already exists or not:
// escape the value before it is placed in the statement
$title = mysql_real_escape_string($title);
$query = "insert into table (title) values ('" . $title . "')";
if (mysql_query($query)) {
    echo "New Title saved!!";
} else {
    // the insert fails on the unique "title" index when that title already exists
    echo "Title already exist!!";
}
My question, is there some similar method to do above operation in ASP? Code:
I am using an MS Access database to display the top 10 records containing title and date, and with each record a text named "NEW" is also displayed.
But I want to display "NEW" only with the records which are not older than a week. Is there some way to compare the present date with the date of each record?
Currently I have 2 pages, a form page and an action page, where the form will have 2 inputs, and the action page will insert the data into the database.
But I have tested that once I keep refreshing the action page, the data will be inserted again and again. Does anyone know how I can control this matter and avoid SQL injection?
I want to prevent clients from opening a file from my site by typing its path in their address bars. Is there any solution for that?
I would like to know what I can do to prevent Google from indexing some .doc files that are in a specified folder.
I need to provide a way to download software and its corresponding manual from a web page.
So far I have done the sign-in page where people give their data. I will then give access to a page with a link allowing them to download the required file(s).
My worry is how to prevent somebody from grabbing the URL of the file and sending it to another person for downloading directly from the server. What can I do to avoid this?
I am working with website in which a user can login and then submit some forms. I want the user to avoid re-submitting the same form twice when he uses the browser refresh or when he goes to another page and then comes back to that same page using the browser back button.
I know of two solutions:
1. Redirect to a different page after form submission - The problem with this approach is that the website has many forms. So redirecting each form to a different one is not a very feasible solution.
2. A token can be stored in session (or somewhere) after each form submission. These tokens can be verified if the form is being resubmitted - The problem with this approach is that the user can submit one form only once. I want the user to be able to submit the same form multiple times, provided with different data.
Is there a suitable solution where a form with the same data is submitted only once, but there is no such restriction with different data?
Can the ASP Request object be cleared after form submission, so even when the refresh button is pressed, the Request.Form elements don't have any data? (Storing ALL the information filled in each form during that session and then comparing for resubmit is not a clean solution, I think.)