Wrox Programmer Forums

  #1 (permalink)  
Old June 5th, 2003, 11:04 PM
Authorized User
 
Join Date: Jun 2003
Location: Melbourne, Victoria, Australia.
Posts: 90
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to tdaustin Send a message via Yahoo to tdaustin
Looping through form fields & retrieving the values

Hi Everyone,

Great to see everything is back up and running.

My question is how can I loop through a large application form grabbing the data entered and creating and assigning values to session variables, and the session variables will be what the form element name was.

e.g.
 FirstName = Tim
 LastName = Austin
 lots more fields......

Loop through and assign

use the Session variables
Session("FirstName")

I think there is an easier solution than going
Session("FirstName") = Request.Form("FirstName")
For every field in the form

Thanks in advance


TDA
  #2 (permalink)  
Old June 5th, 2003, 11:15 PM
Friend of Wrox
Points: 2,376, Level: 20
Activity: 0%
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Tim,

If you are happy to have every field on the form a session variable then you can loop through the request object.

for each obj in request.form
 session(obj) = request(obj)
next

I use this with dynamic forms and put a prefix to filter out the ones I would like to process.

<input type="text" name="PR_FirstName">
<input type="text" name="PR_LastName">


process with

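  ' copy only the fields whose names start with "PR_"
  for each obj in request.form
    if left(obj,3) = "PR_" then
      ' strip the 3-character prefix to get the variable name
      fieldName = right(obj,len(obj)-3)
      session(fieldName) = request(obj)
    end if
  next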

Regards,
Rod
  #3 (permalink)  
Old June 6th, 2003, 12:35 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Sydney, NSW, Australia.
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts

Why do you need to assign all these variables to session variables?
By doing the loop, you (IMHO) expose your application to attacks. I can "overwrite" any session variable I want by creating an appropriately named form field, and then populating it with a value (so, if your site has an "admin" section I could elevate my privileges simply by setting the appropriate session variables (I create a form on my machine, and set the action="http://www.yourserver.com/yourpage.asp

www.adOpenStatic.com
  #4 (permalink)  
Old June 6th, 2003, 01:02 AM
Friend of Wrox
Points: 2,376, Level: 20
Activity: 0%
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Tim,

My apologies for the misleading advice; I use this loop to process the dynamic forms to the database, not for session variables, though it would work.
Ken's advice on security takes precedence.

Rod
  #5 (permalink)  
Old June 6th, 2003, 01:23 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Sydney, NSW, Australia.
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts

Even placing things in databases can be dangerous...

If you want to build a robust application, where the end-user is not trusted, then your best practice is to allocate all your values manually to local variables, validate them, and then place them into a database.

Think about how you'd do this if you were programming using VB (or any other programming language). You'd have some kind of class (or similar construct). You'd have properties that you'd set. Each would have an accessor method, which would validate the data, and then assign the values to private, internal variables. These would be placed into the database.

Sure, it means writing more code upfront, but it saves a lot of work later on.

If you need a methodology for doing this, here's one way:
http://www.adopenstatic.com/resource...Validation.asp

Cheers
Ken

www.adOpenStatic.com
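
The approach described in the post above (named fields, a class whose accessors validate), which also closes the session-overwrite problem raised in post #3, as an added VBScript example that is not part of the original thread. The class name, the name rule and the 50-character limit are assumptions.

```vbscript
<%
Option Explicit

' Hypothetical record for the form in this thread. Every value goes
' through a Property Let that validates before storing it privately.
Class Applicant
    Private m_First, m_Last, m_Errors

    ' Assumed rule: 1-50 chars, letters plus space, apostrophe, hyphen.
    Private Function IsName(ByVal s)
        Dim re : Set re = New RegExp
        re.Pattern = "^[A-Za-z][A-Za-z '\-]{0,49}$"
        IsName = re.Test(s)
    End Function

    Public Property Let FirstName(ByVal v)
        v = Trim(v)
        If IsName(v) Then m_First = v Else m_Errors = m_Errors & "FirstName "
    End Property
    Public Property Get FirstName() : FirstName = m_First : End Property

    Public Property Let LastName(ByVal v)
        v = Trim(v)
        If IsName(v) Then m_Last = v Else m_Errors = m_Errors & "LastName "
    End Property
    Public Property Get LastName() : LastName = m_Last : End Property

    Public Property Get Errors() : Errors = m_Errors : End Property
    Public Property Get IsValid() : IsValid = (Len(m_Errors) = 0) : End Property
End Class

Dim app : Set app = New Applicant
' Fields are read one by one, by name, from Request.Form only. A posted
' field with any other name is never looked at.
app.FirstName = Request.Form("FirstName") & ""
app.LastName  = Request.Form("LastName") & ""

If app.IsValid Then
    ' Only these two keys can ever be written from this form.
    Session("FirstName") = app.FirstName
    Session("LastName")  = app.LastName
Else
    Response.Write "Invalid: " & Server.HTMLEncode(app.Errors)
End If
%>
```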
  #6 (permalink)  
Old June 6th, 2003, 02:01 AM
Friend of Wrox
Points: 2,376, Level: 20
Activity: 0%
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Sorry Ken, I don't quite understand how the request object loop can affect the validation. Can't the field/variable be validated within the loop?
  #7 (permalink)  
Old June 9th, 2003, 06:37 PM
Authorized User
 
Join Date: Jun 2003
Location: Melbourne, Victoria, Australia.
Posts: 90
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to tdaustin Send a message via Yahoo to tdaustin

Thanks for the advice guys,

I guess my question is answered: a quick coding solution is far
outweighed by security and the problems that could occur.

For a multipage application form I guess it's much better to spend the time
passing variables through via hidden form fields and retrieving them through the
request object, and then writing to the db.

Do you think this is the most efficient and secure way to go?

Thanks
Tim

TDA
  #8 (permalink)  
Old June 9th, 2003, 11:02 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: Sydney, NSW, Australia.
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts

Hi Rod,

That kinda means that you need to have some kind of master list of acceptable field-names, and acceptable values. In which case you may as well do it manually (you're not gaining anything by using a loop, since you've hardcoded the list of acceptable fields and their corresponding values into your code).

Either that, or I'm missing the point of what you're saying. :-) Could you post an example of what you mean?

Cheers
Ken

www.adOpenStatic.com
  #9 (permalink)  
Old June 10th, 2003, 03:17 AM
Friend of Wrox
Points: 2,376, Level: 20
Activity: 0%
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Ken,

I use this loop in a situation where the field contents are not well defined. For example, I have a table of attributes which can be added to a delivery of some kind. The list of attributes is defined by the admin user in a setup page. Then the attributes are assigned to a delivery on the creation of a job. I do not know what the field names are or the values they will hold.

So I loop the table to create the form fields, which have a prefix appended to the ID for a name:

<%= fieldName%>: <input type="text" name="fld_<%= fieldID%>"><BR>

In the ASP processing I loop the request obj, pull out the fields with the prefix, validate as best I can and then do the DB update.

' script-level variables shared between the loop and validate()
dim fieldID, fieldValue, valid

for each obj in request.form
  ' only process fields carrying the "fld_" prefix
  if left(obj,4) = "fld_" then
    fieldID = right(obj,len(obj)-4)
    fieldValue = request(obj)
    call validate()
    if valid then
      '..do DB stuff
    end if
  end if
next

sub validate()
  ' assume valid until a check fails
  valid = true
  fieldValue = replace(fieldValue,"'","''")
  fieldValue = replace(fieldValue,"--","")
  if len(fieldValue) < 1 then
    valid = false
    'deal with error message
  end if
  '...any other validation that can be assured, like if the DB field has a max size, though I normally limit this in html.
end sub

I grant that the security issues are a problem with this method.
Do you think I should do a search for words that may cause havoc (delete, update, etc.) as well as the ' and --?

Or

How do you approach this situation?

Thanks for your time in considering this, and sorry Tim, I have taken over your question a little.
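
One way to handle the dynamic-field case from the last post without escaping quotes or searching for keywords, as an added VBScript example that is not from the thread: the field ID is accepted only if it is numeric, and the value is bound through an ADODB.Command parameter so it is never parsed as SQL. Table, column and function names are hypothetical, and it assumes the database reports matched rows as affected.

```vbscript
<%
Const adCmdText = 1, adParamInput = 1, adInteger = 3, adVarChar = 200
Const adExecuteNoRecords = 128
Const MAX_LEN = 100   ' assumed size of the value column

' True only for 1-9 digits, so CLng below cannot overflow or see SQL text.
Function IsAttributeId(ByVal s)
    Dim re : Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsAttributeId = re.Test(s)
End Function

' conn: open ADODB.Connection; jobID: taken from server-side state, not the form.
' Table and column names are hypothetical. Returns the number of rejected fields.
Function SaveAttributes(conn, ByVal jobID)
    Dim cmd, key, idText, fieldValue, affected, rejected
    rejected = 0
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "UPDATE DeliveryAttributes SET AttrValue = ? " & _
                      "WHERE JobID = ? AND AttributeID = ?"
    cmd.Parameters.Append cmd.CreateParameter("v", adVarChar, adParamInput, MAX_LEN)
    cmd.Parameters.Append cmd.CreateParameter("j", adInteger, adParamInput)
    cmd.Parameters.Append cmd.CreateParameter("a", adInteger, adParamInput)

    For Each key In Request.Form
        If Left(key, 4) = "fld_" Then
            idText = Mid(key, 5)
            fieldValue = Trim(Request.Form(key) & "")
            affected = 0
            If IsAttributeId(idText) And Len(fieldValue) >= 1 _
               And Len(fieldValue) <= MAX_LEN Then
                cmd.Parameters(0).Value = fieldValue   ' bound as data, quotes and all
                cmd.Parameters(1).Value = CLng(jobID)
                cmd.Parameters(2).Value = CLng(idText)
                cmd.Execute affected, , adExecuteNoRecords
            End If
            ' 0 rows: failed validation, or no attribute with this ID on this job
            If affected = 0 Then rejected = rejected + 1
        End If
    Next
    SaveAttributes = rejected
End Function
%>
```

The attribute table itself acts as the list of acceptable field names: an ID that the admin never assigned to the job matches no row and is counted as rejected.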