0x800A0414, but aspfaq 2115 does not seem to apply


Mats

Hi
I run a small business on my own, everything from deliveries to coding
the webshop. This limits the time I can spend on coding, so I hope I'm
not asking too stupid questions.
At present I'm (re)writing "data sanitation" to stop dangerous user
input (from the order form, other input has already been taken care of)
I want some characters to be removed or changed, like ' which could be
found in some names (Mac'Donald)
So I've started out like this:
--------
dim i, koll, test
For i = 1 to Request.Form.Count
    replace(Request.Form(i), "'", "")
    if len(Request.Form(i)) > 45 and Request.Form(i) <> Request.Form("message") or len(Request.Form("message")) > 245 then
        session("var") = "order.asp" 'to know where in terrlog.asp
        Server.Execute("terrlog.asp") 'logs the incident
        response.redirect ("terror.htm") 'custom error message
    end if
    Koll = Request.Form(i) & koll 'concatenate to later check for unwanted characters and if found show terror.htm like above
next
--------
I've tested to use Request.Form.item(i) and in case Request.Form cannot
be changed to put it in a variable
test = Request.Form.item(i)
I've also tested to replace with an x not just with nothing
-------
Invariably this gives the 0x800A0414 error
Microsoft VBScript compilation (0x800A0414)
Cannot use parentheses when calling a Sub
at the replace. Without the replace it works fine.
I don't really see that aspfaq 2115 applies here but I've tested to use
Call replace(Request.Form(i), "'", "")
No error - but also no action, the ' is not replaced.
If I get this working a few more characters and/or words are to be
changed
Any help appreciated.
Mats
PS I posted this before but something went wrong so it did not appear.
In case this appears as a second posting I apologize
 

Ken Schaefer

Replace is a function that returns a result - you need to store it
somewhere:

strMyVariable = Replace(Request.Form(i), "'", "")

Cheers
Ken

 

Tom B

Instead of repeatedly calling the Request.Form object, store those variables
temporarily.
Your replace error has already been explained by Ken, but I'd suggest
cleaning up your loop a little.

Dim formItem
Dim message
Dim koll
Dim test
Dim tmpValue

for each formItem in Request.Form
    tmpValue = Request(formItem)
    'Removes apostrophes. Although I'm sure people whose names
    'have an apostrophe won't appreciate it.
    tmpValue = Replace(tmpValue, "'", "")
    if (len(tmpValue) > 45) AND (formItem <> "message") then
        'Do the error logging stuff
    end if
next
 

Mats

Hi
Thanks for your patience, of course the value returned by replace has to
be stored somewhere. Pity that my son only knows C and not vbscript....
This is a form for name and address and the like and the intention is to
purge input of apostrophes and some words like insert or drop and some
html-formatting to avoid SQL-insert and other unpleasant input.
I've searched but not found out if it is possible to change
request.form.item, but it seems not to be the case. If so I'd have to
build an array to save the purged values for further use down the line
or is there a simpler solution?
The alternative is just to redirect to the error file if unwanted input
exists, but then I'd have to "tolerate" apostrophes, and maybe more.
Mats
 

Bob Barrows

Have you read the SQL Injection FAQ at www.sqlsecurity.com? You may be
overdoing your precautions. Really, all you need to do is replace the
apostrophes with two apostrophes and you've prevented injection. Better yet,
use parameterized queries or stored procedures instead of dynamic SQL.

Bob Barrows
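As an added example (not code from any poster in this thread), here is how Mats's order form could keep his 45/245 length checks and his terrlog.asp/terror.htm handling while taking Bob's advice: the values are copied out of the read-only Request.Form into a Scripting.Dictionary, so nothing has to be stripped, and they reach the database as ADODB.Command parameters, so an apostrophe in "Mac'Donald" can never break out of the SQL text. The table name, column names and connection string are assumed placeholders.

```vbscript
' Added example, not from the thread. Table/column names and the
' connection string are placeholders; field names "name" and "message"
' and the 45/245 limits are taken from the original post.
Const adCmdText = 1, adVarChar = 200, adParamInput = 1, adExecuteNoRecords = 128

' Copies Request.Form into a Dictionary (Request.Form itself cannot be
' changed) and returns Nothing if any field exceeds the form's limits.
Function CollectFormValues()
    Dim clean, key, maxLen
    Set clean = Server.CreateObject("Scripting.Dictionary")
    For Each key In Request.Form
        If key = "message" Then maxLen = 245 Else maxLen = 45
        If Len(Request.Form(key)) > maxLen Then
            Set CollectFormValues = Nothing   ' caller logs and redirects
            Exit Function
        End If
        clean(key) = Trim(Request.Form(key)) ' apostrophes are kept as typed
    Next
    Set CollectFormValues = clean
End Function

' Inserts with a parameterised ADODB.Command: the user's text is sent as
' parameter data, not concatenated into the statement, so a quote in the
' data has nothing to terminate and no doubling of apostrophes is needed.
Sub SaveOrder(conn, values)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO orders (customer_name, message) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("@name", adVarChar, adParamInput, 45, values("name"))
    cmd.Parameters.Append cmd.CreateParameter("@message", adVarChar, adParamInput, 245, values("message"))
    cmd.Execute , , adExecuteNoRecords
End Sub

Dim values, conn
Set values = CollectFormValues()
If values Is Nothing Then
    Session("var") = "order.asp"          ' tells terrlog.asp where it happened
    Server.Execute "terrlog.asp"          ' logs the incident
    Response.Redirect "terror.htm"        ' custom error page; ends the response
End If
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "CONNECTION_STRING_PLACEHOLDER"
SaveOrder conn, values
conn.Close
```

The length check stays as the only rejection rule; keyword lists such as "insert" or "drop" are no longer needed because parameter values are never interpreted as SQL.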
 
