brillox


form validation blank space

Hi, please can anyone visit this link (it is for a university coursework) and let me know how, after JavaScript validation, someone is still able to add empty blogs?

Basically I do not want empty blogs, but in the blog section I must accept white spaces between words (e.g.: blabla   blabla)

Please note that I am a beginner and therefore I need a step by step example.

Please HELP I am having a war with an unknown user...

the link is: http://www45.brinkster.com/brillox/blogs.asp

please help me to win this war !!
Michel Plungjan

Service Unavailable

But you really need to test in your ASP too, since anyone can turn JS off or copy the form to another page and remove the JavaScript.
brillox

ASKER

How ?

Please give me a suggestion
first I would use
function checkString(theForm) {
  var strval = theForm.GuestName.value;
  if (!testAlphaNumOnly(strval)) {
    alert("Guest Name is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestName.focus();
    return false
  }
  strval = theForm.GuestSurname.value;
  if (!testAlphaNumOnly(strval)) {
    alert("Guest Surname is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestSurname.focus();
    return false
  }
  strval = theForm.Comment.value;
  if (!testAlphaNumOnly(strval)) {
    alert("Comment is a required field & ONLY alphanumeric entries allowed")
    theForm.Comment.focus();
    return false
  }
  return true
}

and
<form .... onsubmit ="return checkString(this)">

notice the "this"

then in my asp I would do something like

<%
errorText = ""  ' no semicolon in VBScript
If Trim(Request.Form("GuestName")) = "" THEN
  errorText = "Please enter a valid guest name"
Elseif Trim(Request.Form("GuestSurname")) = "" THEN
  errorText = "Please enter a valid guest surname"
Elseif Trim(Request.Form("Comment")) = "" THEN
  errorText= "Please enter a Comment"
End if

If errorText = "" THEN saveForm.....
%>
brillox

ASKER

thanks mplungjan.

Below is my ASP code, can you please show me where you would add your ASP code?

<%@language="VBScript"%>
 
<html>

<head>
<title>Blog added, Thank you</title>
<link rel="stylesheet" type="text/css" href="pageStyle.css">
</head>

<body topmargin="200">
                  <!--start of ASP code-->

           <%
                        Dim myDB, sRootPath, sPath, sProvider

                              Set myDB = Server.CreateObject("ADODB.Connection")
                              
                              'open the database
                              sProvider = "Provider=Microsoft.Jet.OLEDB.4.0;"
                              sRootPath = Server.MapPath("\brillox\db")
                              sPath = "Data Source=" & sRootPath & "\Blog.mdb;"
                              myDB.Open sProvider & sPath
                              
                              Const adOpenKeyset = 1
                              Const adLockOptimistic = 3

                              Dim rsAddBlog
                              Set rsAddBlog = Server.CreateObject("ADODB.Recordset")
           
                    'Initialise the strSQL variable with an SQL statement to query the database with
                    strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"
                              
                              'Open the recordset with the SQL query
                    rsAddBlog.Open strSQL, myDB, adOpenKeyset, adLockOptimistic
                   
                    'Tell the recordset we are adding a new record to it
                              rsAddBlog.AddNew
                              
                              'Add a new record to the recordset
                              rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
                              rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
                              rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
                              rsAddBlog.Fields("Blog") = Request.Form("Blog")
                                                                         
                           'Write the updated recordset to the database
                               rsAddBlog.Update
                              
                    'Reset server variables
                       rsAddBlog.Close
                       Set rsAddBlog = Nothing
                       myDB.close
                       Set myDB = Nothing
                      
                       'Redirect to the AddBlog.htm page
                               'Response.Redirect "AddBlog.htm"
                              

            %>
            <!--END of ASP code-->
           
            <!-- start of few html line of code for page links-->
            <h1 align="center"><font size="5"><b>BRILLOXWEBLOG</b></font></h1>
            <p align="center"><b><font size="4" color="#FFFF00">Blog added, thanks</font></b></p>
            <p align="center"><a title="Add a new Blog" href="AddBlog.htm">Add a new Blog</a><br><br>
            <a title="Show all Blogs" href="Blogs.asp">show all blogs</a></p>

</body>
</html>
            
brillox

ASKER

I also noticed that regardless of my above code, someone is still able to add empty blogs. Is this because they switch off the JavaScript in some way or what? I am going mad trying to stop people adding empty blogs. They try everything: tab, space, <br>, &nbsp; etc etc
Does not look like we have the same field names...
        <!--start of ASP code-->

           <%
                      Dim myDB, sRootPath, sPath, sProvider, testFields
                      ' VBScript needs a trailing " _" to continue a statement on the next line
                      If Trim(Request.Form("AuthorName")) = "" OR _
                         Trim(Request.Form("AuthorSurname")) = "" OR _
                         Trim(Request.Form("BlogTitle")) = "" OR _
                         Trim(Request.Form("Blog")) = "" THEN
                             Response.Redirect "AddBlog.htm" ' or error page or show the form with errors
                      Else
                          Set myDB = Server.CreateObject("ADODB.Connection")
                          .
                          .
                          .
                      End If
            %>
            <!--END of ASP code-->  
brillox

ASKER

Thanks mplungjan..

Do you have any idea how (at the moment) users are still able to enter blank blogs? I tried myself and if I hit the tab or the enter keys or leave the fields blank, the validation works. How does this user manage to add a new blog? He claims that he has the "POWER" and I hate that...

any idea ... ????
brillox

ASKER

Hi mplungjan, I updated the code as below, but it doesn't work... now when I press submit without adding any value, the form is accepted.

<script language="javascript">
function testAlphaNumOnly(formFIeldValue)
{
    return       /[a-z0-9]/gi.test(formFIeldValue)
}
function checkString(theForm)
{
  var strval = theForm.GuestName.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Guest Name is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestName.focus();
    return false
  }
  strval = theForm.GuestSurname.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Guest Surname is a required field & ONLY alphanumeric entries allowed")
    theForm.GuestSurname.focus();
    return false
  }
  strval = theForm.BlogTitle.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Blog Title is a Required Field and tab space or blank space are NOT allowed")
    theForm.BlogTitle.focus();   // was "theform": JavaScript identifiers are case-sensitive
    return false
  }
  strval = theForm.Comment.value;
  if (!testAlphaNumOnly(strval))
  {
    alert("Comment is a required field & ONLY alphanumeric entries allowed")
    theForm.Comment.focus();
    return false
  }
  return true
}
</script>


.....
<form name="theForm"  method=post action="AddOneBlog.asp" onsubmit ="return checkString(this)">
brillox

ASKER

I also added your code in the ASP page as follows... but it doesn't work... what am I doing wrong??

<!--start of ASP code-->

           <%
                     Dim myDB, sRootPath, sPath, sProvider, testFields
                      ' VBScript needs a trailing " _" to continue a statement on the next line
                      If Trim(Request.Form("AuthorName")) = "" OR _
                         Trim(Request.Form("AuthorSurname")) = "" OR _
                         Trim(Request.Form("BlogTitle")) = "" OR _
                         Trim(Request.Form("Blog")) = "" THEN
                             Response.Redirect "AddBlog.htm" ' or error page or show the form with errors
                      Else


                              Set myDB = Server.CreateObject("ADODB.Connection")
                              
                              'open the database
                              sProvider = "Provider=Microsoft.Jet.OLEDB.4.0;"
                              sRootPath = Server.MapPath("\brillox\db")
                              sPath = "Data Source=" & sRootPath & "\Blog.mdb;"
                              myDB.Open sProvider & sPath
                              
                              Const adOpenKeyset = 1
                              Const adLockOptimistic = 3

                              Dim rsAddBlog
                              Set rsAddBlog = Server.CreateObject("ADODB.Recordset")
           
                    'Initialise the strSQL variable with an SQL statement to query the database with
                    strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"
                              
                              'Open the recordset with the SQL query
                    rsAddBlog.Open strSQL, myDB, adOpenKeyset, adLockOptimistic
                   
                    'Tell the recordset we are adding a new record to it
                              rsAddBlog.AddNew
                              
                              'Add a new record to the recordset
                              rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
                              rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
                              rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
                              rsAddBlog.Fields("Blog") = Request.Form("Blog")
                                                                         
                           'Write the updated recordset to the database
                               rsAddBlog.Update
                              
                    'Reset server variables
                       rsAddBlog.Close
                       Set rsAddBlog = Nothing
                       myDB.close
                       Set myDB = Nothing
                      
                       'Redirect to the AddBlog.htm page
                               'Response.Redirect "AddBlog.htm"
                               End If
                              
                              

            %>
            <!--END of ASP code-->
Do you have it online somewhere?

And what does your ASP log tell you goes wrong? I am NOT an ASP programmer, so whatever I did in ASP was for you to correct.
You're not checking for invalid characters or only accepting valid ones. You're only testing if the field is blank, and an invisible character will not show but the field will not be blank.

First thing to do is encode the input so invisible characters are easily manipulated if you want to check for invalid characters.

This is very bad for security reasons:

rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
rsAddBlog.Fields("Blog") = Request.Form("Blog")

BTW... I turned off JavaScript and tested your form and you now have another empty blog entry. (O:=
So, now let's try to fix it.

See if you can get this to fail:
I tested it with JavaScript enabled and disabled, but I haven't completely looked at SQL injection, although currently it's not tied to a database.
http://kiddanger.com/lab/validcharacters.asp
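The point above about invisible characters, worked through as an added JavaScript example (this is not kiddanger's or brillox's code). A field is treated as blank only when, after decoding the HTML entities a browser shows as whitespace, dropping tags such as `<br>`, and collapsing every kind of Unicode whitespace, nothing printable is left; the thread's own letters-digits-spaces rule is then applied and the four fields are checked in the same first-error-wins order as the ASP answer earlier in the thread. The field names are the form's; the entity list, the messages and the sample submissions are assumptions constructed for the example. The same check has to run on the server, because the copy in the browser is the one a user can switch off.

```javascript
// Added example (not code from the thread): the server-side blank check the
// discussion calls for. Field names AuthorName, AuthorSurname, BlogTitle and
// Blog are the form's; the entity list and messages are assumptions.

// Entities a browser renders as nothing or as whitespace (assumed list).
var BLANK_ENTITIES = {
  "&nbsp;": "\u00a0", "&#160;": "\u00a0", "&#xa0;": "\u00a0",
  "&#9;": "\t", "&#10;": "\n", "&#13;": "\r",
  "&ensp;": "\u2002", "&emsp;": "\u2003", "&thinsp;": "\u2009",
  "&zwnj;": "\u200c", "&zwj;": "\u200d"
};

// Every code point treated as whitespace: ASCII, NBSP, the Unicode space
// block, zero-width characters and the byte-order mark.
var WHITESPACE = /[\s\u00a0\u1680\u2000-\u200d\u2028\u2029\u202f\u205f\u3000\ufeff]+/g;

// Decode the whitespace-like entities, drop tags such as <br> or <p></p>,
// collapse every whitespace run to one space and trim the ends.
function normalizeField(raw) {
  var s = String(raw == null ? "" : raw);
  s = s.replace(/&(#x?[0-9a-f]+|[a-z]+);/gi, function (entity) {
    var key = entity.toLowerCase();
    return Object.prototype.hasOwnProperty.call(BLANK_ENTITIES, key)
      ? BLANK_ENTITIES[key] : entity;
  });
  s = s.replace(/<[^>]*>/g, " ");
  return s.replace(WHITESPACE, " ").trim();
}

// "Blank" means nothing printable survives normalisation.
function isBlank(raw) {
  return normalizeField(raw) === "";
}

// The thread's own rule: letters, digits and spaces between words only.
// No "g" flag: a global regex reused with test() remembers lastIndex.
function isAlphaNumWithSpaces(raw) {
  var s = normalizeField(raw);
  return s !== "" && /^[a-z0-9 ]+$/i.test(s);
}

// Same shape as the errorText logic in the ASP answer: the first failing
// field decides, and an empty string means the post may be saved.
function validateBlogPost(form) {
  var fields = [
    ["AuthorName", "Please enter a valid author name"],
    ["AuthorSurname", "Please enter a valid author surname"],
    ["BlogTitle", "Please enter a valid blog title"],
    ["Blog", "Please enter a blog"]
  ];
  for (var i = 0; i < fields.length; i++) {
    if (!isAlphaNumWithSpaces(form[fields[i][0]])) {
      return fields[i][1];
    }
  }
  return "";
}

// Constructed sample submissions: a genuine post, the "&nbsp; / <br> / tab"
// tricks mentioned in the thread, and a blog body that is only markup.
var SAMPLES = {
  legit: { AuthorName: "Massimo", AuthorSurname: "Brillante",
           BlogTitle: "Hello", Blog: "blabla   blabla" },
  tricks: { AuthorName: "&nbsp;", AuthorSurname: "\u00a0",
            BlogTitle: "<br>", Blog: "\t\n" },
  markup: { AuthorName: "Massimo", AuthorSurname: "Brillante",
            BlogTitle: "Hello", Blog: "<p>&nbsp;</p><br />" }
};

// Stand-alone run: prints the verdict for each sample.
Object.keys(SAMPLES).forEach(function (name) {
  console.log(name + ": " + (validateBlogPost(SAMPLES[name]) || "ok"));
});
```

In the ASP page the equivalent check belongs before `rsAddBlog.AddNew`. `Trim` on its own, as used earlier in the thread, only strips ordinary spaces, so the entity, tag and non-breaking-space replacements have to happen first; otherwise a field holding just `&nbsp;` is stored as a non-empty blog, which is exactly what the empty entries in the thread look like.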

brillox

ASKER

Hi mplungjan,

you can see the web at http://www45.brinkster.com/brillox/blogs.asp

however now I uploaded the old version of the data validation (but apparently it does not work with JavaScript disabled). With your code, I didn't have any error, the form was just accepted with all the fields blank.

brillox

ASKER

Hi Kiddanger,

I appreciate your help; at the moment I changed my table in the Access database and now the blog fields are required and null values are not accepted, therefore also with JavaScript disabled blank blogs are not accepted. However in this case I receive one of these horrible error messages from the Access database.

I know that I can use a try catch, but because I am new to this kind of things I do not know exactly how to personalize it. Above you will find a copy of my code. Do you think that this will be a good solution?
The link does not provide your code, only the client-side can be seen. It helps when you show the error. Have you tested the link I provided to see if you can make it fail? I'll see if I can enter another blank entry in your blog.

The error you're getting is a JavaScript error, line 17.
BTW...  You shouldn't post that you've solved the issue until this is actually fixed.  I just made another blank entry.  (O:=  You must have posted right after mine.
Just to make sure you were posting when I did, since you don't show the time posted, I tried again.  You now have two blank entries.
brillox

ASKER

You are right !!

but if I try to add an empty blog I get this (after changing the Access DB table)

Microsoft JET Database Engine error '80040e21'

Field 'Blogs.AuthorName' cannot be a zero-length string.

/brillox/AddOneBlog.asp, line 46

So how are you able to add a new blog?
brillox

ASKER

By the way..

 I cancell empty blogs ( I can accept that the user that I am in war with see another EMPTY BLOG!!)

Please help
brillox

ASKER

I tested your link and it works, but to be really honest... I do not know how to adapt it to my code... I am a very very beginner !!
brillox

ASKER

typos... " I cancelled empty blogs ( I can NOT accept...."
brillox

ASKER

Basically (kiddanger) what I do not understand of your code (form) is
 document.getElementById (where does "ById" come from?)

and the way that you design text fields (it looks like it is not really HTML).
Please note that this means that it is me who does not understand, not that your code is not clear.
No need to change your script to use document.getElementById; it will fail in older browsers.

You need to remove the extra
<script language="javascript">


you have in front of
String.prototype.trim = function()

I get
Error: syntax error
Source File: http://www45.brinkster.com/brillox/AddBlog.htm
Line: 18
Source Code:
<script language="javascript">
brillox...

You're not looking at my server-side code. Don't worry about the JavaScript. That's just there to keep the server from taking hits. You still have to validate on the server-side. I'm going to make my server-side code available so you can see it. All I'm doing is validating the database because the connection to the database, which I don't have in my code. I used FF and turned off JavaScript and tested it the same way I'm able to put blank entries in your blog and it fails on mine, which is what we want.

Ok, go back here:
http://kiddanger.com/lab/ss_validcharacters.asp

There is a link at the bottom on the left to view the source.
Sorry.. that's a direct link.
http://kiddanger.com/lab/validcharacters.asp is the form.  The other link just saves a step.
brillox

ASKER

OK Kiddanger, but do I have to change my form design to yours (code below)?

<form name="blogform" method="post" action="" onsubmit="return isvalid()">
 <table>
 <tr><td class="labels">First Name:</td><td class="values"><input id="blogFirst" name="blogFirst" type="text" value="<%=strFirst%>" /></td></tr>
 <tr><td class="labels">Last Name:</td><td class="values"><input id="blogLast" name="blogLast" type="text" value="<%=strLast%>" /></td></tr>
 <tr><td class="labels">Subject:</td><td class="values"><input id="blogSubject" name="blogSubject" type="text" value="<%=strSubject%>" /></td></tr>
 <tr><td class="labels">Blog:</td><td class="values"><textarea id="blogText" name="blogText" rows="5" cols="40"><%=strText%></textarea></td></tr>
 <input name="postback" type="hidden" value="postback" />
 <tr><td></td><td><input type="submit" value="Blog" /><input type="reset" /></td></tr>
 </table>
 </form>

THIS IS MY FORM..

<form name="form"  method=post action="AddOneBlog.asp" onsubmit ="return checkString();">                  

                       <table border="1" width="100%" bordercolor="#000000" >
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Name: </td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorName" maxlength="50" size="30"></td>
                    </tr>
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Surname:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorSurname" maxlength="50" size="30"></td>
                    </tr>
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog Title:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="BlogTitle" maxlength="50" size="30"></td>
                    </tr>
                   
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog:</td>
                        <td bgcolor="#C0C0C0"><textarea name="Blog" rows="4" cols="50"></textarea></td> <!-- no space inside the textarea: it would be submitted as the field's value -->
                    </tr>
                   
                   
                    </table>
               
        <p align="center">
          <input type="submit" name="Submit Form" value="Submit">&nbsp;&nbsp;&nbsp;
                <input type="reset" name=" Reset Form" value="Reset">
                         </p>
                         
                         
                         </form>
brillox

ASKER

GUYS I AM TOTALLY CONFUSED NOW!!

I really need examples with my code. I apologize, but for me as a beginner it is very hard to adapt someone else's code.. can any of you give a working example with my code?
brillox

ASKER

THANKS MPLUNGJAN !!

I could not believe that I had <script language="javascript"> two times.
At least now the code is working... but the question is always.. WHAT IF JAVASCRIPT IS TURNED OFF ?

and for this I need a clear example with my code, therefore below is the LAST VERSION of the code at the moment;

THIS IS THE CODE OF  http://www45.brinkster.com/brillox/AddBlog.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>
<head>
<title> Add a new blog</title>
<meta name="keywords" content=" weblog, Dundee University log, Dundee blog, students blogs">
<meta name="description" content=" this is Massimo Brillante weblog assignment for Dundee University 2nd year">
<meta name="author" content=" Massimo Brillante">
<meta name="copyright" content="Copyright © 2005-2010 Massimo Brillante and ... All Rights Reserved">
<link rel="stylesheet" type="text/css" href="pageStyle.css">

<script language="javascript">

function testAlphaNumOnly(formFieldValue)
{
    // no "g" flag: a global regex reused with test() keeps lastIndex between calls
    return  /^[a-z0-9 ]+$/i.test(formFieldValue)
}

String.prototype.trim = function()
{
var ar; // declared locally instead of leaking a global
return( (ar=/^\s*([\s\S]*\S+)\s*$/.exec(this)) ? ar[1] : "" );
}
function checkString()
{
   document.form.AuthorName.value = document.form.AuthorName.value.trim();
   document.form.AuthorSurname.value = document.form.AuthorSurname.value.trim();
   document.form.BlogTitle.value = document.form.BlogTitle.value.trim();
   document.form.Blog.value = document.form.Blog.value.trim();

 var strval = document.form.AuthorName.value;
  if (!testAlphaNumOnly(strval))
     {
     document.form.AuthorName.focus();
     alert(" Author name is aRequired Field & ONLY Aplhanumeric Entries Allowed")
     return false
     }
     strval = document.form.AuthorSurname.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.AuthorSurname.focus();
          alert("Author Surname is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.BlogTitle.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.BlogTitle.focus();
          alert("Blog Title is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.Blog.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.Blog.focus();
          alert("Blog is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
return true
}
</script>


</head>
<body > 
<noscript>Your browser does not support JavaScript!</noscript>

    <table ALIGN="center" border="0" width="90%">
         <tr>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" alt="add a new blog" align="left"></font></td>
             <td bgcolor="#000000">
             <h1 align="center">BRILLOX WEB-LOG</h1>
             </td>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" align="right" alt="add a new blog"></font></td>
         </tr>
     </table>

     <table align="center" border="1" width="90%">
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h1 align="center">YOU ARE IN &quot;<font color="#FFFF00">ADD A NEW BLOG</font>&quot;
             SECTION</h1>
             </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h2><font color="#FFFFFF">(Fill in all the form and click on
             submit)</font></h2>
             </td>
         </tr>
             <tr>
             <td bgcolor="#C0C0C0" nowrap valign="top" align="left">
      <p><font size="4" color="#800000">NAVIGATION</font></p>
             
             
      <p><a title="back to the home page" href="index.htm"> Home page</a></p>
      <p><a title="Show all Blogs" href="blogs.asp">Show all Blogs</a></p>
             
             <p>Add Blog</p>
             <p><a title="Add a comment" href="CommentSelect.asp">Add a Comment</a></p>
             <p><a title="Administration area" href="loginAdmin.htm">Admin area</a></p>
             
             <p><a title="Contact us info" href="contactInfo.htm">contact us </a></p>
             
             <p><a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">email us</a></p>
             
             </td>
             
             <td align="left" valign="top" bgcolor="#FFFFFF" width="81%">
      <form name="form"  method=post action="AddOneBlog.asp" onsubmit ="return checkString();">                  

                       <table border="1" width="100%" bordercolor="#000000" >
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Name: </td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorName" maxlength="50" size="30"></td>
                    </tr>
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Surname:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorSurname" maxlength="50" size="30"></td>
                    </tr>
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog Title:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="BlogTitle" maxlength="50" size="30"></td>
                    </tr>
                   
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog:</td>
                        <td bgcolor="#C0C0C0"><textarea name="Blog" rows="4" cols="50"></textarea></td> <!-- no space inside the textarea: it would be submitted as the field's value -->
                    </tr>
                   
                   
                    </table>
               
        <p align="center">
          <input type="submit" name="Submit Form" value="Submit">&nbsp;&nbsp;&nbsp;
                <input type="reset" name=" Reset Form" value="Reset">
                         </p>
                         
                         
                         </form>
                         </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#C0C0C0">Webmaster: Massimo Brillante :
             <font color="#FFFFFF">&nbsp;<a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">mbrillante@computing.dundee.ac.uk</a></font></td>
         </tr>
     </table>

</body>
</html>
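One caveat on the regular expression used by `testAlphaNumOnly` in the page above, shown as an added example that is not part of the original post. Under ECMAScript 3, which the browsers of the time implemented, a regex literal is compiled once and the same object is returned on every evaluation; with the `g` flag, `test()` then resumes from `lastIndex`, so a field that passes can make the next field fail. Node creates a fresh object per evaluation, so the example hoists the two patterns into variables to reproduce the shared-object case. The patterns are the page's own; the hoisting, the field values and the function names are assumptions for the example.

```javascript
// Added example (not from the thread): the g-flag pitfall in
// /^[a-z0-9 ]+$/gi. Node builds a fresh RegExp for every evaluation of a
// literal, so the two objects are hoisted here to reproduce the behaviour
// of an engine that compiles the literal once and reuses it.
var sharedWithG = /^[a-z0-9 ]+$/gi;  // the page's pattern, with g
var sharedNoG   = /^[a-z0-9 ]+$/i;   // same pattern, g removed

// Run one RegExp object over several fields in turn, the way checkString
// does, and collect the verdicts.
function checkFields(re, values) {
  var verdicts = [];
  for (var i = 0; i < values.length; i++) {
    verdicts.push(re.test(values[i]));
  }
  return verdicts;
}

// Constructed form values; all four satisfy the pattern.
var FIELDS = ["Massimo", "Brillante", "Hello", "blabla   blabla"];

// With g, a successful test() leaves lastIndex at the end of the match and
// the next test() starts there; "^" can no longer match, so every second
// field is rejected: [true, false, true, false].
function verdictsWithG() {
  sharedWithG.lastIndex = 0;
  return checkFields(sharedWithG, FIELDS);
}

// Without g, lastIndex is ignored and every field passes.
function verdictsWithoutG() {
  return checkFields(sharedNoG, FIELDS);
}

// The validator as it should be written: pattern without g, so it behaves
// the same whether or not the engine reuses the RegExp object. Note that
// a string of spaces alone still matches, which is why checkString trims
// each field before calling it.
function testAlphaNumOnlySafe(value) {
  return /^[a-z0-9 ]+$/i.test(String(value));
}

console.log("with g:    " + verdictsWithG().join(", "));
console.log("without g: " + verdictsWithoutG().join(", "));
```

The second assertion-worthy detail is that `[a-z0-9 ]+` accepts a value made only of spaces; the `trim()` calls at the top of `checkString` are what turns such a value into the empty string that the pattern rejects, so the trim and the test must stay together.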
brillox

ASKER

AND THIS IS THE CODE OF  http://www45.brinkster.com/brillox/AddOneBlog.asp


 <%@language="VBScript"%>
 
<html>

<head>
<title>Blog added, Thank you</title>
<link rel="stylesheet" type="text/css" href="pageStyle.css">
</head>

<body topmargin="200">
                  <!--start of ASP code-->

           <%
                        Dim myDB, sRootPath, sPath, sProvider

                              Set myDB = Server.CreateObject("ADODB.Connection")
                              
                              'open the database
                              sProvider = "Provider=Microsoft.Jet.OLEDB.4.0;"
                              sRootPath = Server.MapPath("\brillox\db")
                              sPath = "Data Source=" & sRootPath & "\Blog.mdb;"
                              myDB.Open sProvider & sPath
                              
                              Const adOpenKeyset = 1
                              Const adLockOptimistic = 3

                              Dim rsAddBlog
                              Set rsAddBlog = Server.CreateObject("ADODB.Recordset")
           
                    'Initialise the strSQL variable with an SQL statement to query the database with
                    strSQL = "SELECT Blogs.AuthorName, Blogs.AuthorSurname, Blogs.BlogTitle, Blogs.Blog, Blogs.GuestSurname, Blogs.GuestName, Blogs.Comment FROM Blogs"
                              
                              'Open the recordset with the SQL query
                    rsAddBlog.Open strSQL, myDB, adOpenKeyset, adLockOptimistic
                   
                    'Tell the recordset we are adding a new record to it
                              rsAddBlog.AddNew
                              
                              'Add a new record to the recordset
                              rsAddBlog.Fields("AuthorName") = Request.Form("AuthorName")
                              rsAddBlog.Fields("AuthorSurname") = Request.Form("AuthorSurname")
                              rsAddBlog.Fields("BlogTitle") = Request.Form("BlogTitle")
                              rsAddBlog.Fields("Blog") = Request.Form("Blog")
                                                                         
                           'Write the updated recordset to the database
                               rsAddBlog.Update
                              
                    'Reset server variables
                       rsAddBlog.Close
                       Set rsAddBlog = Nothing
                       myDB.close
                       Set myDB = Nothing
                      
                       'Redirect to the AddBlog.htm page
                               'Response.Redirect "AddBlog.htm"
                              

            %>
            <!--END of ASP code-->
           
            <!-- start of few html line of code for page links-->
            <h1 align="center"><font size="5"><b>BRILLOXWEBLOG</b></font></h1>
            <p align="center"><b><font size="4" color="#FFFF00">Blog added, thanks</font></b></p>
            <p align="center"><a title="Add a new Blog" href="AddBlog.htm">Add a new Blog</a><br><br>
            <a title="Show all Blogs" href="Blogs.asp">show all blogs</a></p>

</body>
</html>
            
I will let Kid handle that.
brillox...

I was doing this with one file.  You're doing it with two.  Do you want to keep it as a 2 page process?
brillox

ASKER

The less I have to change, the less mess I'll make !!! (sorry for my English, I am Italian)
brillox

ASKER

However I now have another version of addblog.html.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>
<head>
<title> Add a new blog</title>
<meta name="keywords" content=" weblog, Dundee University log, Dundee blog, students blogs">
<meta name="description" content=" this is Massimo Brillante weblog assignment for Dundee University 2nd year">
<meta name="author" content=" Massimo Brillante">
<meta name="copyright" content="Copyright © 2005-2010 Massimo Brillante and ... All Rights Reserved">
<link rel="stylesheet" type="text/css" href="pageStyle.css">

<script language="javascript">

function testAlphaNumOnly(formFieldValue)
{
    // no "g" flag: a global regex reused with test() keeps lastIndex between calls
    return  /^[a-z0-9 ]+$/i.test(formFieldValue)
}

String.prototype.trim = function()
{
var ar; // declared locally instead of leaking a global
return( (ar=/^\s*([\s\S]*\S+)\s*$/.exec(this)) ? ar[1] : "" );
}
function checkString()
{
   document.form.AuthorName.value = document.form.AuthorName.value.trim();
   document.form.AuthorSurname.value = document.form.AuthorSurname.value.trim();
   document.form.BlogTitle.value = document.form.BlogTitle.value.trim();
   document.form.Blog.value = document.form.Blog.value.trim();

 var strval = document.form.AuthorName.value;
  if (!testAlphaNumOnly(strval))
     {
     document.form.AuthorName.focus();
     alert(" Author name is aRequired Field & ONLY Aplhanumeric Entries Allowed")
     return false
     }
     strval = document.form.AuthorSurname.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.AuthorSurname.focus();
          alert("Author Surname is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.BlogTitle.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.BlogTitle.focus();
          alert("Blog Title is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
     strval = document.form.Blog.value;
       if (!testAlphaNumOnly(strval))
          {
          document.form.Blog.focus();
          alert("Blog is aRequired Field & ONLY Aplhanumeric Entries Allowed")
           return false
          }
return true
}
</script>


</head>
<body > 
<noscript>Your browser does not support JavaScript!</noscript>

    <table ALIGN="center" border="0" width="90%">
         <tr>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" alt="add a new blog" align="left"></font></td>
             <td bgcolor="#000000">
             <h1 align="center">BRILLOX WEB-LOG</h1>
             </td>
             <td bgcolor="#000000"><font color="#FFFFFF">
             <img border="0" src="images/tablet.jpg" width="193" height="160" align="right" alt="add a new blog"></font></td>
         </tr>
     </table>

     <table align="center" border="1" width="90%">
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h1 align="center">YOU ARE IN &quot;<font color="#FFFF00">ADD A NEW BLOG</font>&quot;
             SECTION</h1>
             </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#000000" align="center">
             <h2><font color="#FFFFFF">(Fill in all the form and click on
             submit)</font></h2>
             </td>
         </tr>
             <tr>
             <td bgcolor="#C0C0C0" nowrap valign="top" align="left">
      <p><font size="4" color="#800000">NAVIGATION</font></p>
             
             
      <p><a title="back to the home page" href="index.htm"> Home page</a></p>
      <p><a title="Show all Blogs" href="blogs.asp">Show all Blogs</a></p>
             
             <p>Add Blog</p>
             <p><a title="Add a comment" href="CommentSelect.asp">Add a Comment</a></p>
             <p><a title="Administration area" href="loginAdmin.htm">Admin area</a></p>
             
             <p><a title="Contact us info" href="contactInfo.htm">contact us </a></p>
             
             <p><a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">email us</a></p>
             
             </td>
             
             <td align="left" valign="top" bgcolor="#FFFFFF" width="81%">
      <form name="form"  method=post action="AddOneBlog.asp" onsubmit ="return checkString();">                  

                       <table border="1" width="100%" bordercolor="#000000" >
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Name: </td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorName" maxlength="50" size="30"></td>
                    </tr>
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Author Surname:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="AuthorSurname" maxlength="50" size="30"></td>
                    </tr>
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog Title:</td>
                        <td bgcolor="#C0C0C0">
                        <input type="text" name="BlogTitle" maxlength="50" size="30"></td>
                    </tr>
                   
                   
                    <tr>
                        <td nowrap bgcolor="#C0C0C0">Blog:</td>
                        <td bgcolor="#C0C0C0"> <textarea name="Blog" rows="4" cols="50"> </textarea></td>
                    </tr>
                   
                   
                    </table>
               
        <p align="center">
          <input type="submit" name="Submit Form" value="Submit">&nbsp;&nbsp;&nbsp;
                <input type="reset" name=" Reset Form" value="Reset">
                         </p>
                         
                         
                         </form>
                         </td>
         </tr>
         <tr>
             <td colspan="2" bgcolor="#C0C0C0">Webmaster: Massimo Brillante :
             <font color="#FFFFFF">&nbsp;<a title="EMAIL US NOW" href="mailto:mbrillante@computing.dundee.ac.uk">mbrillante@computing.dundee.ac.uk</a></font></td>
         </tr>
     </table>

</body>
</html>
Avatar of brillox

ASKER

what do you think... Obviously this is thanks to another member of this beautiful website
ASKER CERTIFIED SOLUTION
Avatar of kiddanger
kiddanger
Flag of United States of America image

Avatar of brillox

ASKER

Hi Kiddanger,

I really appreciate your answer and I now realize how it would be easier to have the db ASP code in the same page of the form ( at University where I am suggested to split into 2 pages...)

I think that I solved my problem ( I also added a redirection in case of javascript switched off).

However I'll keep your code and if I'll find ANOTHER EMPTY BLOG, I will test your code .

For the effort that you made in writing the WHOLE code, I'll give you my points.

Thanks very much !!
Thank you Brillox.  BTW I can still make blank entries.  You have to control this on the server-side.  I can always beat client-side scripting, including META REFRESH.  (O:=

Avatar of brillox

ASKER

Thank god that is you that added blank entry... I was ready to go at Uni and have a fight with the guy ( I know who is) that added empty blogs without writing how he made it...

Last question I heard about invisible character that could be added with javascript on. Do you think that this is my case and if so which are the blank characters ??

BTW do you added empty blogs with Javascript off ?? (I hope)
The regular expression in the VB server side should filter out all bogus characters.

Michel
Avatar of brillox

ASKER

thanks mplungjan,

If I receive any other empty blogs I will post another HELP appeal here. Thanks to all of you

Massimo
I actually entered the blank entries with javascript on and off.  You just have more open than you realize.  Perhaps your ghost blogger is not aware of all that can be done and that's a good thing.  Unless you've changed your server-side you're probably also open to SQL injection.
Avatar of brillox

ASKER

so kiddanger,

Sorry kiddanger, I did not understand what really you mean... ( not because you are not clear, but because my English is not so good) can you please explain to me ?

Do you mean that I am still open to EMPTY BLOGS ??

I do not want to change all my code again, but I really would like to be ghost-blogger proof
My Italian is not that good, so bear with me.

I actually entered the blank entries with JavaScript on and off. You just have more open than you realize. Perhaps your ghost blogger is not aware of all that can be done, and that's a good thing. Unless you change your server side you are probably also open to SQL injection.

Now I am using an XSS (cross site scripting) attack to make the blank entries.
I just repeated what I already said in the previous comment and to tell him I was using cross site scripting to make the blank entries.  I'll post English and Italian then if he has trouble understanding what I'm saying anymore.
Avatar of brillox

ASKER

All my compliments for your ITALIAN kiddanger, however I do not have any empty blog

http://www45.brinkster.com/brillox/blogs.asp

and btw what I can do to defend my blog from SQL injection ( which I do not know what they are !!)?

I realized that my problem is not the English, is that I do not have a clou ( clou ??) about what you guys are talking about...

SQL injection... cross site scripting...

for me is abstarct
Clue, abstract ;)

What the Kid means is if you are too permissive or use to evaluate the statements, you can get statements like
 ' INSERT "CRAP" INTO ALL FIELDS WHERE NAME="Massimo"

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.unixwiz.net/techtips/sql-injection.html
Avatar of brillox

ASKER

Ok ....

but I am still totally confused. Please bear in mind that I just STARTED to program and what is very easy for you to understand is quite hard for me, therefore can you provide an example of what I should change in my code for this matter. This is not for me to copy and paste in my code, but is for me to study your solution and understand what it does.
Looking at your code I do not see great risks. Perhaps Kid can
brillox...

If you have not modified your server-side code, then you still have issues.  You never said if you changed it since this started.  You have been more concerned with the client-side which in my view is useless re: security.  Client-side validation is only to save some hits on the server, so it's for performance reasons.

You are now not allowing javascript to be disabled, ON your site.  However, if the form is not submitted from your site, then there's nothing you can do about it.  That's why client-side script is pointless when it comes to security.

You must cleanse the input data and you must do bounds checking and verification on the server-side to be successful.  If you show your latest server-side I can point out what I see.  I have already offered you server-side script but I have no idea what you're currently using.  If you stated you have changed it, I missed it.
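What the server-side check kiddanger is asking for looks like, as an added example that is not kiddanger's offered script and not the asker's ASP: the same rules the thread's client-side checkString() enforces, repeated on the server where JavaScript cannot be switched off. It is written in JavaScript so it can be run and tested here; the AddOneBlog.asp handler in the thread would do the equivalent in VBScript. The field limits, the allowed-character rules, the list of "invisible" code points and the sample submissions are all assumptions constructed for illustration. It also answers the earlier question about invisible characters: a plain Trim() in VBScript removes only ordinary spaces, so a zero-width space or a non-breaking space arrives looking blank but non-empty.

```javascript
// Added example: server-side validation for the blog form, not the project's own code.
// Field names follow the form in the thread; limits and character rules are assumptions.

// Code points that render as nothing but are not ordinary spaces: NBSP, the Unicode
// space family, zero-width space/joiner/non-joiner, word joiner, line/paragraph
// separators and the BOM. A plain Trim() leaves most of these in place.
const INVISIBLE = /[\u00a0\u1680\u2000-\u200d\u2028\u2029\u202f\u205f\u2060\u3000\ufeff]/g;

// Per-field rules (assumed): maximum length and an allow-list of characters.
// Interior runs of spaces are allowed everywhere, so "blabla   blabla" passes.
const RULES = {
  AuthorName:    { max: 50,   allowed: /^[A-Za-z0-9 ]+$/ },
  AuthorSurname: { max: 50,   allowed: /^[A-Za-z0-9 ]+$/ },
  BlogTitle:     { max: 50,   allowed: /^[A-Za-z0-9 ]+$/ },
  Blog:          { max: 2000, allowed: /^[A-Za-z0-9 .,!?-]+$/ },
};

// Normalise one submitted value: strip invisible code points, turn line breaks and
// tabs into single spaces, then trim. Only the normalised value is validated and stored.
function normalise(raw) {
  return String(raw == null ? '' : raw)
    .replace(INVISIBLE, '')
    .replace(/[\r\n\t\v\f]+/g, ' ')
    .trim();
}

// Validate a whole submission (an object keyed by form field name, as Request.Form
// would give it). Returns { ok, errors, values }: errors maps field name to message,
// values holds the normalised strings that are safe to hand on for storage.
function validateSubmission(fields) {
  const errors = {};
  const values = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = normalise(fields[name]);
    values[name] = value;
    if (value === '') {
      errors[name] = `${name} is required`;
    } else if (value.length > rule.max) {
      errors[name] = `${name} is longer than ${rule.max} characters`;
    } else if (!rule.allowed.test(value)) {
      errors[name] = `${name} contains characters that are not allowed`;
    }
  }
  return { ok: Object.keys(errors).length === 0, errors, values };
}

// Constructed sample submissions (not real traffic from the site).
const goodPost = {
  AuthorName: 'Massimo', AuthorSurname: 'Brillante',
  BlogTitle: 'Hello', Blog: 'blabla   blabla',
};
// Every field here is visually blank but non-empty: this is the "invisible character" case.
const ghostPost = {
  AuthorName: '\u200b', AuthorSurname: '\u00a0\u00a0',
  BlogTitle: ' \r\n ', Blog: '\ufeff',
};
// Markup in the body is refused by the allow-list rather than stored and echoed back.
const markupPost = { ...goodPost, Blog: '<script>alert(1)</script>' };

console.log(validateSubmission(goodPost).ok);          // true
console.log(validateSubmission(ghostPost).errors);     // all four fields "is required"
console.log(validateSubmission(markupPost).errors.Blog);
```

The allow-list is what stops blank and markup entries; it is not on its own the answer to the SQL injection point raised above. The insert into the database should additionally be done with a parameterised statement (in classic ASP, an ADODB.Command with Parameters rather than a query string built by concatenation), so that a quote or semicolon in a value can never change the statement's meaning.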
Avatar of brillox

ASKER

Hi Kiddanger,

No I did not use your code yet..... I am revising for 3 exams within next 2 weeks and I stopped to bother about the weblog, however I am more than happy to have your help. Do you want me to copy and paste the code of the addblogform.htm and addblog.ASP ?

BTW there is a way to attach files here instead of paste it ??
Avatar of brillox

ASKER

PS if you want to chat with me I am on MSN messenger  [*** email removed *** EE Page editor]
Avatar of brillox

ASKER

On top of this please note that we had ONLY 3 lessons in ASP at UNI and I am not supposed to know all this.

What I mean is that the weblog is a coursework and I am supposed to know what my code does.... If I use something for me that I do not understand I feel like I just copy and paste (and this is not my target).

I appreciate your concern, and I know that the ghost blogger is more advanced than me ( he started to program when he was 14...) I started last year !!  There are SO MANY things to learn that sometimes I do not know where to concentrate.
brillox...

Just so you know.  It's not a good idea to put your email address on the web anywhere.  It will increase the amount of spam you get.  I'll help you get your site secured.  Just let me know when you're ready.  I'm going to give you some links to articles that you should read that will show you what can be done and what to do to protect yourself.  It won't show you how but I can do that.

Your blog pest may have started when he was 14 but I started before MSFT existed.  We might have a slight edge.
Avatar of brillox

ASKER

thanks kiddanger...

I am ready now...

however the email above  is the uni email (their server can get some spam (they deserve that...))
brillox...

I didn't grab the email when you listed it so I made a simple form where you can submit your name and email so I can contact you.

http://kiddanger.com/asp/contacts.asp

It doesn't notify me yet if an entry has been made so you will have to let me know here for now.
Avatar of brillox

ASKER

Thanks kiddanger,

I submitted the form with my email address

Massimo