Looping Forms Collection Error

[greg]

HI,

I have an asp page that loops through the forms collection gathering data
from input controls that web surfers have entered in. The problem I have is
when I get to the submit button, I get the follow error "Type mismatch:
'[string: "Send Me the Brochure"]' " "send me the brochure" is the text on
the submit button. I don't know how to have the loop skip the submit
button. Any help would be appreciated.

here is the code:

dim x
For x = 1 to Request.Form.Count
'brochure names are prefixed with a b to identify them from the forms
collection
if left(Request.Form.Key(x),1)= "b" then
'check if order count is > 0, if so add it to the orderdetail table
if Request.Form.Item(x) > 0 then
mysql = "INSERT INTO tblOrderDetail (OrderID, BrochureID,
Quanity) VALUES ('" & intOrderID & "','" & right(Request.Form.Key
(x), len(Request.Form.Key(x))-1) & "','" & Request.Form.Item(x) & "')"
'Response.Write(mysql & "<br>")
ConnOrders.Execute mysql
end if
End if

'Response.Write Request.Form.Key(x) & " = "
'Response.Write Request.Form.Item(x) & "<br>"
Next


Greg

 

[slagomite]

The more natural way to do this in ASP.NET would be to loop through the
Page object's Controls collection. For example:

Dim strCtrlValue As String

For Each ctrl As System.Web.UI.Control In Me.Controls
If TypeOf ctrl Is System.Web.UI.WebControls.TextBox Then
strCtrlValue = CType(ctrl, TextBox).Text
' (do your work now using the strCtrlValue variable,
' or just use CType(ctrl, TextBox).Text directly)
End If
Next

(I'm not a 100% on the VB syntax since I use C#...)
This way, you're explicitly checking that the type of the form control
is a TextBox (or whatever type of control(s) you're looking for), and
thus your submit button won't be used.

As a very important aside -- the way you're creating your SQL query
string is *extremely* dangerous. It can easily be exploited by
hackers. For example, if a hacker was to type in the following for one
of the form fields:

) DELETE tblOrderDetail --

Your entire tblOrderDetail table would be wiped out. (This is called
"sql injection".) You should look into using the ADO.NET command
object, and parameterized queries.

HTH
Luke

 

[slagomite]

Also, to check for "b" at the beginning of the control's ID, you should
use:

If ctrl.ClientID.StartsWith("b") Then
...
End If

(Do this after you check the type of ctrl).

Luke

 

[greg]

Luke,

thank you for your reply, I am not familiar with AD0.NET. Would this be a
lot of work to set up?

Greg

 

[greg]

these pages will reside on a Microsoft 2003 server with IIS 6.0

 

[slagomite]

Oh... You're using classic ASP, not ASP.NET? You're in the wrong
newsgroup... Sorry, you'll have to disregard (most of) my response.
The SQL injection stuff definitely still applies, though.

Try the ASP newsgroup:
microsoft.public.inetserver.asp.general

Luke