Classic ASP - submitting unknown number and name of fields? - asp-classic

I have a large recordset being displayed to a user. Each record has an edit button which allows users to edit various data in the record. Certain records have more fields than others so the edit form has various different names and number of fields.
For example one record would produce the following if the edit button is clicked:
<form id="frm1" name="frm1" method="post" action="changeJob.asp?jobNo=1101&jQueryID=1" target="_blank">
<input type='text' name='Qty13' value='8' size="3" maxlength="3"/>
<input type="submit" name="btnFrm1" id="button" value="Submit" />
</form>
However another record would generate this:
<form id="frm2" name="frm2" method="post" action="changeJob.asp?jobNo=1102&jQueryID=2" target="_blank">
<input type='text' name='Qty15' value='8' size="3" maxlength="3"/>
<input type='text' name='Qty16' value='8' size="3" maxlength="3"/>
<input type='text' name='Qty17' value='8' size="3" maxlength="3"/>
<input type='text' name='Qty18' value='8' size="3" maxlength="3"/>
<input type="submit" name="btnFrm2" id="button" value="Submit" />
</form>
As above, each of the input fields is assigned its unique name eg "Qty14" and its form has its own name eg "frm2". These need to be unique because I have some jQuery plus and minus buttons which allow users to increment the quantities.
In changeJob.asp how can I determine which fields are being submitted where they have unique names and number? I can get the form name using a hidden field easily enough.
I am trying to achieve something like:
For Each field in frm1
    ** Do SQL Update **
Next
Any guidance would be most appreciated :)

Just iterate all the form collection and look for keys starting with the desired name:
Dim strSQL, curValue, blnFirst
blnFirst = True
strSQL = "Update MyTable Set "
For Each key In Request.Form
    If Left(key, 3)="Qty" Then
        'prevent nasty hacking
        If IsNumeric(Replace(key, "Qty", "")) Then
            curValue = Request.Form(key)
            If IsNumeric(curValue) Then
                If Not(blnFirst) Then
                    strSQL = strSQL & ", "
                End If
                strSQL = strSQL & key & "=" & curValue
                blnFirst = False
            End If
        End If
    End If
Next
If blnFirst Then
    'no values, show alert of some sort...
Else
    strSQL = strSQL & " Where [filter here]"
    '...
End If
This will build dynamic query based on the submitted values.
If each value needs a separate update, the code becomes simpler; hope you can change it yourself. :)
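A stricter variant of the loop above, as an added example that is not the answerer's code: VBScript's IsNumeric accepts more than plain digits (exponent and hex notation, for example), so this version checks key and value against digit-only patterns and binds the values as ADO parameters instead of concatenating them. It keeps the answer's mapping of field name to column name; the table MyTable, the key column JobNo, the function name and an already open ADODB.Connection in objConn are assumptions.

```vbscript
<%
' Added example. Assumed names: MyTable, JobNo, UpdateQuantities, objConn.
Const adInteger = 3, adParamInput = 1, adCmdText = 1   ' ADO constant values

' Returns the number of rows updated, or -1 if nothing valid was submitted.
Function UpdateQuantities(objConn)
    Dim reKey, reQty, reJob, key, rawVal, jobNo, setList, cmd, affected
    UpdateQuantities = -1

    Set reKey = New RegExp : reKey.Pattern = "^Qty[0-9]{1,4}$"  ' only Qty<digits> becomes a column
    Set reQty = New RegExp : reQty.Pattern = "^[0-9]{1,3}$"     ' the inputs use maxlength="3"
    Set reJob = New RegExp : reJob.Pattern = "^[0-9]{1,9}$"     ' fits in a Long

    jobNo = Request.QueryString("jobNo") & ""
    If Not reJob.Test(jobNo) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    setList = ""

    For Each key In Request.Form
        If reKey.Test(key) Then
            rawVal = Request.Form(key) & ""      ' a duplicated field arrives as "8, 9" and fails the test
            If reQty.Test(rawVal) Then
                If setList <> "" Then setList = setList & ", "
                setList = setList & key & " = ?" ' key is letters and digits only at this point
                cmd.Parameters.Append cmd.CreateParameter(key, adInteger, adParamInput, , CLng(rawVal))
            End If
        End If
    Next

    If setList = "" Then Exit Function           ' no usable Qty fields in the post

    cmd.Parameters.Append cmd.CreateParameter("jobNo", adInteger, adParamInput, , CLng(jobNo))
    cmd.CommandText = "UPDATE MyTable SET " & setList & " WHERE JobNo = ?"
    cmd.Execute affected
    UpdateQuantities = affected
End Function
%>
```

Fields that fail either pattern are skipped rather than repaired, so a post containing unexpected names or values changes nothing for those fields.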

I would love to help. Needing just a bit more info because I don't want to tell you stuff you already know. Can you tell me if you have code already to fill the form... as in... is this form for editing new and/or old data or only new records?
Also, have you thought of having one form but then have your server-side code (ASP) generate input boxes dynamically? This is my recommendation because having more than one form in this case (unless I'm missing something) is ... inelegant.
You can download this zip file which has two asp pages in it that demonstrate a more dynamic approach: http://www.oceanmedia.net/files/hk_config.zip

Related

Replicating remote site "attack" by force sending specific form data to a page

I have this simple form:
<form method="post" id="theForm" action="user-password.asp">
<input type="hidden" name="what" value="process" />
<fieldset>
<div>
<label for="email">Username or Email</label>
<input type="text" class="form-control" id="email" name="email" placeholder="Username or Email" />
</div>
<div>
<button type="submit" class="btn btn-success top10">Submit</button>
</div>
</fieldset>
</form>
I have a script which emails me when my Classic ASP pages error - I use this to get all of the form contents:
For ix = 1 to Request.Form.Count
fieldName = Request.Form.Key(ix)
fieldValue = Request.Form.Item(ix)
bb = bb & fieldName & ": " & fieldValue & vbcrlf
Next
bb = newstr(bb)
For the above page, the page errored with:
A trappable error (C0000005) occurred in an external object. The script cannot continue running.
The form contents were like this:
form: email[$acunetix]: 1
what: process
In order to improve the error handling on the page, I'd like to be able to replicate loading the form with whatever it was that was used to generate the form input which made the page error - in the above example the form field name is not email but is email[$acunetix], which seems to have broken the page when it tries to process the form.
However, I don't know what was done to do that. The same IP address spent about 40 minutes forcing all kinds of stuff onto my pages which eventually crashed my site requiring a server reboot.
I realise that is down to me not writing robust enough code - but - I wondered how I can replicate sending the form data shown above to the page, as I'm stuck trying to work out how to do that.

How to pass variable from hidden input box to another page

I am trying to get a value from a hidden input text box to another page, but it doesn't work. How to pass variable from hidden input box to another page?
Page1.asp
<input type="hidden" name="FormID" value="<% objRS("Form_id")%>
...
<input type="hidden" name="FormID" value="<%= nFormID %>">
<input type="button" value="Open Page2" onclick="openwin();"/>
Page2.asp
<%
iFormID = Request.Form("FormID")
sSQL = "select * from Form where Form_id = " & iFormID
When I click on the Button Open Page2, it doesn't get the value of FormID.
How do I fix it to get the FormID from Page1.asp?
Updated: when I tried to add a button with this JS, it won't get the variable from Page1.asp
I added this on page1.asp:
function openwin()
{window.open("Page2.asp","mywindow","width=500,height=400");}
<input type="hidden" name="FormID" value="<%= nFormID %>">
<input type="button" value="Open Page2" onclick="openwin();"/>
Thanks.
Since it seems like you're trying to open up a pop up window, I've added a second answer, as you are not actually POSTing any data. If you want to use a pop up, the easiest way is to put the data in the query string, like so:
function openwin()
{window.open("Page2.asp?formID=" + document.frmReport.FormID.value, "mywindow","width=500,height=400");}
Now, I notice you're using a loop to generate the formIDs and using the same NAME for each field. So you'll need to loop through the set of fields, grab each one's value, and send it along as one string in the query string:
function openwin() {
    var ids = '';
    for( var index = 0; index < document.frmReport.FormID.length; index++ ) {
        if( ids == '' )
            ids += document.frmReport.FormID[ index ].value;
        else
            ids += ',' + document.frmReport.FormID[ index ].value;
    }
    window.open("Page2.asp?FormIDs=" + ids,"mywindow","width=500,height=400");
}
and on Page2.asp, you would do:
iFormIDs = Request.QueryString("FormIDs")
sSQL = "select * from Form where Form_id in ( " & iFormIDs & " ) "
You'll notice that I changed the sql to use the IN clause, that way you can get ALL records for a given set of formIDs, even if it's just one. This obviously doesn't take into account any security precautions to prevent sql injection, but this should get you started.
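The Page2.asp query above with the missing precaution filled in, as an added example that is not the answerer's code: each item of the comma-separated FormIDs value must be a plain integer, and the IN list is built from ? placeholders with bound parameters. The function name, the 50-item limit and an already open ADODB.Connection in objConn are assumptions.

```vbscript
<%
' Added example. Assumed names: OpenFormsByIds, objConn; the limit of 50 IDs is arbitrary.
Const adInteger = 3, adParamInput = 1, adCmdText = 1   ' ADO constant values

' Returns a Recordset for the validated IDs, or Nothing if the list is
' empty, too long, or contains anything that is not a plain integer.
Function OpenFormsByIds(objConn, rawIds)
    Dim reId, parts, i, marks, cmd
    Set OpenFormsByIds = Nothing
    Set reId = New RegExp : reId.Pattern = "^[0-9]{1,9}$"   ' fits in a Long

    parts = Split(rawIds & "", ",")
    If UBound(parts) < 0 Or UBound(parts) > 49 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    marks = ""

    For i = 0 To UBound(parts)
        parts(i) = Trim(parts(i))
        If Not reId.Test(parts(i)) Then Exit Function        ' reject the whole request
        If marks <> "" Then marks = marks & ", "
        marks = marks & "?"
        cmd.Parameters.Append cmd.CreateParameter("id" & i, adInteger, adParamInput, , CLng(parts(i)))
    Next

    ' Only the placeholders are concatenated; the IDs travel as parameters.
    cmd.CommandText = "select * from Form where Form_id in (" & marks & ")"
    Set OpenFormsByIds = cmd.Execute
End Function

Dim rs
Set rs = OpenFormsByIds(objConn, Request.QueryString("FormIDs"))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.End
End If
%>
```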
First, make sure your elements are in a form block with a METHOD of POST.
Second, your element
<input type="hidden" name="FormID" value="<% objRS("Form_id")%>
needs to be
<input type="hidden" name="FormID" value="<%= objRS("Form_id")%>" />
<%= is shorthand for Response.Write
so page1 would look like:
<form name="myForm" method="post" action="page2.asp">
<input type="hidden" name="FormID" value="<%= objRS("Form_id")%>" />
...
<input type="hidden" name="FormID" value="<%= nFormID %>">
<input type="submit" value="Open Page2" />
</form>

Checkbox boolean value Classic ASP

I have a checkbox
<input type="checkbox" name="chkNGI" id="prod_ngi_sn" value="1">
When it is checked I pass the value 1, but when it is not checked any value is passed.
I have to pass the value 0.
I've tried
<input type="checkbox" name="chkNGI" id="prod_ngi_sn" <%if prod_ngi_sn.checked then value="1" else value="0" end if%>>
But didn't work.
tks
Checkboxes only pass values when ticked. You need logic on the server side to accommodate that.
Dim chkNGI
chkNGI = Request("chkNGI") & ""
If chkNGI = "" Then
    chkNGI = "0"
End If
You can try this single line solution
Information: RS=Recordset Object
<input type="checkbox" <%If RS("ColumnName")=True Then Response.Write(" checked='checked' ")%> name="tableColumn" value="1" >
I know this question is old, but I recently had to refactor some legacy code for a company in Classic ASP, and ran into this problem. The existing code used a hidden form field with the same name as the checkbox and looked for either "false" or "false, true" in the results. It felt kludgy, but the code also performed actions based on dynamically named checkbox fields with prefixes, so inferring "false" from a missing field would introduce different complications.
If you want a checkbox to return either "0" or "1", this technique should do the trick. It uses an unnamed checkbox to manipulate a named hidden field.
<html>
<body>
<% If isempty(Request("example")) Then %>
<form>
<input type="hidden" name="example" value="0">
<input type="checkbox" onclick="example.value=example.value=='1'?'0':'1'">
<input type="submit" value="Go">
</form>
<% Else %>
<p>example=<%=Request("example")%></p>
<% End If %>
</body>
</html>
Create a hidden input with the name "chkNGI".
Rename your current checkbox to something different.
Add a handler for onClick on the checkbox and, using a small JavaScript function, depending on the state of the checkbox, write 0 or 1 in the hidden input.
As an example,
<script>
function calcParam() {
    var checked = document.getElementById("prod_ngi_sn").checked;
    if (checked)
        document.getElementById("hiddenNGI").value = "1";
    else
        document.getElementById("hiddenNGI").value = "0";
}
</script>
<input type="hidden" name="chkNGI" id="hiddenNGI">
<input type="checkbox" name="checkNGI" id="prod_ngi_sn" onClick="calcParam()">
Your solution in post to saving page;
save.asp
<%
' connection string bla bla
' RS = Recordset Object
If Request.Form("tableColumn")=1 Then
    RS("ColumnName") = 1
Else
    RS("ColumnName") = 0
End If
' other columns saving process bla bla bla
%>

Passing a parameter from Radio Button & Check Box, to an email, using an HTML page

I have a form that is HTML; it involves a few string questions, a radio button, and a check box question. After the form is filled out, the info is then passed to an aspx page which sends out an email with the info. I am able to pass the string questions to the email, but am having trouble passing the radio button answer and the check box answers to the aspx and then to the email. I have the code for the HTML set; I need help with the code for the ASPX page (it is VB). Here is the code I have so far.
HTML
<form id="form" method="post" action="SendEmail.aspx" enctype="multipart/form-data" name="questions">
<div class="Qblock">Name: <input type="text" class="input" value="" name="contact_name" /></div>
<div class="Qblock">Phone #: <input type="text" class="input" value="" name="contact_phone" /></div>
<div class="Qblock">E-Mail: <input type="text" class="input" value="" name="contact_email" /></div>
<div class="Qblock">How many years have you been in this industry?<input type="text" class="input" value="" name="contact_long" /></div>
<div class="Qblock">What is your specialty?<input type="text" class="input" value="" name="contact_special" /></div>
<div class="Qblock">Do you have a cell phone?
<input type="radio" name="P1" value="Yes" /> Yes <input type="radio" name="p1" value="No" /> No <br /></div>
<div class="Qblock">Can you do any of the following? (check all that apply)<br />
<input type="checkbox" name="ckBox" value="CustSer" /> Handle Customer Service<br />
<input type="checkbox" name="ckBox" value="ReadForm" /> Read Expense Reports<br />
<input type="checkbox" name="ckBox" value="NewCust" /> Sign Up New Customers<br /></div>
ASPX
Protected Sub RetrieveValues()
Dim sTemp As String = String.Empty
sFromName = "asMark#gmail.com"
sToName = "asMarkContent#gmail.com"
sSubject = "Web - Contact Us Inquiry"
sTemp = String.Format("{0}{1}{2}", "<<< Marketing Opportunities >>>", vbCrLf, vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "Name: ", Request.Params("contact_name"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "Phone: ", Request.Params("contact_phone"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "Email: ", Request.Params("contact_email"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "How many years have you been in this industry? ", Request.Params("contact_long"), vbCrLf)
sTemp = String.Format("{0}{1}{2}{3}", sTemp, "What is your specialty? ", Request.Params("contact_special"), vbCrLf)
End Sub
First, let me introduce you to the StringBuilder which makes code a little easier to read.
Second, radio buttons will come over as a normal name/value pair just like regular text fields so you can process them the same way. Whatever you put in the value on the HTML side will be what's submitted and what you have is good. I would recommend that you make sure the name values both use the same case, however. On the ASPX side you should be fine but it's a good practice to assume some things might be case-sensitive. (You have P1 and p1 right now.) You might also want to default one of the radio buttons to checked, probably the "No" one. If you don't and someone fills out the form without checking either, the email will be empty for that field.
Checkboxes will come over as a comma-separated list so if someone checks all three options you'll get the string CustSer, ReadForm, NewCust. You might want to give the values something a little more descriptive but that's up to you. But you can treat the checkbox the same way as any other form field and just use it by name.
Protected Sub RetrieveValues()
Dim sTemp As New System.Text.StringBuilder()
sTemp.AppendFormat("{0}{1}{1}", "<<< Marketing Opportunities >>>", vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Name: ", Request.Params("contact_name"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Phone: ", Request.Params("contact_phone"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Email: ", Request.Params("contact_email"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "How many years have you been in this industry? ", Request.Params("contact_long"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "What is your specialty? ", Request.Params("contact_special"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Do you have a cell phone? ", Request.Params("P1"), vbCrLf)
sTemp.AppendFormat("{0}{1}{2}", "Can you do any of the following? ", Request.Params("ckBox"), vbCrLf)
End Sub
Lastly, I would recommend using Request.Form over Request.Params. If someone went to your page and manually added any of the form fields to the query string the form field itself would get ignored. For instance, if they navigated to Form.aspx?contact_name=Bob Dole and filled out Bob Smith in the name field you would see Bob Dole on the server side. This is because the query string is searched for before the form fields. In this case it doesn't really matter that much but in future forms some malicious website could link to your website and pass weird values to the form. I'd recommend just always using Request.Form and Request.QueryString.
Okay, the last paragraph was "lastly" so I guess this is "one more thing". The method you are using is only half of the way to ASP.Net. What you have is more of the conversion from ASP classic/PHP to .Net. It's not wrong at all but you are missing the full power of ASP.Net web controls. There's way more than I can write but to give you an idea you would replace:
<input type="text" class="input" value="" name="contact_special" />
With:
<asp:Textbox runat="server" id="contact_special" />
This would allow you to use a RequiredFieldValidator which would use both javascript and server-side code to make sure that the field was filled out:
<asp:RequiredFieldValidator runat="server" ControlToValidate="contact_special" ErrorMessage="Required" />
Don't make this change for this form probably but going forward I would encourage you to investigate the web controls.

ASP (VBscript) radio buttons not returning value

I have 2 very simple pages, an HTML page and a classic ASP page .. the html page has a form which calls (and sends) the data to the ASP form (which then prints out the data)
The problem is I'm not getting the value of the radio button, I'm simply just getting "on".
Here is the html:
<form action="form.asp" method="post">
<strong>Gender:</strong>
<input type="radio" value"male" name="gender">Man
<input type="radio" value"female" name="gender">Woman<p></p>
<strong>Size:</strong>
<input type="text" width="20" name="size" size="4"><p></p>
<strong>Color:</strong>
<select size="1" name="color">
<option>blue</option>
<option>green</option>
<option>black</option>
</select><p></p>
<input type="submit" value="Send Order">
</form>
and here is the ASP
<%
Dim strgen, strsize, strcol
strgen = Request.form("gender")
intsize = Request.form("size")
strcol = Request.form("color")
Response.write "Your gender: " & strgen & "<br />"
Response.write "Your size: " & intsize & "<br />"
Response.write "The color you ordered: " & strcol & "<br />"
%>
Like I said, all I'm getting for "strgen" is "on" ...
There's typos in your code, missing equals sign.
value"male"
should be
value="male"
Because the value was ignored, it was returning the default value of "on".
Try using an HTML validator such as www.htmlvalidator.com. This site offers a free one which is good (I'm using the professional version myself).
This will find such types immediately (and will save you countless hours of searching).
