form security

Discussion in 'ASP General' started by middletree, Jan 24, 2004.

  1. middletree

    middletree Guest

I'm doing a simple email form, with just three fields, one each for name,
    email, and the message body of the email. It goes straight to CDO, and takes
    the user to a thank you page.

    What kind of damage can I expect to need to protect myself from? I mean, if
    there were a database involved, I'd need to protect against SQL injection,
    things like that. But in this case, there's no database. I plan to put a
    maxlength on the fields, but is there anything else I should beware of, and
    if so, what can be done about it?
    middletree, Jan 24, 2004
    #1

  2. Well, for one, you might want to protect yourself from being accused of
    being a spammer. Is it easy for me to type in anyone's e-mail address?

    If you explain the purpose of the form, you might get better answers.

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/
    Aaron Bertrand [MVP], Jan 24, 2004
    #2

  3. middletree

    middletree Guest

    Since I don't have the pages on the web yet, I can't show you the finished
    product. But if you go to my web site at www.middletree.net, you'll see by
    clicking the left links that there are several articles--short bible
    studies, really--and I am simply adding a form at the bottom of those pages,
    with two text boxes for name and email address, and a textarea for the
    message that people would put in some message in paragraph form.

    I did this a couple of years ago when I was using FrontPage, but couldn't do
    it in ASP because my host was on Unix. Now, I'm on a Windows host, so I can
    go back to using the forms.

    Yes, I guess anyone can put any email address in there, but often, they will
    want me to reply. I guess that I could remove that field and ask people to
    put their email addy in the textarea, but I'm not sure that would keep me
    from potential spammers.
    middletree, Jan 25, 2004
    #3
  4. Oh, see? It wasn't clear to me that the e-mail address they enter was NOT
    the one you were planning on sending to, using CDO.

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/
    Aaron Bertrand [MVP], Jan 25, 2004
    #4
  5. None that I can think of, other than ensuring there is a maxlength (e.g. to
    avoid buffer overrun attempts).

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/
    Aaron Bertrand [MVP], Jan 25, 2004
    #5
  6. middletree

    middletree Guest

    Right. I can see where that would be a dumb thing to build into a web page.

    Now, back to the OP: (and yes, I looked at aspfaq.com before posting this).
    Is there anything I should put in there to catch potentially bad stuff,
    since there is no database involved?
    middletree, Jan 25, 2004
    #6
  7. middletree

    middletree Guest

    thanks, as always.
    middletree, Jan 25, 2004
    #7
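An added example, not code from the thread or from either poster, of the server-side checks that belong behind the three-field form described above: the HTML maxlength is enforced again on the server (a POST need not come from the browser), the reply address is validated as a single address, and the recipient is fixed in code rather than taken from the form, which is the spam concern raised earlier. It is written in ES3-style JavaScript so it would run as classic ASP JScript as well as under Node; the field names, limits and recipient address are assumptions.

```javascript
// Added example (not from the thread). ES3-compatible on purpose: no let/const,
// arrow functions or Array.forEach, so it runs as classic ASP JScript or in Node.

var LIMITS = { name: 80, email: 254, message: 4000 }; // assumed server-side maxima
var RECIPIENT = "owner@example.invalid";              // fixed in code, never from input

function trimStr(s) { return String(s).replace(/^\s+|\s+$/g, ""); }

// One plain-ASCII mailbox, no spaces or line breaks. Deliberately strict rather
// than RFC-complete: the goal is a usable reply address, not full parsing.
var EMAIL_RE = /^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+$/;

// Returns { ok: bool, errors: [string], clean: { name, email, message } }.
// The HTML maxlength attribute only limits what a browser sends; anything can
// POST to the page directly, so the same limits are enforced again here.
function validateContactForm(fields) {
  var errors = [];
  var clean = {
    name: trimStr(fields.name || ""),
    email: trimStr(fields.email || ""),
    message: trimStr(fields.message || "")
  };
  var key;
  for (key in LIMITS) {
    if (clean[key].length > LIMITS[key]) {
      errors.push(key + " exceeds " + LIMITS[key] + " characters");
    }
  }
  if (clean.name.length === 0) errors.push("name is required");
  if (clean.message.length === 0) errors.push("message is required");
  // Single-line fields must stay single-line and free of control characters.
  if (/[\x00-\x1f\x7f]/.test(clean.name)) errors.push("name contains control characters");
  if (!EMAIL_RE.test(clean.email)) errors.push("email is not a single valid address");
  // In the body, normalise line endings and drop other control characters.
  clean.message = clean.message
    .replace(/\r\n?/g, "\n")
    .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g, "");
  return { ok: errors.length === 0, errors: errors, clean: clean };
}

// Builds the values the ASP page would hand to its CDO.Message. The recipient is
// the site owner's fixed address; the visitor's address goes only into the
// reply-to and the body, so the form cannot be used to mail third parties.
function buildMessageFields(clean) {
  return {
    to: RECIPIENT,
    replyTo: clean.email,
    subject: "Web form message from " + clean.name,
    body: "Name: " + clean.name + "\nEmail: " + clean.email + "\n\n" + clean.message
  };
}
```

Under classic ASP the fields come from Request.Form, and the page only calls Send on the CDO.Message when `ok` is true, otherwise it re-displays the form with the errors.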
