Posted by david on 2. March 2009 10:43
I’m not sure how all this works … seems like – well, JavaScript can be denied by the browser. That would bypass the injection prevention. KT asked for VBScript to do this … meaning that VB can’t be turned off?
Here’s the answer:
At this point, you should be starting to see the potential of ASP form handling. For example, you can check the validity of form fields with server-side ASP instead of using client-side JavaScript. If the user has a browser that does not support JavaScript or they have it turned off, your ASP web page will still be smart enough to validate their submitted data. (source)
Wondering now about building a side file. A function. It would take a string, check it, return true or false.
I bagged all of the above & just started to rebuild the page from scratch.
2009_03_01_002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>2009 03 01 002</title>
</head>
<body>
<a href="../../Default.aspx">Project Page</a>
<form action="#" id="form1" name="form1" method="post">
<p>
<textarea name="Bio" id="cmiBio" cols="50" rows="10" onkeyup="limitChars(this, 1000, 'charlimitinfo')"></textarea>
<br /><br />
</p>
<p>
<label>
<input type="submit" name="Submit1" id="Submit1" value="Submit" onclick="Submit1_Click()" />
</label>
</p>
</form>
<br /><br />
<p><strong>Results:</strong></p>
</body>
</html>
No functionality yet, but I want to be able to backtrack ….
Got the button doing something:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>2009 03 01 002</title>
<style type="text/css">
#TextArea1
{
height: 157px;
width: 665px;
}
#ResponseArea
{
height: 124px;
width: 591px;
}
</style>
</head>
<body>
<a href="../../Default.aspx">Project Page</a>
<form action="#" id="form1" name="form1" method="post" >
<p>
<textarea name="Bio" id="cmiBio" cols="50" rows="10" onkeyup="limitChars(this, 1000, 'charlimitinfo')"></textarea>
<br /><br />
</p>
<p>
<label>
<input type="submit" name="Submit1" id="Submit1" value="Submit" onclick="Submit1_Click()" />
</label>
</p>
</form>
<br /><br />
<p><strong>Results:</strong></p>
<p>
<textarea id="ResponseArea" cols="150" name="S1" rows="100"></textarea></p>
</body>
<SCRIPT LANGUAGE="VBScript">
Sub Submit1_Click()
    MsgBox "Hello world."
End Sub
</SCRIPT>
</html>
Now, how to a) write something intentionally where I want to … and b) pull info from the form?
Just ran across this one:
Filtering SQL injection from Classic ASP - Nazim's IIS Security Blog The Official Microsoft IIS
More VBScript stuff:
ASP 101 - Object Oriented ASP Using Classes in Classic ASP
WDVL VBScript - The Easy Stuff - Page 2
WDVL Why use Functions or Subs - Page 4
WDVL Using ASP for Form Handling
VBScript enclosed in <% %> tags is server side. VBScript enclosed in <script> tags is client side, unless you add the runat="server" attribute.
VBScript is an untyped language, which means that all variables are variants and don't have an explicit type (such as integer or string).
This was helpful … from (Clark, et al. “Chapter 11 – General Client-Side Web Scripting”. VBScript Programmer’s Reference. Wiley. 2003.)
<HTML>
<HEAD>
<SCRIPT LANGUAGE="VBScript">
' Returns "" when sNumber is a whole number within [iMin, iMax],
' otherwise an error message describing what is wrong.
Function ValidInteger(sNumber, iMin, iMax)
    Dim iNumber
    ' Is it a number?
    If IsNumeric(sNumber) Then
        ' Is it a whole number (no decimal place)?
        If InStr(sNumber, ".") = 0 Then
            ' Is it in range?
            If CLng(sNumber) >= iMin And CLng(sNumber) <= iMax Then
                ValidInteger = ""
            Else
                ValidInteger = "You must enter a number between " _
                    & iMin & " and " & iMax
            End If
        Else
            ValidInteger = "You must enter a whole number"
        End If
    Else
        ValidInteger = "You must enter a number"
    End If
End Function

Sub cmdCheckForm_onclick
    Dim sValidity
    sValidity = ValidInteger(form1.text1.value, 1, 10)
    If sValidity = "" Then
        MsgBox "Valid"
        'form1.submit
    Else
        MsgBox sValidity
    End If
End Sub
</SCRIPT>
</HEAD>
<BODY>
<FORM action="myform_handler.asp" method=POST id=form1 name=form1>
<INPUT id=text1 name=text1>
<INPUT type="button" value="Button" id=cmdCheckForm name=cmdCheckForm>
</FORM>
</BODY>
</HTML>
A forum question, with an answer (with code) that includes regular expressions:
I was wondering how would i go about validating the radio buttons and the textbox. Like if they choose the surname radio button then the textbox must not include any numbers, or if they choose customer number then the textbox must contain numbers only.
Here’s the regex code:
<%
dim valnumrgx, isvalidnum
function validnum(numstring)
    set valnumrgx = new regexp
    ' anchored so the whole value must be digits; the unanchored "[0-9]"
    ' would also accept input such as "12abc", because test() only needs one match
    valnumrgx.pattern="^[0-9]+$"
    isvalidnum=valnumrgx.test(numstring)
    set valnumrgx=nothing
end function
%>
<%
if request.form("Submit")="Submit" then
    dim numbers, errorlist
    errorlist=""
    numbers=request.form("numbers")
    validnum(numbers)
    if isvalidnum=false then
        errorlist=errorlist & "The value you submitted does not contain all numbers."
    else
        response.write("That's a number all right!")
    end if
end if
%>
<html>
<head>
<title>ASP Form Validation Example</title>
</head>
<body>
Only numbers will validate. Try it.
<form name="myform" method="post">
<input name="numbers" type="text">
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
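As an added example that is not from the original post or the forum answer it quotes, here is the server-side check the forum question asks for (surname must have no digits, customer number must be digits only), written inside the <% %> block so it still runs when the browser has scripting turned off, as the earlier note on server-side versus client-side VBScript describes. The field names searchby and term and the radio values surname and custnum are assumptions.

```vbscript
<%
Option Explicit
' Added example; field names (searchby, term) and radio values are assumptions.
' True only when the whole value matches sPattern. The pattern must carry
' ^ and $: the unanchored "[0-9]" from the forum answer returns True for
' "12abc" because Test() succeeds on a match anywhere in the string.
Function RegexTest(sValue, sPattern)
    Dim re
    Set re = New RegExp
    re.Pattern = sPattern
    RegexTest = re.Test(sValue)
    Set re = Nothing
End Function
' Returns "" when the input is acceptable, otherwise an error message,
' following the ValidInteger convention from the book excerpt.
Function ValidateSearch(sMode, sValue)
    If Len(sValue) = 0 Or Len(sValue) > 50 Then
        ValidateSearch = "Enter between 1 and 50 characters."
    ElseIf sMode = "surname" Then
        ' letters, spaces, apostrophes and hyphens only, so no digits
        If RegexTest(sValue, "^[A-Za-z][A-Za-z' -]*$") Then
            ValidateSearch = ""
        Else
            ValidateSearch = "Surname: letters, spaces, apostrophes and hyphens only."
        End If
    ElseIf sMode = "custnum" Then
        ' digits only, and the whole field must be digits
        If RegexTest(sValue, "^[0-9]+$") Then
            ValidateSearch = ""
        Else
            ValidateSearch = "Customer number: digits only."
        End If
    Else
        ' the radio value is user-controlled too, so reject anything unexpected
        ValidateSearch = "Unknown search type."
    End If
End Function
' Runs on the server for every POST, whether or not the browser ran any
' client-side script. Only a fixed message is echoed, never the raw input.
If Request.Form("Submit") = "Submit" Then
    Dim sErr
    sErr = ValidateSearch(Request.Form("searchby"), Request.Form("term"))
    If sErr = "" Then
        Response.Write "Input accepted."
    Else
        Response.Write Server.HTMLEncode(sErr)
    End If
End If
%>
```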
Don’t know why line numbers are being inserted into my paste … Answer: it has something to do with the HTML language setting in the Insert Code plugin for LiveWriter. If you are in HTML mode, it adds line numbers to the script section of the code. Like it or not.
Ok – I had been building up 2009_03_01_002 for server side, but it’s not completed … just cleaned up:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script type="text/vbscript">
' Not yet implemented (this version is not completed).
Function DoSomething(strInputContents)

End Function

' Placeholder: accepts everything until real checks are written.
Function ValidText(inputtext)
    ValidText = "True"
End Function

' ValidInteger is the function from the book excerpt above; it is not
' defined in this file yet, so this handler will not run as-is.
Sub cmdCheckForm_onclick
    Dim sValidity
    sValidity = ValidInteger(form1.text1.value, 1, 10)
    If sValidity = "" Then
        MsgBox "Valid"
        'form1.submit
    Else
        MsgBox sValidity
    End If
End Sub
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>2009 03 01 002</title>
</head>
<body>
<a href="../../Default.aspx">Project Page</a>
<form action="" method="post" name="Input_Form">
First Name:
<input type="text" size="30" maxlength="50" name="First_Name">
<br />
Last Name:
<input type="text" size="30" maxlength="50" name="Last_Name">
<br />
<input type="submit" name="Submit1" value="Submit Form" onClick="DoSomething Me,1">
<!--Insert new form field-->
<input type="hidden" name="isSubmitted" value="yes">
</form>
</body>
</html>
How To Use Regular Expressions to Constrain Input in ASP.NET
ASP Regular Expression Replace Command
Ok – got basic form field validation working … working off of this forum answer – just a little modification:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<%
dim valnumrgx, isvalidnum
isvalidnum=false

function validnum(numstring)
    set valnumrgx = new regexp
    ' anchored: the whole value must be digits ("[0-9]" alone would accept "12abc")
    valnumrgx.pattern="^[0-9]+$"
    isvalidnum=valnumrgx.test(numstring)
    set valnumrgx=nothing
end function
%>
<%
if request.form("Submit")="Submit" then
    dim numbers

    numbers=request.form("numbers")
    validnum(numbers)
    if isvalidnum=false then
        response.write("no number yet")
    else
        response.write("That's a number all right!")
    end if
end if
%>
<html>
<head>
<title>2009 03 02 001</title>
</head>
<body>
<a href="../../Default.aspx">Project Page</a> / 2009 03 02 001
<p>
</p>
Only numbers will validate. Try it. Source
<form name="myform" method="post">
<input name="numbers" type="text">
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>
I’m going to stop working on this version at this point: 2009 03 02 001