malevolent form variables

 
 
nutso fasst
 
      01-21-2008
OK, I know of bad things that can happen when form variables are displayed
without filtering for HTML tags, but how can the contents of a form variable
take control of VB script code execution and delete a variable that contains
those contents plus other text?

I have a form-processing ASP page (VB script) that emails some form
variables using a component. The gist is something like this:

' build a variable that appears on the page:

items = Request.Form("item1") & "<br>" & Request.Form("item2")

' modify it for the email message:

mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Given the above, even if the form is submitted with no data by user at IP
99.99.99.99, the email message should still be:

Items:

99.99.99.99

BUT recently, someone began submitting form data such that I received
totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
thusly:

emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Now when this person submits form data, the email DOES contain the length of
emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
the length of emailbody is ZERO! It sure looks like something in the form
variables is doing some dirty work.

IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
is being submitted from the local form. How can this be happening?

nf




 
 
Anthony Jones
 
      01-21-2008

"nutso fasst" wrote:

> OK, I know of bad things that can happen when form variables are displayed
> without filtering for HTML tags, but how can the contents of a form variable
> take control of VB script code execution and delete a variable that contains
> those contents plus other text?
>
> I have a form-processing ASP page (VB script) that emails some form
> variables using a component. The gist is something like this:
>
> ' build a variable that appears on the page:
>
> items = Request.Form("item1") & "<br>" & Request.Form("item2")
>
> ' modify it for the email message:
>
> mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
> & Request.ServerVariables("REMOTE_ADDR")
>
> Given the above, even if the form is submitted with no data by user at IP
> 99.99.99.99, the email message should still be:
>
> Items:
>
> 99.99.99.99
>
> BUT recently, someone began submitting form data such that I received
> totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
> thusly:
>
> emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
> mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
> & Request.ServerVariables("REMOTE_ADDR")
>
> Now when this person submits form data, the email DOES contain the length of
> emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
> the length of emailbody is ZERO! It sure looks like something in the form
> variables is doing some dirty work.
>
> IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
> is being submitted from the local form. How can this be happening?
>


Does your code contain this line:

On Error Resume Next

If so, remove it and see if the line is generating an error.

--
Anthony Jones - MVP ASP/ASP.NET
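The VBScript below is an added example, not code from either post. It reproduces the symptom nutso fasst describes (Len(emailbody) = 0 while REMOTE_ADDR still arrives) under the condition Anthony Jones asks about: an On Error Resume Next that silently skips a failing statement, leaves the variable Empty, and lets the remaining concatenations run. The second function shows the explicit Err check that surfaces the failure instead. The form values, the REMOTE_ADDR value and the failing helper BuildItems are constructed for the demonstration; nothing comes from Request.Form or the poster's mailer component, and the thread does not confirm this as the actual cause.

```vbscript
' Added example (not the thread's code). Run with: cscript //nologo demo.vbs
Option Explicit

Dim item1, item2, remoteAddr
item1 = "widget"            ' constructed stand-in for Request.Form("item1")
item2 = "gadget"            ' constructed stand-in for Request.Form("item2")
remoteAddr = "99.99.99.99"  ' constructed stand-in for REMOTE_ADDR

' Hypothetical helper standing in for whatever statement fails in the real
' page. It enforces a length limit and raises a runtime error when exceeded.
Function BuildItems(a, b)
    If Len(a) > 64 Then
        Err.Raise 5, "BuildItems", "item1 exceeds 64 characters"
    End If
    BuildItems = a & "<br>" & b
End Function

' Version 1: the original pattern with errors suppressed. When BuildItems
' raises, the whole assignment is skipped, emailbody stays Empty, Len(Empty)
' is 0, and the script carries on: a blank body, a zero, and the address.
Function MailBodySuppressed(a, b, addr)
    Dim emailbody
    On Error Resume Next
    emailbody = "Items: " & Replace(BuildItems(a, b), "<br>", vbNewLine) & vbNewLine
    On Error GoTo 0
    MailBodySuppressed = emailbody & vbNewLine & Len(emailbody) & vbNewLine & addr
End Function

' Version 2: the same logic with the error checked immediately after the
' risky call. The mail carries a failure record (error, source, input
' lengths) instead of a silently empty body.
Function MailBodyChecked(a, b, addr)
    Dim items, emailbody
    On Error Resume Next
    items = BuildItems(a, b)
    If Err.Number <> 0 Then
        MailBodyChecked = "ERROR " & Err.Number & " in " & Err.Source & ": " _
            & Err.Description & vbNewLine _
            & "item1 length=" & Len(a) & " item2 length=" & Len(b) & vbNewLine _
            & addr
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0
    emailbody = "Items: " & Replace(items, "<br>", vbNewLine) & vbNewLine
    MailBodyChecked = emailbody & vbNewLine & Len(emailbody) & vbNewLine & addr
End Function

WScript.Echo "--- normal input, errors suppressed ---"
WScript.Echo MailBodySuppressed(item1, item2, remoteAddr)
WScript.Echo "--- over-long input, errors suppressed (blank body, Len 0) ---"
WScript.Echo MailBodySuppressed(String(80, "x"), item2, remoteAddr)
WScript.Echo "--- over-long input, error checked ---"
WScript.Echo MailBodyChecked(String(80, "x"), item2, remoteAddr)
```

The diagnostic value of the checked version is that every field length and the Err record reach the mail, so an unexpected request can be distinguished from a script fault without guessing from a blank message.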

 
 
nutso fasst
 
      01-21-2008

"Anthony Jones" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Does you code contain this line:-
>
> On Error Resume Next


Thanks for the suggestion, but there is no On Error statement.

nf


 