
SQL injection help

19 Oct 2002 21:25:05 Dave Clarke posted:
OK, so we've all read about this, but how do we protect ourselves from it?

I have behaviours that can check form fields and make sure only the data we want is allowed to be entered, but what about a memo field?

I have a field in my form for users to post a message. Now obviously they need to be able to use punctuation in this field and possibly the odd '=' or any other special character, so how can I validate that?

Also, how can I validate a URL parameter, such as in a "go to detail page" link?

I'm sure something else will come to mind that needs validating, but that's it for now :)

Any thoughts/ideas?

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome

Replies

20 Oct 2002 07:33:45 Dave Clarke replied:
Hi

I've found a validation for the message ID URL parameter used in the "go to detail page" behaviour.

When you set up the recordset on the detail page, instead of simply

Name - MMColParam
Default Value - 1
Run Time Value - Request.QueryString("MessageID")

add a CLng to the run time value like this:

CLng(Request.QueryString("MessageID"))

This will then only accept long integers as the message ID, so no one can add anything nasty to the URL parameter.

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome
22 Oct 2002 16:18:49 Dave Clarke replied:
Is there anybody out there???

Does anybody know the dodgy characters that we don't want undesirables adding to URLs and querystrings?
I know one of them is the single quote. Now, would this work, and if so where would I put this code?

Replace(Request.Form("txtUsername"), "'", "''")

I think this would replace single quotes with 2 single quotes.

thanks

Dave

ASP|VBScript|IIS5.1|WinXPPro & WinXPHome

Edited by - Davecl on 22 Oct 2002 16:26:35
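A combined classic ASP example covering both questions raised in this thread (the CLng check on the numeric URL parameter, and a safer way to store the free-text memo field than doubling quotes by hand). This is an added illustration, not code from any of the posts; the table and columns Messages(MessageID, Body), the form field txtMessage and the open ADODB.Connection named conn are assumptions.

```vbscript
<%
' Added example for this thread, not code from any of the posts.
' Assumes a table Messages(MessageID, Body) reached through an already
' open ADODB.Connection named conn (hypothetical); adjust to your own names.
'
' The pattern both checks defend against is building SQL by concatenation:
'   "SELECT * FROM Messages WHERE MessageID = " & Request.QueryString("MessageID")

' 1. Numeric URL parameter: CLng() raises a type mismatch on anything that
'    is not a number, so trap the error instead of letting the page die.
Function SafeMessageID(rawValue)
    On Error Resume Next
    SafeMessageID = CLng(rawValue)
    If Err.Number <> 0 Then
        SafeMessageID = 0        ' 0 is treated as "no valid id" (assumption)
        Err.Clear
    End If
    On Error GoTo 0
End Function

Dim msgID
msgID = SafeMessageID(Request.QueryString("MessageID"))
If msgID = 0 Then
    Response.Write "Invalid message id."
    Response.End
End If

' 2. Free-text memo field: rather than escaping quotes yourself, pass the
'    text to the driver as a parameter. Punctuation, '=' and quotes are then
'    stored literally and never interpreted as part of the SQL statement.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1              ' adCmdText
cmd.CommandText = "UPDATE Messages SET Body = ? WHERE MessageID = ?"
' ADO constants: adLongVarWChar = 203, adInteger = 3, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("Body", 203, 1, 4000, Request.Form("txtMessage"))
cmd.Parameters.Append cmd.CreateParameter("MessageID", 3, 1, , msgID)
cmd.Execute
%>
```

The CLng check still belongs on every numeric querystring or form value; the parameter approach replaces the Replace(..., "'", "''") idea for any text the user is allowed to type freely.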
