Input Validation


danjapro
Nov 15th 2005, 7:05 am
I need to perform input validation and email database validation: HELP


'*****************
'* SET VARIABLES *
'*****************
'Form variables
strName = Trim(Request.Form("name"))
'strAddress1 = Trim(Request.Form("address1"))
'strAddress2 = Trim(Request.Form("address2"))
strCompany = Trim(Request.Form("company"))
'strCity = Trim(Request.Form("city"))
'strState = Trim(Request.Form("state"))
strCountry = Trim(Request.Form("country"))
'strZip = Trim(Request.Form("zip"))
strTelephone = Trim(Request.Form("telephone"))
strEmail = Trim(Request.Form("email"))
strProduct = Trim(Request.Form("product"))
strMethod = Trim(Request.Form("method"))
strType = Trim(Request.QueryString("type"))
'Data variables
Set conn = Server.CreateObject("ADODB.Connection")
Set objRS = Server.CreateObject("ADODB.Recordset")



'*************
'* UPDATE DB *
'*************
'Build SQL
strSQL = "INSERT INTO downloadInfo (" & _
"name, company," & _
"country," & _
"telephone, email," & _
"product, method" & _
") VALUES (" & _
EncodeSQLStringEx(strName) & "," & EncodeSQLStringEx(strCompany) & "," & _
EncodeSQLStringEx(strCountry) & "," & _
EncodeSQLStringEx(strTelephone) & "," & EncodeSQLStringEx(strEmail) & "," & _
EncodeSQLStringEx(strProduct) & "," & EncodeSQLStringEx(strMethod) & _
");"
'Response.Write strSQL

'Execute SQL
conn.Open "DSN=nse;"
conn.Execute strSQL
conn.Close
Set conn = Nothing


'***********************
'* SEND EMAIL TO ADMIN *
'***********************
'Build message body
strBody = "<html>"
strBody = strBody & "<head>"
strBody = strBody & "<style><!--"
strBody = strBody & " TD.normal {font-family:'Arial';font-size:10.0pt;color:black;}"
strBody = strBody & " TD.slogan {font-family:'Times New Roman';font-size:11.0pt;color:teal;font-weight:bold;font-style:italic;}"
strBody = strBody & " TD.disclaimer {font-family:'Times New Roman';font-size:7.0pt;color:gray;}"
strBody = strBody & "--></style>"
strBody = strBody & "</head>"
strBody = strBody & "<body>"
strBody = strBody & "<TABLE>"
strBody = strBody & "<TR><TD class='normal'>A new product download has occurred: " & strProduct & "</TD></TR>"
strBody = strBody & "</TABLE>"
strBody = strBody & "<TABLE>"
'...User details
strBody = strBody & "<TR><TD class='normal' width='120'><B>Name:</B></TD><TD class='normal'>" & strName & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Company:</B></TD><TD class='normal'>" & strCompany & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>Address1:</B></TD><TD class='normal'>" & strAddress1 & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>Address2:</B></TD><TD class='normal'>" & strAddress2 & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>City:</B></TD><TD class='normal'>" & strCity & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>State:</B></TD><TD class='normal'>" & strState & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>Zip:</B></TD><TD class='normal'>" & strZip & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Country:</B></TD><TD class='normal'>" & strCountry & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Telephone:</B></TD><TD class='normal'>" & strTelephone & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B><u>Email:</u></B></TD><TD class='normal'>" & strEmail & "</TD></TR>"
strBody = strBody & "<TR><TD>&nbsp;</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Product:</B></TD><TD class='normal'>" & strProduct & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Method:</B></TD><TD class='normal'>" & strMethod & "</TD></TR>"
strBody = strBody & "<TR><TD>&nbsp;</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Timestamp:</B></TD><TD class='normal'>" & Now() & "</TD></TR>"
strBody = strBody & "</TABLE>"
strBody = strBody & "</body>"
strBody = strBody & "</html>"
'Send mail
'call SendMail("michel.gilbert@nse.com","michelgilbert@yahoo.com","NSE: Product Downloaded - " & strProduct,strBody)

call SendMail("spmanager@nse.com","Marketing@nse.com","NSE: Product Downloaded - " & strProduct,strBody)
'call SendMail("spmanager@nse.com","dan@nse.com","NSE: Product Downloaded - " & strProduct,strBody)

FastBuffalo
Nov 15th 2005, 8:55 am
Can you validate the user input using JavaScript on your form?

J.D.
Nov 15th 2005, 8:59 am
I need to perform input validation and email database validation: HELP

Use RegExp object to validate input:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/vsobjRegExp.asp

Also, use parameter binding and you won't have to escape your SQL.

J.D.
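
An added example, not code from the original post or from the poster's site, that applies J.D.'s two suggestions to the script in the first post: RegExp validation on the server, a parameterised INSERT through ADODB.Command in place of string concatenation, and HTML-encoding of the values before they go into the admin e-mail body. It assumes the downloadInfo table and "nse" DSN from the post and a SendMail routine defined elsewhere on the site; the column lengths, the error-report markup and the helper names (MatchesPattern, IsValidText, EmailRow) are assumptions made for illustration.

```vbscript
<%
Option Explicit
' Added example, not the poster's code. Assumes the downloadInfo table and
' "nse" DSN from the post, and a SendMail routine defined elsewhere on the site.

' ADO constants (normally included from adovbs.inc)
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adExecuteNoRecords = 128

' Whole-value pattern test with the VBScript RegExp object.
Function MatchesPattern(strValue, strPattern)
    Dim re
    Set re = New RegExp
    re.Pattern = strPattern
    re.IgnoreCase = True
    MatchesPattern = re.Test(strValue)
End Function
Function IsValidEmail(strValue)
    ' Practical (not RFC-complete) shape check: local@domain.tld
    IsValidEmail = MatchesPattern(strValue, "^[A-Z0-9._%+\-]+@[A-Z0-9.\-]+\.[A-Z]{2,}$")
End Function
Function IsValidTelephone(strValue)
    IsValidTelephone = MatchesPattern(strValue, "^[0-9 ()+\-]{7,20}$")
End Function
Function IsValidText(strValue, intMaxLen)
    ' Non-empty, bounded, and free of control characters (a CR/LF in the
    ' product name would otherwise reach the e-mail Subject header).
    IsValidText = (Len(strValue) > 0) And (Len(strValue) <= intMaxLen) _
        And Not MatchesPattern(strValue, "[\x00-\x1F\x7F]")
End Function

' Collect the form values exactly as the original script does.
Dim strName, strCompany, strCountry, strTelephone, strEmail, strProduct, strMethod
strName      = Trim(Request.Form("name"))
strCompany   = Trim(Request.Form("company"))
strCountry   = Trim(Request.Form("country"))
strTelephone = Trim(Request.Form("telephone"))
strEmail     = Trim(Request.Form("email"))
strProduct   = Trim(Request.Form("product"))
strMethod    = Trim(Request.Form("method"))

' Server-side validation: runs whether or not the form's JavaScript did.
Dim strErrors
strErrors = ""
If Not IsValidText(strName, 100)      Then strErrors = strErrors & "<li>Name is required (max 100).</li>"
If Not IsValidText(strCompany, 100)   Then strErrors = strErrors & "<li>Company is required (max 100).</li>"
If Not IsValidText(strCountry, 60)    Then strErrors = strErrors & "<li>Country is required.</li>"
If Not IsValidTelephone(strTelephone) Then strErrors = strErrors & "<li>Telephone: 7-20 digits.</li>"
If Not IsValidEmail(strEmail)         Then strErrors = strErrors & "<li>Email address is not valid.</li>"
If Not IsValidText(strProduct, 50)    Then strErrors = strErrors & "<li>Product is required.</li>"
If Not IsValidText(strMethod, 50)     Then strErrors = strErrors & "<li>Method is required.</li>"
If Len(strErrors) > 0 Then
    Response.Write "<p>Please correct the following:</p><ul>" & strErrors & "</ul>"
    Response.End
End If

' Parameter binding: the values never become part of the SQL text, so no
' quoting routine is needed and none can be forgotten.
Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=nse;"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO downloadInfo " & _
    "(name, company, country, telephone, email, product, method) " & _
    "VALUES (?, ?, ?, ?, ?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("name",      adVarChar, adParamInput, 100, strName)
cmd.Parameters.Append cmd.CreateParameter("company",   adVarChar, adParamInput, 100, strCompany)
cmd.Parameters.Append cmd.CreateParameter("country",   adVarChar, adParamInput, 60,  strCountry)
cmd.Parameters.Append cmd.CreateParameter("telephone", adVarChar, adParamInput, 20,  strTelephone)
cmd.Parameters.Append cmd.CreateParameter("email",     adVarChar, adParamInput, 255, strEmail)
cmd.Parameters.Append cmd.CreateParameter("product",   adVarChar, adParamInput, 50,  strProduct)
cmd.Parameters.Append cmd.CreateParameter("method",    adVarChar, adParamInput, 50,  strMethod)
cmd.Execute , , adExecuteNoRecords
conn.Close

' The notification is HTML, so each value is HTML-encoded before it is
' placed in the body; a "<script>" typed into the Company field arrives as text.
Function EmailRow(strLabel, strValue)
    EmailRow = "<TR><TD class='normal' width='120'><B>" & strLabel & ":</B></TD>" & _
               "<TD class='normal'>" & Server.HTMLEncode(strValue) & "</TD></TR>"
End Function
Dim strBody
strBody = "<html><body><TABLE>" & _
    EmailRow("Name", strName) & EmailRow("Company", strCompany) & _
    EmailRow("Country", strCountry) & EmailRow("Telephone", strTelephone) & _
    EmailRow("Email", strEmail) & EmailRow("Product", strProduct) & _
    EmailRow("Method", strMethod) & EmailRow("Timestamp", CStr(Now())) & _
    "</TABLE></body></html>"
Call SendMail("spmanager@nse.com", "Marketing@nse.com", _
    "NSE: Product Downloaded - " & strProduct, strBody)
%>
```

The validation rejects bad input rather than trying to clean it, and the parameter sizes match the lengths the validation allows, so an over-long value fails before it reaches ADO. Keeping the checks on the server is what makes the client-side JavaScript discussed later in the thread optional: it can improve the form, but nothing depends on it.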

danjapro
Nov 15th 2005, 9:49 am
Tried that; it does not allow the page to display.

vectorgraphx
Nov 15th 2005, 10:26 am
Re: fastbuffalo: don't rely on JavaScript validation for value cleansing... it is easily bypassable. Input cleansing should be done server-side to avoid SQL injection.

Javascript, i.e. client-side, validation is nice, however, to guide your users to properly fill out your forms, but should NEVER be relied on.

J.D.
Nov 15th 2005, 10:47 am
Tried that; it does not allow the page to display.

Try again. That's the way.

alph
Nov 15th 2005, 12:49 pm
Tried that; it does not allow the page to display.

Be sure to turn off "Show Friendly Error Messages" in IE.