ASP (not .net) 1.1

A

aspquerrier

Hi, I have a question on ASP (not .NET) I need (due to a strange ASP page
design I am modifying) to pass a value from the querystring (which is
received from the URL calling the form) to a HTML Submit input box so that it
will be passed on to the form itself in a secondary iteration (the form is
used as submitting to itself with many other values in user typed input
fields which are passed succesfully). If I try to pass the querystring to a
variable, and read the variable, it is empty after the user clicks 'submit'.
So the question is, how does one programmatically populate a HTML text field
with a value from the quesrystring (URL)? or, how does one programmatically
pass a querystring value to the form itself if it submits to itself?
Thanks
 
E

Evertjan.

=?Utf-8?B?YXNwcXVlcnJpZXI=?= wrote on 22 nov 2008 in
microsoft.public.inetserver.asp.general:
Hi, I have a question on ASP (not .NET) I need (due to a strange ASP
page design I am modifying) to pass a value from the querystring
(which is received from the URL calling the form) to a HTML Submit
input box so that it will be passed on to the form itself in a
secondary iteration (the form is used as submitting to itself with
many other values in user typed input fields which are passed
succesfully). If I try to pass the querystring to a variable, and read
the variable, it is empty after the user clicks 'submit'. So the
question is, how does one programmatically populate a HTML text field
with a value from the quesrystring (URL)? or, how does one
programmatically pass a querystring value to the form itself if it
submits to itself? Thanks

<input value='<%=request.querystring("myValue")%>' name='myValue'>
 
A

aspquerrier

Thanks it worked beautifully.
Still, I don't understand why just trying to use the request.querystring
didn't work just before the submit to self part. It does work in the earlier
part of the form but later the same statement gives a blank value. (What I
originally tried to do was simly to do this:
<FORM METHOD="post" ACTION="https:/website.com/page.asp?prm=" &
request.querystring("prmname")
I also tried to pass its value to a variable in the early part but the
variable was empty when reaching the above code.

But between the two statements there are alternating html and asp sections,
perhaps variables and the querystring don't keep values between these?
I'd prefer to do it with a variable because it seems more secure than a
hidden textbox.

Thanks again
 
E

Evertjan.

=?Utf-8?B?YXNwcXVlcnJpZXI=?= wrote on 23 nov 2008 in
microsoft.public.inetserver.asp.general:

[Please do not toppost and quote signatures on usenet]
Thanks it worked beautifully.
Still, I don't understand why just trying to use the
request.querystring didn't work just before the submit to self part.
It does work in the earlier part of the form but later the same
statement gives a blank value. (What I originally tried to do was
simly to do this: <FORM METHOD="post"
ACTION="https:/website.com/page.asp?prm=" &
request.querystring("prmname")

You are doing a form-post and a de facto form-get at the same time.
This "works" somewhat but there is not much sense in it.
I also tried to pass its value to a
variable in the early part but the variable was empty when reaching
the above code.

in sound code that is not possible,
a serverside variable does not loose it's value just by accident.
But between the two statements there are alternating html and asp
sections, perhaps variables and the querystring don't keep values
between these?
No.

I'd prefer to do it with a variable because it seems
more secure than a hidden textbox.

Sorry, I do not understand what you mean,
this perhaps:

<%
temp = request.querystring("myValue")
%>
<input value='<%=temp %>' name='myValue'>

That is not more secure. If you send a variable value to the client,
that value is NOT and NEVER secure.

Do you bychance mean a [serverside, of course] session variable?

If you send the value of a session variable to the client,
also that is not secure.

A session variable value in itself is secure on the server!
 
D

Daniel Crichton

Evertjan. wrote on 22 Nov 2008 20:18:12 GMT:
=?Utf-8?B?YXNwcXVlcnJpZXI=?= wrote on 22 nov 2008 in
microsoft.public.inetserver.asp.general:
<input value='<%=request.querystring("myValue")%>' name='myValue'>

I would highly recommend not doing that. At the very least do some basic
handling of the querystring value:

<input value='<%=server.htmlencode(request.querystring("myValue"))%>'
name='myValue'>

Without the server.htmlencode call the browser can pass HTML or script code
into the page and have it rendered within the page on the site, leaving
visitors who follow a malicious link open to potential risk. For instance,
with very little in the value the link could close the form and then open a
new one, so that the form contents are sent to an entirely different server
than the visitor expected.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top