[thelist] Possible Bug Form Validation ASP

Wayne wayne at freelance-developer.co.uk
Wed Feb 23 17:40:35 CST 2005


[Just spent 10 minutes figuring out why an update query wasn't working when
using request.querystring("comments") and textareas.]

That's because a URL is limited to 1024 bytes; this used to be exploited using the ISAPI buffer overflow hack, whereby you could take control of an (older) IIS server by sending code in a URL which exceeds that limitation (eventually it would get run).

w


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org]On Behalf Of Rob Smith
Sent: 23 February 2005 18:37
To: 'thelist at lists.evolt.org'
Subject: RE: [thelist] Possible Bug Form Validation ASP


<snip author="Matt Warden">
  So, you are saying that the code you posted works, but the following does
not?
 
  <%
   if not request.form("submit") = "" then
     ...
   end if
  %>
  <html>
  <form method="post" action="add.asp"></form>
  </html>
</snip>

That's correct. I even set up a <%="Hello?"%> inside the first test there.
No dice.

<tip type="Mixing Textareas and Method=get">
Don't do it. request.querystring("textarea_name") (and possibly
$_get["textarea_name"]) only retrieves the first line of material. Use
method="post" instead of method="get" when retrieving that info.

Just spent 10 minutes figuring out why an update query wasn't working when
using request.querystring("comments") and textareas. It knew that there was
more, but the information was truncated, along with the null end terminating
character. I hope that made sense. 

...unless someone can prove me wrong.
</tip>

Rob