Input Validation

I need to preform input validation and email database validation: HELP:;7


'*****************
'* SET VARIABLES *
'*****************
'Form variables
strName = Trim(Request.Form("name"))
'strAddress1 = Trim(Request.Form("address1"))
'strAddress2 = Trim(Request.Form("address2"))
strCompany = Trim(Request.Form("company"))
'strCity = Trim(Request.Form("city"))
'strState = Trim(Request.Form("state"))
strCountry = Trim(Request.Form("country"))
'strZip = Trim(Request.Form("zip"))
strTelephone = Trim(Request.Form("telephone"))
strEmail = Trim(Request.Form("email"))
strProduct = Trim(Request.Form("product"))
strMethod = Trim(Request.Form("method"))
strType = Trim(Request.QueryString("type"))
'Data variables
Set conn = Server.CreateObject("ADODB.Connection")
Set objRS = Server.CreateObject("ADODB.Recordset")



'*************
'* UPDATE DB *
'*************
'Build SQL
strSQL = "INSERT INTO downloadInfo (" & _
"name, company," & _


"country," & _
"telephone, email," & _
"product, method" & _
") VALUES (" & _
EncodeSQLStringEx(strName) & "," & EncodeSQLStringEx(strCompany) & "," & _
EncodeSQLStringEx(strCountry) & "," & _
EncodeSQLStringEx(strTelephone) & "," & EncodeSQLStringEx(strEmail) & "," & _
EncodeSQLStringEx(strProduct) & "," & EncodeSQLStringEx(strMethod) & _
");"
'Response.Write strSQL

'Execute SQL
conn.Open "DSN=nse;"
conn.Execute strSQL
conn.Close
Set conn = Nothing


'***********************
'* SEND EMAIL TO ADMIN *
'***********************
'Build message body
strBody = "<html>"
strBody = strBody & "<head>"
strBody = strBody & "<style><!--"
strBody = strBody & " TD.normal {font-family:'Arial';font-size:10.0pt;color:black;}"
strBody = strBody & " TD.slogan {font-family:'Times New Roman';font-size:11.0pt;color:teal;font-weight:bold;font-style:italic;}"
strBody = strBody & " TD.disclaimer {font-family:'Times New Roman';font-size:7.0pt;color:gray;}"
strBody = strBody & "--></style>"
strBody = strBody & "</head>"
strBody = strBody & "<body>"
strBody = strBody & "<TABLE>"
strBody = strBody & "<TR><TD class='normal'>A new product download has occurred: " & strProduct & "</TD></TR>"
strBody = strBody & "</TABLE>"
strBody = strBody & "<TABLE>"
'...User details
strBody = strBody & "<TR><TD class='normal' width='120'><B>Name:</B></TD><TD class='normal'>" & strName & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Company:</B></TD><TD class='normal'>" & strCompany & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>Address1:</B></TD><TD class='normal'>" & strAddress1 & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>Address2:</B></TD><TD class='normal'>" & strAddress2 & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>City:</B></TD><TD class='normal'>" & strCity & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>State:</B></TD><TD class='normal'>" & strState & "</TD></TR>"
'strBody = strBody & "<TR><TD class='normal' width='120'><B>Zip:</B></TD><TD class='normal'>" & strZip & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Country:</B></TD><TD class='normal'>" & strCountry & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Telephone:</B></TD><TD class='normal'>" & strTelephone & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B><u>Email:</u></B></TD><TD class='normal'>" & strEmail & "</TD></TR>"
strBody = strBody & "<TR><TD>&nbsp;</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Product:</B></TD><TD class='normal'>" & strProduct & "</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Method:</B></TD><TD class='normal'>" & strMethod & "</TD></TR>"
strBody = strBody & "<TR><TD>&nbsp;</TD></TR>"
strBody = strBody & "<TR><TD class='normal' width='120'><B>Timestamp:</B></TD><TD class='normal'>" & Now() & "</TD></TR>"
strBody = strBody & "</TABLE></TD></TR>"
strBody = strBody & "</TABLE>"
strBody = strBody & "</body>"
strBody = strBody & "</html>"
'Send mail
'call SendMail("michel.gilbert@nse.com","michelgilbert@yahoo.com","NSE: Product Downloaded - " & strProduct,strBody)

call SendMail("spmanager@nse.com","Marketing@nse.com","NSE: Product Downloaded - " & strProduct,strBody)
'call SendMail("spmanager@nse.com","dan@nse.com","NSE: Product Downloaded - " & strProduct,strBody)

 

Can you validate the user input using javascript on your form?

 

Use RegExp object to validate input:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/vsobjRegExp.asp

Also, use parameter binding and you won't have to escape your SQL.

J.D.

 

Tried that it does not allow the page to display

 

Re: fastbuffalo: don't rely on javascript validation for value cleansing... it is easily bypassable. input cleansing should be done server-side to avoid sql injection.

Javascript, i.e. client-side, validation is nice, however, to guide your users to properly fill out your forms, but should NEVER be relied on.

 

Try again. That's the way.

 

Be sure and turn off "Show Friendly Error Messages" in IE.