Wrox Programmer Forums
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
  #1 (permalink)  
Old June 5th, 2003, 11:04 PM
Authorized User
 
Join Date: Jun 2003
Location: Melbourne, Victoria, Australia.
Posts: 90
Thanks: 0
Thanked 0 Times in 0 Posts
Looping through form fields & retrieving the values

Hi Everyone,

Great to see everything is back up and running.

My question is how can I loop through a large application form grabbing the data entered and creating and assigning values to session variables, and the session variables will be what the form element name was.

eg
 FirstName = Tim
 LastName = Austin
 lots more fields......

Loop through and assign

use the Session variables
Session("FirstName")

I think there is an easier solution than going
Session("FirstName") = Request.Form("FirstName")
For every field in the form

Thanks in advance


TDA
__________________
TDA
  #2 (permalink)  
Old June 5th, 2003, 11:15 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Tim,

If you are happy to have every field on the form a session variable then you can loop through the request object.

for each obj in request.form
 session(obj) = request(obj)
next

I use this with dynamic forms and put a prefix to filter out the ones I would like to process.

<input type="text" name="PR_FirstName">
<input type="text" name="PR_LastName">


process with

  ' copy only the fields carrying the PR_ prefix, stored under the name without the prefix
  for each obj in request.form
    if left(obj,3) = "PR_" then
      fieldName = right(obj,len(obj)-3)
      session(fieldName) = request(obj)
    end if
  next

Regards,
Rod
  #3 (permalink)  
Old June 6th, 2003, 12:35 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Sydney, NSW, Australia.
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts

Why do you need to assign all these variables to session variables?
By doing the loop, you (IMHO) expose your application to attacks. I can "overwrite" any session variable I want by creating an appropriately named form field, and then populating it with a value (so, if your site has an "admin" section I could elevate my privileges simply by setting the appropriate session variables (I create a form on my machine, and set the action="http://www.yourserver.com/yourpage.asp

www.adOpenStatic.com
  #4 (permalink)  
Old June 6th, 2003, 01:02 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Tim,

My apologies for the misleading advice, I use this loop to process the dynamic forms to the database not for session variables, though it would work.
Ken's advice on security takes precedence.

Rod
  #5 (permalink)  
Old June 6th, 2003, 01:23 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Sydney, NSW, Australia.
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts

Even placing things in databases can be dangerous...

If you want to build a robust application, where the end-user is not trusted, then your best practice is to allocate all your values manually to local variables, validate them, and then place them into a database.

Think about how you'd do this if you were programming using VB (or any other programming language). You'd have some kind of class (or similar construct). You'd have properties that you'd set. Each would have an accessor method, which would validate the data, and then assign the values to private, internal variables. These would be placed into the database.

Sure, it means writing more code upfront, but it saves a lot of work later on.

If you need a methodology for doing this, here's one way:
http://www.adopenstatic.com/resource...Validation.asp

Cheers
Ken

www.adOpenStatic.com
  #6 (permalink)  
Old June 6th, 2003, 02:01 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Sorry Ken, I don't quite understand how the request object loop can affect the validation. Can't the field/variable be validated within the loop?
  #7 (permalink)  
Old June 9th, 2003, 06:37 PM
Authorized User
 
Join Date: Jun 2003
Location: Melbourne, Victoria, Australia.
Posts: 90
Thanks: 0
Thanked 0 Times in 0 Posts

Thanks for the advice guys,

I guess my question is answered: a quick coding solution is far outweighed by security and problems that could occur.

For a multipage application form I guess it's much better to spend the time passing variables through via hidden form fields and retrieve through the request object, and then write to db.

Do you think this is the most efficient and secure way to go?

Thanks
Tim

TDA
  #8 (permalink)  
Old June 9th, 2003, 11:02 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: Sydney, NSW, Australia.
Posts: 111
Thanks: 0
Thanked 0 Times in 0 Posts

Hi Rod,

That kinda means that you need to have some kind of master list of acceptable field-names, and acceptable values. In which case you may as well do it manually (you're not gaining anything by using a loop, since you've hardcoded the list of acceptable fields and their corresponding values into your code).

Either that, or I'm missing the point of what you're saying. :-) Could you post an example of what you mean?

Cheers
Ken

www.adOpenStatic.com
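
The "master list" approach Ken describes, as an added example that is not code from any poster in this thread: the page loops over its own allow-list rather than over Request.Form, validates each value, and only then writes to the session. The field names, length limits, patterns and the "form_" session-key prefix are assumptions made for the illustration.

```vbscript
<%
Option Explicit

' Allow-list: the only form fields this page accepts, each with a maximum
' length and a pattern the value must match (assumed rules for this example).
Dim rules
Set rules = Server.CreateObject("Scripting.Dictionary")
rules.Add "FirstName", Array(50, "^[A-Za-z][A-Za-z '\-]*$")
rules.Add "LastName",  Array(50, "^[A-Za-z][A-Za-z '\-]*$")
rules.Add "Postcode",  Array(4,  "^\d{4}$")

' True only when the value is non-empty, within the length limit
' and matches the field's pattern from start to end.
Function IsValid(value, rule)
    Dim re
    IsValid = False
    If Len(value) = 0 Or Len(value) > rule(0) Then Exit Function
    Set re = New RegExp
    re.Pattern = rule(1)
    IsValid = re.Test(value)
End Function

Dim fieldName, value, errors
Set errors = Server.CreateObject("Scripting.Dictionary")

' Loop over the allow-list, not over Request.Form: a posted field that is
' not listed (say a constructed "IsAdmin=1") is never read, so it cannot
' create or overwrite a session variable.
For Each fieldName In rules.Keys
    value = Trim(Request.Form(fieldName))
    If IsValid(value, rules(fieldName)) Then
        ' The prefix keeps form data apart from session keys the
        ' application sets itself (login state, roles and so on).
        Session("form_" & fieldName) = value
    Else
        errors.Add fieldName, "missing or invalid"
    End If
Next

' Report rejected fields; names are encoded before being written out.
For Each fieldName In errors.Keys
    Response.Write Server.HTMLEncode(fieldName) & ": " & errors(fieldName) & "<br>"
Next
%>
```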
  #9 (permalink)  
Old June 10th, 2003, 03:17 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: , , Australia.
Posts: 596
Thanks: 1
Thanked 3 Times in 3 Posts

Ken,

I use this loop in a situation where the field contents are not well defined. For e.g. I have a table of attributes which can be added to a delivery of some kind. The list of attributes is defined by the admin user in a set up page. Then the attributes are assigned to a delivery on the creation of a job. I do not know what the field names are or the values they will hold.

so I loop the table to create the form fields which have a prefix appended to the ID for a name

<%= fieldName%>: <input type="text" name="fld_<%= fieldID%>"><BR>

in the ASP processing I loop the request obj, pull out the fields with the prefix, validate as best I can and then do the DB update.

for each obj in request.form
  if left(obj,4) = "fld_" then
    fieldID = right(obj,len(obj)-4)
    fieldValue = request(obj)
    call validate()
    if valid then
      '..do DB stuff
    end if
  end if
next

sub validate()
  valid = true ' assume valid until a check fails
  fieldValue = replace(fieldValue,"'","''")
  fieldValue = replace(fieldValue,"--","")
  if len(fieldValue) < 1 then
    valid = false
    'deal with error message
  end if
  '...any other validation that can be assured like if the DB field has a max size. though I normally limit this in html.
end sub

I grant that the security issues are a problem with this method.
Do you think I should do a search for words that may cause havoc (delete, update, etc.) as well as the ' and --?

Or

How do you approach this situation?

Thanks for your time in considering this and sorry Tim, I have taken over your question a little.
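
One way to handle the dynamic-attribute case above without filtering quotes or keywords, as an added example that is not code from any poster in this thread: the field name must be the prefix plus a plain integer, the value is passed as a typed ADO parameter, and the UPDATE itself confirms that the attribute was assigned to the job. The table and column names, Session("JobID") and Application("ConnectionString") are hypothetical.

```vbscript
<%
Option Explicit
' ADO constants (values as defined in adovbs.inc)
Const adInteger = 3, adVarWChar = 202, adParamInput = 1
Const adCmdText = 1, adExecuteNoRecords = 128
Const MAX_VALUE_LEN = 255                  ' assumed size of the value column

Dim conn, cmd, idPattern, key, value, affected
Set idPattern = New RegExp
idPattern.Pattern = "^fld_[0-9]{1,9}$"     ' prefix plus a plain integer ID, nothing else

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnectionString")  ' hypothetical: set in global.asa

' The SQL text is fixed; values travel as typed parameters, so a quote,
' "--" or a word like DELETE inside a value is stored as data.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "UPDATE JobAttribute SET AttrValue = ? " & _
                  "WHERE JobID = ? AND AttributeID = ?"   ' hypothetical schema
cmd.Parameters.Append cmd.CreateParameter("val", adVarWChar, adParamInput, MAX_VALUE_LEN, "")
cmd.Parameters.Append cmd.CreateParameter("job", adInteger, adParamInput, , CLng(Session("JobID")))
cmd.Parameters.Append cmd.CreateParameter("attr", adInteger, adParamInput, , 0)

For Each key In Request.Form
    If idPattern.Test(key) Then
        value = Trim(Request.Form(key))
        If Len(value) >= 1 And Len(value) <= MAX_VALUE_LEN Then
            cmd.Parameters("val").Value = value
            cmd.Parameters("attr").Value = CLng(Mid(key, 5))   ' digits after "fld_"
            cmd.Execute affected, , adExecuteNoRecords
            ' No row updated: this attribute was never assigned to the job,
            ' so the field name is not one the server generated.
            If affected = 0 Then Response.Write "Unknown attribute ignored<br>"
        End If
    End If
Next
conn.Close
%>
```

The job ID comes from server-side state rather than from a form field, so a submitted form can only touch attributes of the job the server already associated with the session.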

