Classic ASP Basics: For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
Welcome to the p2p.wrox.com Forums.
You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

June 5th, 2003, 11:04 PM
Looping through form fields & retrieving the values
Hi Everyone,
Great to see everything is back up and running.
My question is how can I loop through a large application form grabbing the data entered and creating and assigning values to session variables, and the session variables will be what the form element name was.
e.g.
FirstName = Tim
LastName = Austin
lots more fields......
Loop through and assign
use the Session variables
Session("FirstName")
I think there is an easier solution than going
Session("FirstName") = Request.Form("FirstName")
for every field in the form.
Thanks in advance
TDA

June 5th, 2003, 11:15 PM
Tim,
If you are happy to have every field on the form a session variable then you can loop through the request object.
for each obj in request.form
session(obj) = request(obj)
next
I use this with dynamic forms and put a prefix to filter out the ones I would like to process.
<input type="text" name="PR_FirstName">
<input type="text" name="PR_LastName">
process with
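for each obj in request.form
    ' only process fields carrying the "PR_" prefix
    if left(obj,3) = "PR_" then
        ' strip the prefix to get the session variable name
        fieldName = right(obj,len(obj)-3)
        session(fieldName) = request(obj)
    end if
next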
Regards,
Rod

June 6th, 2003, 12:35 AM
Why do you need to assign all these variables to session variables?
By doing the loop, you (IMHO) expose your application to attacks. I can "overwrite" any session variable I want by creating an appropriately named form field, and then populating it with a value (so, if your site has an "admin" section I could elevate my privileges simply by setting the appropriate session variables (I create a form on my machine, and set the action="http://www.yourserver.com/yourpage.asp
www.adOpenStatic.com

June 6th, 2003, 01:02 AM
Tim,
My apologies for the misleading advice, I use this loop to process the dynamic forms to the database, not for session variables, though it would work.
Ken's advice on security takes precedence.
Rod

June 6th, 2003, 01:23 AM
Even placing things in databases can be dangerous...
If you want to build a robust application, where the end-user is not trusted, then your best practice is to allocate all your values manually to local variables, validate them, and then place them into a database.
Think about how you'd do this if you were programming using VB (or any other programming language). You'd have some kind of class (or similar construct). You'd have properties that you'd set. Each would have an accessor method, which would validate the data, and then assign the values to private, internal variables. These would be placed into the database.
Sure, it means writing more code upfront, but it saves a lot of work later on.
If you need a methodology for doing this, here's one way:
http://www.adopenstatic.com/resource...Validation.asp
Cheers
Ken
www.adOpenStatic.com
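An added example, not code from any poster in this thread: one way to copy form values into session variables from a fixed master list, so that a posted field can never overwrite a session variable the application uses for authorization. The field names, the patterns, the "form_" key prefix and the "IsAdmin" flag mentioned in a comment are assumptions made for illustration.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Field names, patterns and the
' "form_" prefix are assumptions chosen for illustration.
Dim allowed, re, fieldName, fieldValue, rejected

' Master list: the only form fields this page accepts, each with the
' pattern its value must match in full.
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.Add "FirstName", "^[A-Za-z][A-Za-z '\-]{0,49}$"
allowed.Add "LastName",  "^[A-Za-z][A-Za-z '\-]{0,49}$"
allowed.Add "Postcode",  "^[0-9]{4}$"

Set re = New RegExp
rejected = ""

' Iterate over the allowlist, not over Request.Form, so a posted field such
' as "IsAdmin" (hypothetical authorization flag) is never even read.
For Each fieldName In allowed.Keys
    fieldValue = Trim(Request.Form(fieldName))
    re.Pattern = allowed(fieldName)
    If re.Test(fieldValue) Then
        ' The prefix keeps these keys apart from session variables the
        ' application sets itself, provided it reserves "form_" for this.
        Session("form_" & fieldName) = fieldValue
    Else
        rejected = rejected & fieldName & " "
    End If
Next

If Len(rejected) > 0 Then
    Response.Write "Please correct: " & Server.HTMLEncode(Trim(rejected))
End If
%>
```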

June 6th, 2003, 02:01 AM
Sorry Ken, I don't quite understand how the request object loop can affect the validation. Can't the field/variable be validated within the loop?

June 9th, 2003, 06:37 PM
Thanks for the advice guys,
I guess my question is answered: a quick coding solution is far
outweighed by security and problems that could occur.
For a multipage application form I guess it's much better to spend the time
passing variables through via hidden form fields and retrieving them through the
request object, and then writing to the DB.
Do you think this is the most efficient and secure way to go?
Thanks
Tim
TDA

June 9th, 2003, 11:02 PM
Hi Rod,
That kinda means that you need to have some kind of master list of acceptable field-names, and acceptable values. In which case you may as well do it manually (you're not gaining anything by using a loop, since you've hardcoded the list of acceptable fields and their corresponding values into your code).
Either that, or I'm missing the point of what you're saying. :-) Could you post an example of what you mean?
Cheers
Ken
www.adOpenStatic.com

June 10th, 2003, 03:17 AM
Ken,
I use this loop in a situation where the field contents are not well defined. For example, I have a table of attributes which can be added to a delivery of some kind. The list of attributes is defined by the admin user in a set up page. Then the attributes are assigned to a delivery on the creation of a job. I do not know what the field names are or the values they will hold.
So I loop the table to create the form fields, which have a prefix appended to the ID for a name
<%= fieldName%>: <input type="text" name="fld_<%= fieldID%>"><BR>
In the ASP processing I loop the request obj, pull out the fields with the prefix, validate as best I can and then do the DB update.
for each obj in request.form
    if left(obj,4) = "fld_" then
        ' strip the "fld_" prefix to recover the attribute ID
        fieldID = right(obj,len(obj)-4)
        fieldValue = request(obj)
        call validate()
        if valid then
            '..do DB stuff
        end if
    end if
next
' validate() works on the page-level variables fieldValue and valid
sub validate()
    ' start from valid; the checks below switch it off
    valid = true
    fieldValue = replace(fieldValue,"'","''")
    fieldValue = replace(fieldValue,"--","")
    if len(fieldValue) < 1 then
        valid = false
        'deal with error message
    end if
    '...any other validation that can be assured like if the DB field has a max size. though I normally limit this in html.
end sub
I grant that the security issues are a problem with this method.
Do you think I should do a search for words that may cause havoc (delete,update,etc) as well as the ' and --?
Or
How do you approach this situation?
Thanks for your time in considering this and sorry Tim, I have taken over your question a little.
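An added example, not code from any poster in this thread: the same "fld_" loop with the ID checked as a number, the value length-limited, and the write done through a parameterized ADODB.Command, so the value is sent as data and no quote or keyword filtering is needed. The table and column names, Application("ConnStr") and Session("JobID") are hypothetical.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Table and column names,
' Application("ConnStr") and Session("JobID") are hypothetical.
Const adInteger = 3, adVarChar = 200, adParamInput = 1
Const adCmdText = 1, adExecuteNoRecords = 128
Const MAX_LEN = 255

Dim conn, cmd, reId, key, idText, fieldValue
Set reId = New RegExp
reId.Pattern = "^[0-9]{1,9}$"            ' digits only, small enough for CLng

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' INSERT ... SELECT writes a row only when the ID exists in the
' admin-defined attribute table, so made-up "fld_" names are ignored.
cmd.CommandText = "INSERT INTO JobAttribute (JobID, AttributeID, AttrValue) " & _
                  "SELECT ?, AttributeID, ? FROM Attribute WHERE AttributeID = ?"
cmd.Parameters.Append cmd.CreateParameter("job", adInteger, adParamInput)
cmd.Parameters.Append cmd.CreateParameter("val", adVarChar, adParamInput, MAX_LEN)
cmd.Parameters.Append cmd.CreateParameter("attr", adInteger, adParamInput)

For Each key In Request.Form
    If Left(key, 4) = "fld_" Then
        idText = Mid(key, 5)
        fieldValue = Trim(Request.Form(key))
        If reId.Test(idText) And Len(fieldValue) >= 1 And Len(fieldValue) <= MAX_LEN Then
            ' Values travel as bound parameters, never as SQL text.
            cmd.Parameters("job").Value = CLng(Session("JobID"))
            cmd.Parameters("val").Value = fieldValue
            cmd.Parameters("attr").Value = CLng(idText)
            cmd.Execute , , adExecuteNoRecords
        Else
            Response.Write "Invalid value for " & Server.HTMLEncode(key) & "<br>"
        End If
    End If
Next

conn.Close
%>
```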