Solved

form validation blank space

Posted on 2005-04-17
Last Modified: 2012-06-27
Hi, please can anyone visit this link (it is for a university coursework) and let me know how, after JavaScript validation, someone is still able to add empty blogs?

Basically I do not want empty blogs, but in the blog section I must accept white spaces between words (e.g.: blabla   blabla)

Please note that I am a beginner and therefore I need a step by step example.

Please HELP I am having a war with an unknown user...

the link is:   http://www45.brinkster.com/brillox/blogs.asp

please help me to win this war !!
Question by:brillox
57 Comments
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13801768
Service Unavailable

But you really need to test in your ASP too since anyone can turn JS off or copy the form to another page and remove the javascript

Author Comment

by:brillox
ID: 13802515
How ?

Please give me a suggestion
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13802595
first I would use
function checkString(theForm) {
  var strval = theForm.GuestName.value;
  if (!testAlphaNumOnly(strval)) {
    alert("Guest Name is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestName.focus();
    return false
  }
  strval = theForm.GuestSurname.value;
  if (!testAlphaNumOnly(strval)) {
    alert("Guest Surname is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestSurname.focus();
    return false
  }
  strval = theForm.Comment.value;
  if (!testAlphaNumOnly(strval)) {
    alert("Comment is a required field & ONLY alphanumeric entries allowed")
    theForm.Comment.focus();
    return false
  }
  return true
}

and
<form .... onsubmit ="return checkString(this)">

notice the "this"

then in my asp I would do something like

<%
' VBScript: no semicolons, and the keywords are ElseIf / End If
errorText = ""
If Trim(Request.Form("GuestName")) = "" Then
  errorText = "Please enter a valid guest name"
ElseIf Trim(Request.Form("GuestSurname")) = "" Then
  errorText = "Please enter a valid guest surname"
ElseIf Trim(Request.Form("Comment")) = "" Then
  errorText = "Please enter a Comment"
End If

If errorText = "" Then saveForm.....
%>

Author Comment

by:brillox
ID: 13802637
thanks mplungjan.

Below my ASP code, can you please show me where you will add your ASP code?

<%@language="VBScript"%>
 
<html>

<head>
<title>Blog added, Thank you</title>
<link rel="stylesheet" type="text/css" href="pageStyle.css">
</head>

<body topmargin="200">
                  <!--start of ASP code-->

<%
Dim myDB, sRootPath, sPath, sProvider

Set myDB = Server.CreateObject("ADODB.Connection")

'open the database
sProvider = "Provider=Microsoft.Jet.OLEDB.4.0;"
sRootPath = Server.MapPath("\brillox\db")
sPath = "Data Source=" & sRootPath & "\Blog.mdb;"
myDB.Open sProvider & sPath

Const adOpenKeyset = 1
Const adLockOptimistic = 3

Dim rsAddBlog
Set rsAddBlog = Server.CreateObject("ADODB.Recordset")

'Initialise the strSQL variable with an SQL statement to query the database with
strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"

'Open the recordset with the SQL query
rsAddBlog.Open strSQL, myDB, adOpenKeyset, adLockOptimistic

'Tell the recordset we are adding a new record to it
rsAddBlog.AddNew

'Add a new record to the recordset
rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
rsAddBlog.Fields("Blog") = Request.Form("Blog")

'Write the updated recordset to the database
rsAddBlog.Update

'Reset server variables
rsAddBlog.Close
Set rsAddBlog = Nothing
myDB.Close
Set myDB = Nothing

'Redirect to the AddBlog.htm page
'Response.Redirect "AddBlog.htm"
%>
            <!--END of ASP code-->
           
            <!-- start of few html line of code for page links-->
            <h1 align="center"><font size="5"><b>BRILLOXWEBLOG</b></font></h1>
            <p align="center"><b><font size="4" color="#FFFF00">Blog added, thanks</font></b></p>
            <p align="center"><a title="Add a new Blog" href="AddBlog.htm">Add a new Blog</a><br><br>
            <a title="Show all Blogs" href="Blogs.asp">show all blogs</a></p>

</body>
</html>
            

Author Comment

by:brillox
ID: 13802641
I also noticed that, regardless of my above code, someone is still able to add empty blogs. Is this because they switch off the JavaScript in some way, or what? I am going mad trying to stop people adding empty blogs.. they try everything: tab, space, <br>, &nbsp; etc etc
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13802656
Does not look like we have the same fieldnames...
        <!--start of ASP code-->

<%
Dim myDB, sRootPath, sPath, sProvider, testFields
' Each condition sits on its own line, so VBScript needs the " _" continuation character
If Trim(Request.Form("AuthorName")) = "" OR _
   Trim(Request.Form("AuthorSurname")) = "" OR _
   Trim(Request.Form("BlogTitle")) = "" OR _
   Trim(Request.Form("Blog")) = "" THEN
    Response.Redirect "AddBlog.htm" ' or error page or show the form with errors
Else
    Set myDB = Server.CreateObject("ADODB.Connection")
    .
    .
    .
End If
%>
            <!--END of ASP code-->  
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13802662

Author Comment

by:brillox
ID: 13802722
Thanks mplungjan..

Do you have any idea how (at the moment) users are still able to enter blank blogs? I tried myself, and if I hit the tab or the enter keys or leave the fields blank, the validation works. How does this user manage to add a new blog? He claims that he has the "POWER" and I hate that...

any idea ... ????

Author Comment

by:brillox
ID: 13802750
Hi mplungjan, I updated the code as below, but it doesn't work... now when I press submit without adding any value, the form is accepted.

<script language="javascript">
function testAlphaNumOnly(formFIeldValue)
{
    return       /[a-z0-9]/gi.test(formFIeldValue)
}
function checkString(theForm)
{
  var strval = theForm.GuestName.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Guest Name is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestName.focus();
    return false
  }
  strval = theForm.GuestSurname.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Guest Surname is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestSurname.focus();
    return false
  }
  strval = theForm.BlogTitle.value;
   if (!testAlphaNumOnly(strval))
          {
              alert("Blog Title is aRequired Field and tab space or blank space are NOT allowed")
          theform.BlogTitle.focus();
          return false
          }
  strval = theForm.Comment.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Comment is a required field & ONLY alphanumeric entries allowed")
    theForm.Comment.focus();
    return false
  }
  return true
}
</script>


.....
<form name="theForm"  method=post action="AddOneBlog.asp" onsubmit ="return checkString(this)">

Author Comment

by:brillox
ID: 13802754
I also added your code in the ASP page as follows... but it doesn't work... what am I doing wrong??

<!--start of ASP code-->

<%
Dim myDB, sRootPath, sPath, sProvider, testFields
' Server-side check: runs whether or not the browser ran the JavaScript.
' Each condition sits on its own line, so VBScript needs the " _" continuation character.
If Trim(Request.Form("AuthorName")) = "" OR _
   Trim(Request.Form("AuthorSurname")) = "" OR _
   Trim(Request.Form("BlogTitle")) = "" OR _
   Trim(Request.Form("Blog")) = "" THEN
    Response.Redirect "AddBlog.htm" ' or error page or show the form with errors
Else

    Set myDB = Server.CreateObject("ADODB.Connection")

    'open the database
    sProvider = "Provider=Microsoft.Jet.OLEDB.4.0;"
    sRootPath = Server.MapPath("\brillox\db")
    sPath = "Data Source=" & sRootPath & "\Blog.mdb;"
    myDB.Open sProvider & sPath

    Const adOpenKeyset = 1
    Const adLockOptimistic = 3

    Dim rsAddBlog
    Set rsAddBlog = Server.CreateObject("ADODB.Recordset")

    'Initialise the strSQL variable with an SQL statement to query the database with
    strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"

    'Open the recordset with the SQL query
    rsAddBlog.Open strSQL, myDB, adOpenKeyset, adLockOptimistic

    'Tell the recordset we are adding a new record to it
    rsAddBlog.AddNew

    'Add a new record to the recordset
    rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
    rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
    rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
    rsAddBlog.Fields("Blog") = Request.Form("Blog")

    'Write the updated recordset to the database
    rsAddBlog.Update

    'Reset server variables
    rsAddBlog.Close
    Set rsAddBlog = Nothing
    myDB.Close
    Set myDB = Nothing

    'Redirect to the AddBlog.htm page
    'Response.Redirect "AddBlog.htm"
End If
%>
            <!--END of ASP code-->
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13804496
Do you have it online somewhere,

and what does your ASP log tell you goes wrong? I am NOT an ASP programmer, so whatever I did in ASP was for you to correct.
LVL 14

Expert Comment

by:kiddanger
ID: 13804613
You're not checking for invalid characters or only accepting valid ones.  You're only testing if the field is blank, and an invisible character will not show but the field will not be blank.

First thing to do is encode the input so invisible characters are easily manipulated if you want to check for invalid characters.

This is very bad for security reasons:

rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
rsAddBlog.Fields("Blog") = Request.Form("Blog")

BTW... I turned off javascript and tested your form and you now have another empty blog entry.  (O:=
So, now let's try to fix it.

See if you can get this to fail:
I tested it with javascript enabled and disabled but I haven't completely looked at SQL injection although currently it's not tied to a database.
http://kiddanger.com/lab/validcharacters.asp


Author Comment

by:brillox
ID: 13804745
Hi mplugjan,

you can see the web at    http://www45.brinkster.com/brillox/blogs.asp

however now I uploaded the old version of the data validation (but apparently it does not work with JavaScript disabled). With your code I didn't have any error; the form was just accepted with all the fields blank.


Author Comment

by:brillox
ID: 13804791
Hi Kiddanger,

I appreciate your help; at the moment I changed my table in the Access database and now the blog fields are required and null values are not accepted, therefore also with JavaScript disabled blank blogs are not accepted. However in this case I receive one of those horrible error messages from the Access database.

I know that I can use a try/catch, but because I am new to this kind of things I do not know exactly how to personalize it. Above you will find a copy of my code. Do you think that this will be a good solution?
LVL 14

Expert Comment

by:kiddanger
ID: 13804929
The link does not provide your code, only the client-side can be seen.  It helps when you show the error.  Have you tested the link I provided to see if you can make it fail?  I'll see if I can enter another blank entry in your blog.

LVL 14

Expert Comment

by:kiddanger
ID: 13804946
The error you're getting is a javascript error, line 17.
LVL 14

Expert Comment

by:kiddanger
ID: 13804955
BTW...  You shouldn't post that you've solved the issue until this is actually fixed.  I just made another blank entry.  (O:=  You must have posted right after mine.
LVL 14

Expert Comment

by:kiddanger
ID: 13805018
Just to make sure you were posting when I did, since you don't show the time posted, I tried again.  You now have two blank entries.

Author Comment

by:brillox
ID: 13805333
You are right !!

but if I try to add an empty blog I get this (after changing access db table)

Microsoft JET Database Engine error '80040e21'

Field 'Blogs.AuthorName' cannot be a zero-length string.

/brillox/AddOneBlog.asp, line 46

So how are you able to add a new blog?

Author Comment

by:brillox
ID: 13805342
By the way..

 I cancell empty blogs ( I can accept that the user that I am in war with see another EMPTY BLOG!!)

Please help

Author Comment

by:brillox
ID: 13805355
I tested your link and it works, but to be really honest... I do not know how to adapt it to my code... I am a very, very beginner!!

Author Comment

by:brillox
ID: 13805361
typos... " I cancelled empny blogs ( I can NOT accept...."

Author Comment

by:brillox
ID: 13805622
Basically (kiddanger) what I do not understand of your code (form) is
 document.getElementById  (where does "ById" come from?)

and the way that you design text fields (it looks like it is not really HTML).
Please note that this means that it is me who does not understand, not that your code is not clear.
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13805777
No need to change your script to use document.getElementById; it will fail in older browsers.

You need to remove the extra
<script language="javascript">


you have in front of
String.prototype.trim = function()

I get
Error: syntax error
Source File: http://www45.brinkster.com/brillox/AddBlog.htm
Line: 18
Source Code:
<script language="javascript">
LVL 14

Expert Comment

by:kiddanger
ID: 13805792
brillox...

You're not looking at my server-side code.  Don't worry about the javascript.  That's just there to keep the server from taking hits.  You still have to validate on the server-side.  I'm going to make my server-side code available so you can see it.  All I'm doing is validating, not the database part, because the connection to the database is something I don't have in my code.  I used FF and turned off javascript and tested it the same way I'm able to put blank entries in your blog, and it fails on mine, which is what we want.

Ok, go back here:
http://kiddanger.com/lab/ss_validcharacters.asp

There is a link at the bottom on the left to view the source.
LVL 14

Expert Comment

by:kiddanger
ID: 13805887
Sorry.. that's a direct link.
http://kiddanger.com/lab/validcharacters.asp is the form.  The other link just saves a step.

Author Comment

by:brillox
ID: 13806567
OK kiddanger, but do I have to change my form design to yours (code below)?

<form name="blogform" method="post" action="" onsubmit="return isvalid()">
 <table>
 <tr><td class="labels">First Name:</td><td class="values"><input id="blogFirst" name="blogFirst" type="text" value="<%=strFirst%>" /></td></tr>
 <tr><td class="labels">Last Name:</td><td class="values"><input id="blogLast" name="blogLast" type="text" value="<%=strLast%>" /></td></tr>
 <tr><td class="labels">Subject:</td><td class="values"><input id="blogSubject" name="blogSubject" type="text" value="<%=strSubject%>" /></td></tr>
 <tr><td class="labels">Blog:</td><td class="values"><textarea id="blogText" name="blogText" rows="5" cols="40"><%=strText%></textarea></td></tr>
 <input name="postback" type="hidden" value="postback" />
 <tr><td></td><td><input type="submit" value="Blog" /><input type="reset" /></td></tr>
 </table>
 </form>

THIS IS MY FORM..

<form name="form"  method=post action="AddOneBlog.asp" onsubmit ="return checkString();">                  

                       <table border="1" width="100%" bordercolor="#000000" >
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Name: </td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorName" maxlength="50" size="30"></td>
                    </tr>
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Surname:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorSurname" maxlength="50" size="30"></td>
                    </tr>
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog Title:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="BlogTitle" maxlength="50" size="30"></td>
                    </tr>
                   
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog:</td>
                        <td bgcolor="#C0C0C0"> <textarea name="Blog" rows="4" cols="50"> </textarea></td>
                    </tr>
                   
                   
                    </table>
               
        <p align="center">
          <input type="submit" name="Submit Form" value="Submit">&nbsp;&nbsp;&nbsp;
                <input type="reset" name=" Reset Form" value="Reset">
                         </p>
                         
                         
                         </form>

Author Comment

by:brillox
ID: 13806759
GUYS I AM TOTALLY CONFUSED NOW!!

I really need examples with my code. I apologize, but for me as a beginner it is very hard to adapt someone else's code.. can any of you give a working example with my code?

Author Comment

by:brillox
ID: 13806900
THANKS MPLUNGJAN !!

I could not believe that I had two times  <script language="javascript">
at least now the code is working... but the question is always.. WHAT IF JAVASCRIPT IS TURNED OFF?

and for this I need a clear example with my code, therefore below is the LAST VERSION of the code at the moment;

THIS IS THE CODE OF  http://www45.brinkster.com/brillox/AddBlog.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>
<head>
<title> Add a new blog</title>
<meta name="keywords" content=" weblog, Dundee University log, Dundee blog, students blogs">
<meta name="description" content=" this is Massimo Brillante weblog assignment for Dundee University 2nd year">
<meta name="author" content=" Massimo Brillante">
<meta name="copyright" content="Copyright © 2005-2010 Massimo Brillante and ... All Rights Reserved">
<link rel="stylesheet" type="text/css" href="pageStyle.css">

<script language="javascript">

function testAlphaNumOnly(formFieldValue)
{
    // no "g" flag: with it, test() on a regex literal keeps lastIndex between calls
    // and can reject a valid value in the next field
    return  /^[a-z0-9 ]+$/i.test(formFieldValue)
}

String.prototype.trim = function()    
{
    var ar = /^\s*([\s\S]*\S+)\s*$/.exec(this);
    return ar ? ar[1] : "";
}  
function checkString()
{
   document.form.AuthorName.value = document.form.AuthorName.value.trim();
   document.form.AuthorSurname.value = document.form.AuthorSurname.value.trim();
   document.form.BlogTitle.value = document.form.BlogTitle.value.trim();
   document.form.Blog.value = document.form.Blog.value.trim();

 var strval = document.form.AuthorName.value;
  if (!testAlphaNumOnly(strval))
     {
     document.form.AuthorName.focus();
     alert(" Author name is aRequired Field & ONLY Aplhanumeric Entries Allowed")
     return false
     }
     strval = document.form.AuthorSurname.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.AuthorSurname.focus();
          alert("Author Surname is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.BlogTitle.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.BlogTitle.focus();
          alert("Blog Title is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.Blog.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.Blog.focus();
          alert("Blog is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
return true
}
</script>


</head>
<body > 
<noscript>Your browser does not support JavaScript!</noscript>

    <table ALIGN="center" border="0" width="90%">
         <tr>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" alt="add a new blog" align="left"></font></td>
             <td bgcolor="#000000">
             <h1 align="center">BRILLOX WEB-LOG</h1>
             </td>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" align="right" alt="add a new blog"></font></td>
         </tr>
     </table>

     <table align="center" border="1" width="90%">
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h1 align="center">YOU ARE IN &quot;<font color="#FFFF00">ADD A NEW BLOG</font>&quot;
             SECTION</h1>
             </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h2><font color="#FFFFFF">(Fill in all the form and click on
             submit)</font></h2>
             </td>
         </tr>
             <tr>
             <td bgcolor="#C0C0C0" nowrap valign="top" align="left">
      <p><font size="4" color="#800000">NAVIGATION</font></p>
             
             
      <p><a title="back to the home page" href="index.htm"> Home page</a></p>
      <p><a title="Show all Blogs" href="blogs.asp">Show all Blogs</a></p>
             
             <p>Add Blog</p>
             <p><a title="Add a comment" href="CommentSelect.asp">Add a Comment</a></p>
             <p><a title="Administration area" href="loginAdmin.htm">Admin area</a></p>
             
             <p><a title="Contact us info" href="contactInfo.htm">contact us </a></p>
             
             <p><a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">email us</a></p>
             
             </td>
             
             <td align="left" valign="top" bgcolor="#FFFFFF" width="81%">
      <form name="form"  method=post action="AddOneBlog.asp" onsubmit ="return checkString();">                  

                       <table border="1" width="100%" bordercolor="#000000" >
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Name: </td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorName" maxlength="50" size="30"></td>
                    </tr>
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Surname:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorSurname" maxlength="50" size="30"></td>
                    </tr>
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog Title:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="BlogTitle" maxlength="50" size="30"></td>
                    </tr>
                   
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog:</td>
                        <td bgcolor="#C0C0C0"> <textarea name="Blog" rows="4" cols="50"> </textarea></td>
                    </tr>
                   
                   
                    </table>
               
        <p align="center">
          <input type="submit" name="Submit Form" value="Submit">&nbsp;&nbsp;&nbsp;
                <input type="reset" name=" Reset Form" value="Reset">
                         </p>
                         
                         
                         </form>
                         </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#C0C0C0">Webmaster: Massimo Brillante :
             <font color="#FFFFFF">&nbsp;<a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">mbrillante@computing.dundee.ac.uk</a></font></td>
         </tr>
     </table>

</body>
</html>

Author Comment

by:brillox
ID: 13806916
AND THIS IS THE CODE OF  http://www45.brinkster.com/brillox/AddOneBlog.asp


 <%@language="VBScript"%>
 
<html>

<head>
<title>Blog added, Thank you</title>
<link rel="stylesheet" type="text/css" href="pageStyle.css">
</head>

<body topmargin="200">
                  <!--start of ASP code-->

<%
Dim myDB, sRootPath, sPath, sProvider

Set myDB = Server.CreateObject("ADODB.Connection")

'open the database
sProvider = "Provider=Microsoft.Jet.OLEDB.4.0;"
sRootPath = Server.MapPath("\brillox\db")
sPath = "Data Source=" & sRootPath & "\Blog.mdb;"
myDB.Open sProvider & sPath

Const adOpenKeyset = 1
Const adLockOptimistic = 3

Dim rsAddBlog
Set rsAddBlog = Server.CreateObject("ADODB.Recordset")

'Initialise the strSQL variable with an SQL statement to query the database with
strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"

'Open the recordset with the SQL query
rsAddBlog.Open strSQL, myDB, adOpenKeyset, adLockOptimistic

'Tell the recordset we are adding a new record to it
rsAddBlog.AddNew

'Add a new record to the recordset
rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
rsAddBlog.Fields("Blog") = Request.Form("Blog")

'Write the updated recordset to the database
rsAddBlog.Update

'Reset server variables
rsAddBlog.Close
Set rsAddBlog = Nothing
myDB.Close
Set myDB = Nothing

'Redirect to the AddBlog.htm page
'Response.Redirect "AddBlog.htm"
%>
            <!--END of ASP code-->
           
            <!-- start of few html line of code for page links-->
            <h1 align="center"><font size="5"><b>BRILLOXWEBLOG</b></font></h1>
            <p align="center"><b><font size="4" color="#FFFF00">Blog added, thanks</font></b></p>
            <p align="center"><a title="Add a new Blog" href="AddBlog.htm">Add a new Blog</a><br><br>
            <a title="Show all Blogs" href="Blogs.asp">show all blogs</a></p>

</body>
</html>
            
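As an added example (not code posted by anyone in this thread), here is a server-side check for the top of AddOneBlog.asp that covers both points made above: Michel's, that the check must run in ASP because the browser may never execute the JavaScript, and kiddanger's, that testing for "blank" is not enough because VBScript's Trim() only strips ordinary spaces, so the tab, newline, &nbsp; and <br> tricks mentioned in the question still count as "not blank" unless they are normalised first. The field names are those of brillox's form; the function names, the Dictionary and the error page wording are my own assumptions.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' Added example for AddOneBlog.asp (not the thread's own code).
' Field names AuthorName, AuthorSurname, BlogTitle and Blog come from brillox's form.
' The allowed-character rule mirrors the page's JavaScript (/^[a-z0-9 ]+$/i):
' letters, digits and ordinary spaces, so "blabla   blabla" is accepted.

' Turn every way of "looking blank" into plain spaces before trimming.
' Trim() removes only Chr(32), so tabs, CR/LF, non-breaking spaces
' (Chr(160), which is what a pasted &nbsp; arrives as) and tags such as <br>
' have to be dealt with first.
Function NormaliseField(ByVal s)
    Dim re
    s = "" & s                          ' force the Request.Form item to a plain string
    s = Replace(s, vbTab, " ")
    s = Replace(s, vbCr, " ")
    s = Replace(s, vbLf, " ")
    s = Replace(s, Chr(160), " ")
    s = Replace(s, "&nbsp;", " ")       ' the literal entity text, if typed into the form
    Set re = New RegExp
    re.Global = True
    re.Pattern = "<[^>]*>"              ' any HTML tag, e.g. <br> or </p>
    s = re.Replace(s, " ")
    NormaliseField = Trim(s)
End Function

' True only if the normalised value has at least one character and every
' character is a letter, a digit or a space.
Function IsValidField(ByVal s)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[a-z0-9 ]+$"
    IsValidField = re.Test(s)
End Function

Dim fieldNames, i, clean, errors
fieldNames = Array("AuthorName", "AuthorSurname", "BlogTitle", "Blog")
Set clean = Server.CreateObject("Scripting.Dictionary")
errors = ""

For i = 0 To UBound(fieldNames)
    clean(fieldNames(i)) = NormaliseField(Request.Form(fieldNames(i)))
    If Not IsValidField(clean(fieldNames(i))) Then
        ' Only our own constant text is written back, never the submitted value
        errors = errors & "<li>" & fieldNames(i) & _
                 " is required and may contain only letters, digits and spaces.</li>"
    End If
Next

If errors <> "" Then
    ' Stop here: nothing reaches the database, whether or not the browser ran the JavaScript
    Response.Write "<p>The blog was not added:</p><ul>" & errors & "</ul>"
    Response.Write "<p><a href=""AddBlog.htm"">Back to the form</a></p>"
    Response.End
End If

' From here the thread's own database code can run unchanged, except that the
' normalised values are stored instead of the raw Request.Form ones:
'   rsAddBlog.Fields("AuthorName")    = clean("AuthorName")
'   rsAddBlog.Fields("AuthorSurname") = clean("AuthorSurname")
'   rsAddBlog.Fields("BlogTitle")     = clean("BlogTitle")
'   rsAddBlog.Fields("Blog")          = clean("Blog")
' When blogs.asp prints them back, wrap each value in Server.HTMLEncode(...) so
' stored text is shown as text rather than interpreted as HTML.
%>
```

With this in place, a submission of "   ", a tab, "<br>" or "&nbsp;" in any field is rejected on the server, while "blabla   blabla" passes because the pattern allows spaces between words.
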
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13809954
I will let Kid handle that.
LVL 14

Expert Comment

by:kiddanger
ID: 13811288
brillox...

I was doing this with one file.  You're doing it with two.  Do you want to keep it as a 2 page process?

Author Comment

by:brillox
ID: 13811311
The less I have to change, the less mess I'll make!!! (sorry for my English, I am Italian)

Author Comment

by:brillox
ID: 13811316
However I now have another version of addblog.html.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>
<head>
<title> Add a new blog</title>
<meta name="keywords" content=" weblog, Dundee University log, Dundee blog, students blogs">
<meta name="description" content=" this is Massimo Brillante weblog assignment for Dundee University 2nd year">
<meta name="author" content=" Massimo Brillante">
<meta name="copyright" content="Copyright © 2005-2010 Massimo Brillante and ... All Rights Reserved">
<link rel="stylesheet" type="text/css" href="pageStyle.css">

<script language="javascript">

function testAlphaNumOnly(formFieldValue)
{
    // no "g" flag: with it, test() on a regex literal keeps lastIndex between calls
    // and can reject a valid value in the next field
    return  /^[a-z0-9 ]+$/i.test(formFieldValue)
}

String.prototype.trim = function()    
{
    var ar = /^\s*([\s\S]*\S+)\s*$/.exec(this);
    return ar ? ar[1] : "";
}  
function checkString()
{
   document.form.AuthorName.value = document.form.AuthorName.value.trim();
   document.form.AuthorSurname.value = document.form.AuthorSurname.value.trim();
   document.form.BlogTitle.value = document.form.BlogTitle.value.trim();
   document.form.Blog.value = document.form.Blog.value.trim();

 var strval = document.form.AuthorName.value;
  if (!testAlphaNumOnly(strval))
     {
     document.form.AuthorName.focus();
     alert(" Author name is aRequired Field & ONLY Aplhanumeric Entries Allowed")
     return false
     }
     strval = document.form.AuthorSurname.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.AuthorSurname.focus();
          alert("Author Surname is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.BlogTitle.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.BlogTitle.focus();
          alert("Blog Title is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.Blog.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.Blog.focus();
          alert("Blog is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
return true
}
</script>


</head>
<body > 
<noscript>Your browser does not support JavaScript!</noscript>

    <table ALIGN="center" border="0" width="90%">
         <tr>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" alt="add a new blog" align="left"></font></td>
             <td bgcolor="#000000">
             <h1 align="center">BRILLOX WEB-LOG</h1>
             </td>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" align="right" alt="add a new blog"></font></td>
         </tr>
     </table>

     <table align="center" border="1" width="90%">
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h1 align="center">YOU ARE IN &quot;<font color="#FFFF00">ADD A NEW BLOG</font>&quot;
             SECTION</h1>
             </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h2><font color="#FFFFFF">(Fill in all the form and click on
             submit)</font></h2>
             </td>
         </tr>
             <tr>
             <td bgcolor="#C0C0C0" nowrap valign="top" align="left">
      <p><font size="4" color="#800000">NAVIGATION</font></p>
             
             
      <p><a title="back to the home page" href="index.htm"> Home page</a></p>
      <p><a title="Show all Blogs" href="blogs.asp">Show all Blogs</a></p>
             
             <p>Add Blog</p>
             <p><a title="Add a comment" href="CommentSelect.asp">Add a Comment</a></p>
             <p><a title="Administration area" href="loginAdmin.htm">Admin area</a></p>
             
             <p><a title="Contact us info" href="contactInfo.htm">contact us </a></p>
             
             <p><a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">email us</a></p>
             
             </td>
             
             <td align="left" valign="top" bgcolor="#FFFFFF" width="81%">
      <form name="form"  method=post action="AddOneBlog.asp" onsubmit ="return checkString();">                  

                       <table border="1" width="100%" bordercolor="#000000" >
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Name: </td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorName" maxlength="50" size="30"></td>
                    </tr>
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Surname:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorSurname" maxlength="50" size="30"></td>
                    </tr>
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog Title:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="BlogTitle" maxlength="50" size="30"></td>
                    </tr>
                   
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog:</td>
                        <td bgcolor="#C0C0C0"> <textarea name="Blog" rows="4" cols="50"></textarea></td>
                    </tr>
                   
                   
                    </table>
               
        <p align="center">
          <input type="submit" name="Submit Form" value="Submit">&nbsp;&nbsp;&nbsp;
                <input type="reset" name=" Reset Form" value="Reset">
                         </p>
                         
                         
                         </form>
                         </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#C0C0C0">Webmaster: Massimo Brillante :
             <font color="#FFFFFF">&nbsp;<a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">mbrillante@computing.dundee.ac.uk</a></font></td>
         </tr>
     </table>

</body>
</html>
0
 

Author Comment

by:brillox
ID: 13811328
What do you think... Obviously this is thanks to another member of this beautiful website
0
 
LVL 14

Accepted Solution

by:
kiddanger earned 2000 total points
ID: 13814241
I haven't tested this so save your old page before trying this:

<%@language="VBScript"%>
<%
Option Explicit
Response.Buffer = True

' True when the string holds at least one word character (letter, digit
' or underscore); an entry made only of spaces or punctuation fails.
function isvalid(str)
  dim re, result
  set re = new RegExp
  with re
    .Pattern = "\w+"
    .Global = true
    .IgnoreCase = false
  end with
  set result = re.Execute(str)
  if result.count = 0 then
    isvalid = false
  else
    isvalid = true
  end if
end function

Const adOpenKeyset = 1
Const adLockOptimistic = 3

' Append one row to the Blogs table. AddNew/Update never build a SQL
' string, so the values need no apostrophe doubling.
sub saveBlog(aName, aSurname, aTitle, aBlog)
  dim conn, rs, connstr, strSQL
  set conn = Server.CreateObject("ADODB.Connection")
  connstr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("/brillox/db/blog.mdb")
  conn.Open connstr
  set rs = Server.CreateObject("ADODB.Recordset")
  strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"
  rs.Open strSQL, conn, adOpenKeyset, adLockOptimistic
  rs.AddNew
  rs.Fields("AuthorName").Value = aName
  rs.Fields("AuthorSurname").Value = aSurname
  rs.Fields("BlogTitle").Value = aTitle
  rs.Fields("Blog").Value = aBlog
  rs.Update
  rs.Close
  set rs = nothing
  conn.close
  set conn = nothing
end sub

dim strName, strSurname, strTitle, strBlog
dim vName, vSurname, vTitle, vBlog

' Trim and HTML-encode on the server: this is the check that cannot be
' bypassed by turning JavaScript off or posting the form from elsewhere.
strName = server.HTMLEncode(trim(Request.Form("AuthorName")))
strSurname = server.HTMLEncode(trim(Request.Form("AuthorSurname")))
strTitle = server.HTMLEncode(trim(Request.Form("BlogTitle")))
strBlog = server.HTMLEncode(trim(Request.Form("Blog")))

vName = isvalid(strName)
vSurname = isvalid(strSurname)
vTitle = isvalid(strTitle)
vBlog = isvalid(strBlog)
%>
<html>
<head>
<title>Blog added, Thank you</title>
<link rel="stylesheet" type="text/css" href="pageStyle.css">
</head>
<body topmargin="200">
<%
  if strName = "" or strSurname = "" or strTitle = "" or strBlog = "" then
    with Response
      .Write "Fields cannot be blank..."
      .Write "<a href='http://www45.brinkster.com/brillox/AddBlog.htm'>continue</a>"
    end with
  elseif vName = false or vSurname = false or vTitle = false or vBlog = false then
    with Response
      .Write "One or more fields have invalid characters..." & vbCrLf
      .Write "<a href='http://www45.brinkster.com/brillox/AddBlog.htm'>continue</a>"
    end with
  else
    ' everything is ok: store the entry first, then confirm
    saveBlog strName, strSurname, strTitle, strBlog
    with Response
      .Write "Thank you for blogging..." & vbCrLf
      .Write "<h1 align=""center""><font size=""5""><b>BRILLOXWEBLOG</b></font></h1>"
      .Write "<p align=""center""><b><font size=""4"" color=""#FFFF00"">Blog added, thanks</font></b></p>"
      .Write "<p align=""center""><a href=""AddBlog.htm"" title=""Add a new Blog"">Add a new Blog</a><br /><br />"
      .Write "<a href=""blogs.asp"" title=""Show all Blogs"">Show all blogs</a></p>"
    end with
  end if
%>
</body>
</html>
0
 

Author Comment

by:brillox
ID: 13814388
Hi Kiddanger,

I really appreciate your answer and I now realize how it would be easier to have the DB ASP code in the same page as the form (at University I am told to split it into 2 pages...)

I think that I solved my problem ( I also added a redirection in case of javascript switched off).

However, I'll keep your code and if I find ANOTHER EMPTY BLOG, I will test your code.

For the effort that you made in writing the WHOLE code, I'll give you my points.

Thanks very much !!
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13814643
Thank you Brillox.  BTW I can still make blank entries.  You have to control this on the server-side.  I can always beat client-side scripting, including META REFRESH.  (O:=

0
 

Author Comment

by:brillox
ID: 13815059
Thank God that it is you that added the blank entry... I was ready to go to Uni and have a fight with the guy (I know who it is) that added empty blogs without writing how he made it...

Last question: I heard about invisible characters that could be added with JavaScript on. Do you think that this is my case and if so which are the blank characters??

BTW did you add empty blogs with JavaScript off?? (I hope)
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13818789
The regular expression in the VB server side should filter out all bogus characters.

Michel
0
 

Author Comment

by:brillox
ID: 13818885
thanks mplungjan,

If I receive any other empty blogs I will post another HELP appeal here. Thanks to all of you

Massimo
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13819827
I actually entered the blank entries with javascript on and off.  You just have more open than you realize.  Perhaps your ghost blogger is not aware of all that can be done and that's a good thing.  Unless you've changed your server-side you're probably also open to SQL injection.
0
 

Author Comment

by:brillox
ID: 13819917
so kiddanger,

Sorry kiddanger, I did not understand what you really mean... (not because you are not clear, but because my English is not so good) can you please explain it to me?

Do you mean that I am still open to EMPTY BLOGS??

I do not want to change all my code again, but I really would like to be ghost-blogger proof
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13821573
My Italian is not that good, so bear with me.

I actually entered the blank entries with JavaScript on and off. You just have more open than you realize. Perhaps your ghost blogger is not aware of all that can be done and that's a good thing. Unless you change your server side you are probably also open to SQL injection.

Now I am using an XSS (cross site scripting) attack to make the blank entries.
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13821952
I just repeated what I already said in the previous comment and to tell him I was using cross site scripting to make the blank entries.  I'll post English and Italian then if he has trouble understanding what I'm saying anymore.
0
 

Author Comment

by:brillox
ID: 13822869
All my compliments for your ITALIAN kiddanger, however I do not have any empty blog

http://www45.brinkster.com/brillox/blogs.asp

and btw what can I do to defend my blog from SQL injection (which I do not know what they are!!)?

I realized that my problem is not the English, it is that I do not have a clou ( clou ??) about what you guys are talking about...

SQL injection... cross site scripting...

for me it is abstarct
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13823543
Clue, abstract ;)

What the Kid means is if you are too permissive or use to evaluate the statements, you can get statements like
 ' INSERT "CRAP" INTO ALL FIELDS WHERE NAME="Massimo"

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html
0
 

Author Comment

by:brillox
ID: 13823599
Ok ....

but I am still totally confused. Please bear in mind that I just STARTED to program and what is very easy for you to understand is quite hard for me, therefore can you provide an example of what I should change in my code for this matter. This is not for me to copy and paste into my code, but for me to study your solution and understand what it does.
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 13823866
Looking at your code I do not see great risks. Perhaps Kid can
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13826496
brillox...

If you have not modified your server-side code, then you still have issues.  You never said if you changed it since this started.  You have been more concerned with the client-side which in my view is useless re: security.  Client-side validation is only to save some hits on the server, so it's for performance reasons.

You are now not allowing javascript to be disabled, ON your site.  However, if the form is not submitted from your site, then there's nothing you can do about it.  That's why client-side script is pointless when it comes to security.

You must cleanse the input data and you must do bounds checking and verification on the server-side to be successful.  If you show your latest server-side I can point out what I see.  I have already offered you server-side script but I have no idea what you're currently using.  If you stated you have changed it, I missed it.
0
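The server-side rule kiddanger describes (cleanse the input, bounds-check it, never rely on the client) as an added example that is not code from the thread, written in JavaScript so it runs under Node rather than classic ASP. It also covers the earlier question about invisible characters: it goes beyond the thread's regex by stripping zero-width characters that a plain trim leaves in place. The field names and the 50-character limit come from the form posted above; the 4000-character limit for Blog and the blank/invisible sample inputs are assumptions constructed for the example.

```javascript
// Added example, not from the thread: server-side validation for the AddBlog
// form. Field names and the 50-char limit come from the form; the 4000-char
// limit for Blog is an assumption (the textarea has no maxlength).

// Zero-width characters and exotic spaces that look blank on the page but
// survive a plain Trim(); mapped to a normal space, then trimmed away.
const INVISIBLE = /[\u00A0\u200B-\u200D\u2060\u202F\u3000\uFEFF]/g;

// Canonicalise one field: neutralise invisible characters and trim the ends.
// Spaces between words are kept, so "blabla   blabla" stays as typed.
function normalizeField(value) {
  return String(value == null ? "" : value).replace(INVISIBLE, " ").trim();
}

// Same rule the client enforces (letters, digits, spaces) plus a length
// bound, so maxlength="50" is enforced on the server as well.
// Returns null when the field is acceptable, otherwise an error message.
function validateField(name, value, maxLen) {
  const v = normalizeField(value);
  if (v === "") return `${name} cannot be blank`;
  if (v.length > maxLen) return `${name} is longer than ${maxLen} characters`;
  if (!/^[a-z0-9 ]+$/i.test(v)) {
    return `${name} may only contain letters, digits and spaces`;
  }
  return null;
}

// Validate a whole submission (an object shaped like Request.Form).
// Returns { ok, errors, fields }; fields holds the cleaned values to store.
function validateBlogForm(form) {
  const limits = { AuthorName: 50, AuthorSurname: 50, BlogTitle: 50, Blog: 4000 };
  const errors = [];
  const fields = {};
  for (const [name, maxLen] of Object.entries(limits)) {
    const err = validateField(name, form[name], maxLen);
    if (err) errors.push(err);
    else fields[name] = normalizeField(form[name]);
  }
  return { ok: errors.length === 0, errors, fields };
}

// Constructed samples: a normal post, and a "blank" post built from
// no-break spaces, a zero-width space, plain spaces and a BOM.
const samples = [
  { AuthorName: "Massimo", AuthorSurname: "Brillante", BlogTitle: "Hello", Blog: "blabla   blabla" },
  { AuthorName: "\u00A0\u00A0", AuthorSurname: "\u200B", BlogTitle: "   ", Blog: "\uFEFF" },
];
for (const s of samples) console.log(JSON.stringify(validateBlogForm(s)));
```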
 

Author Comment

by:brillox
ID: 13826901
Hi Kiddanger,

No I did not use your code yet..... I am revising for 3 exams within the next 2 weeks and I stopped bothering about the weblog, however I am more than happy to have your help. Do you want me to copy and paste the code of the addblogform.htm and addblog.ASP?

BTW is there a way to attach files here instead of pasting them??
0
 

Author Comment

by:brillox
ID: 13826911
PS if you want to chat with me I am on MSN messenger  [*** email removed *** EE Page editor]
0
 

Author Comment

by:brillox
ID: 13826965
On top of this please note that we had ONLY 3 lessons in ASP at UNI and I am not supposed to know all this.

What I mean is that the weblog is a coursework and I am supposed to know what my code does.... If I use something that I do not understand I feel like I just copy and paste (and this is not my target).

I appreciate your concern, and I know that the ghost blogger is more advanced than me (he started to program when he was 14...) I started last year!!  There are SO MANY things to learn that sometimes I do not know where to concentrate.
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13831270
brillox...

Just so you know.  It's not a good idea to put your email address on the web anywhere.  It will increase the amount of spam you get.  I'll help you get your site secured.  Just let me know when you're ready.  I'm going to give you some links to articles that you should read that will show you what can be done and what to do to protect yourself.  It won't show you how but I can do that.

Your blog pest may have started when he was 14 but I started before MSFT existed.  We might have a slight edge.
0
 

Author Comment

by:brillox
ID: 13831531
thanks kiddanger...

I am ready now...

however the email above  is the uni email (their server can get some spam (they deserve that...))
0
 
LVL 14

Expert Comment

by:kiddanger
ID: 13903675
brillox...

I didn't grab the email when you listed it so I made a simple form where you can submit your name and email so I can contact you.

http://kiddanger.com/asp/contacts.asp

It doesn't notify me yet if an entry has been made so you will have to let me know here for now.
0
 

Author Comment

by:brillox
ID: 13903747
Thanks kiddanger,

I submitted the form with my email address

Massimo
0
