This is a discussion on "PLEASE HELP - Passing Variables in Querystring" within the Classic ASP section. This forum, and the thread "PLEASE HELP - Passing Variables in Querystring", are both part of the Program Your Website category.
PLEASE HELP - Passing Variables in Querystring
I have a very strange problem and I don't know what to do. Any help would be greatly appreciated. I have "search.asp" in which people search for a document in a SQL DB. It displays the results on the "searchresults.asp" page. This list of results contains the document number as well as the text of the document. The document number is a link to "edit.asp?docid="; of course, the docid depends on the number. This works erratically. If I display the "request" items on the edit.asp page, it should display "docid=1234". Most of the time it does. HOWEVER, sometimes it displays "docid AD0-1234=". As you can see there is nothing after the equal sign, so my edit page gives an error because there is no docid to look up. Am I just doing this wrong, or has anyone else ever seen this?
Thanks in advance for anything, Brad
Are you using request("docid") in your ASP code?
MyVar = request("docid") to be exact. Is this correct?
It will work, but it is very bad coding practice, as simply using request("") is not specific and will force a check of a very large amount of data (probably why you're getting random errors).
To avoid this, be more specific. If your data is in the querystring use:
MyVar = request.querystring("docid")
If your data has been submitted by form then use:
MyVar = request.form("docid")
You'll find this will be more secure too.
Thanks for the response. I tried that. Same problem. There is no form, just the querystring. I'm glad to see it's not just me. I can't figure out another way to send this info to this page without a form. Any other suggestions?
Thanks, Brad
Please post your code so we can see what's actually happening...
It sounds to me like some of the records in your database don't have an ID.
Here is the searchresults.asp
Thanks thus far, Brad
In ASP 'Call' is assumed, so you won't need to use it quite so often:
<%call Response.write (q5)%> could be just <% Response.write (q5)%>, or in this case, just <%= (q5) %>
Are you using ASP sessions?
Yes, I am using Sessions for other things. But if I use Sessions for this, I can't figure out how to pass this one variable to another page by clicking on an anchor tag. Should I just give up on my original problem?
Thanks again, Brad
just_the_basix.... Please use Forum Code tags when pasting CODE.
I edited your post to use these tags, and you have re-edited and removed them.... [*code] [*/code] tags should surround all pasted code (remove asterisks) We reserve the right to delete any code NOT in these tags, so please make sure you use them.
__________________
Rob - SEO Specialist Owner & Founder of Webforumz.com I am currently unavailable for private work
Last Blog Entry: Creative Labs threaten developer over home made drivers.... (Apr 1st, 2008)
Oops. I am sorry I didn't use them in the first place, but I didn't go back and edit them out either. I'm not sure how they got removed, but I assure you I will use them in the future.
Sorry, Brad
Your existing sessions may be giving you problems, as when you close and re-open IE, you cancel all your session variables.
Would the sessions being messed up have anything to do with passing variables from one page to another using only the querystring? Just curious.
Thanks, Brad
Hi Brad.... Sessions and querystrings are not related and do not interact with each other.
Originally posted by D3mon:
> It will work, but it is very bad coding practice, as simply using request("") is not specific and will force a check of a very large amount of data (probably why you're getting random errors). To avoid this, be more specific: if your data is in the querystring use: MyVar = request.querystring("docid"); if your data has been submitted by form then use: MyVar = request.form("docid"). You'll find this will be more secure too.

Couple of Qs:
- What large amount of data does it check? I thought it was just the .form and .querystring collections.
- How can this lead to 'random errors'?
- How is this less secure?
- In general, is this really considered bad coding practice? Can you point me to any links?
- It has to check all the ASP collections.
- Random errors might occur due to bad coding practices, not the request method.
- If you have a page that receives data from a form, I could use the querystring to insert un-validated data into your system. This often forms the basis of SQL injection attacks.
- No links, just years of experience.
Thanks for the response - couple of other qs:

Originally posted by D3mon:
> - It has to check all the ASP collections.

There are only 5 collections. It checks Querystring and Form first. If you're expecting a value, it will end there. And checking a collection has little to no impact on script execution speed.

> - Random errors might occur due to bad coding practices, not the request method.

Hmm, not sure I understand you. If you could spell it out for me - how could using Request("...") explain the "random errors" that the original poster is experiencing?

> - If you have a page that receives data from a form, I could use the querystring to insert un-validated data into your system. This often forms the basis of SQL injection attacks.

From what I understand, forms are just as insecure. I can easily fake a form. So presuming that a form field can't be SQL injected (or CSS injected, for that matter) is the security risk! Cookies can also be faked without too much trouble. ClientCertificate and ServerVariables collections are a bit trickier, but doable. Surely all incoming variables must be treated suspiciously - for SQL and CSS attacks - regardless of their source? Or perhaps I'm missing something?

> - No links, just years of experience.

Ok thanks, I'm very new to ASP, only around 7 years of experience under the old belt.
I use this method in a lot of my code, so if I'm opening up security holes here then I'd really like to know!
I have to sort of agree with both of you.
I will always maintain the opinion that it is 'better coding practice' to request.theCollection("whatIwant") than to use request("whatIwant") on its own. Better coding practice in the fact that you are in total control of the application, rather than the application deciding 'hey, let's ignore these posted form variables, coz we got some info in the querystring with the same names'... whether that is by design or not, it just doesn't sit right with me.

To quote d3mon:
> - It has to check all the ASP collections.
> - Random errors might occur due to bad coding practices, not the request method.
> - If you have a page that receives data from a form, I could use the querystring to insert un-validated data into your system. This often forms the basis of SQL injection attacks.
> - No links, just years of experience.

1st... it will never check all the ASP collections unless the value you wanted exists in ServerVariables and nowhere else. It will check in this order:
- QueryString
- Form
- Cookies
- ClientCertificate
- ServerVariables
It will stop at the first occurrence of the variable requested.
Random errors due to coding practices.... well, this is an issue, yes. If you are using the 'bad coding practice' I mention and you are expecting form vars, then depending on whether you have pre-empted this or not, a malicious person *could* break the page... this could reveal anything from a harmless piece of information to a database location.... I don't however think it is a massive security risk, as SQL injection checks should be performed on the data regardless of which collection it is coming from. The upshot of this is that it *could* be a security risk if using sloppy code, and it *could* lead to broken 500.100 error pages which reveal information (which *could* be harmful).
A good programmer would prevent both of these things, but whichever way you look at it, it really is Bad Coding Practice, in my opinion. I agree with Nick in the fact that form, querystring, cookies, etc. can be faked.... It is up to you, the programmer, to make sure your application is secure. Remember that your application lives on the server.... whilst it relies on its client-side user interface, it should not trust it explicitly. My $0.02
> If you are using the 'bad coding practice' I mention and you are expecting form vars, then depending on whether you have pre-empted this or not, a malicious person *could* break the page... this could reveal anything from a harmless piece of information to a database location.... I don't however think it is a massive security risk, as SQL injection checks should be performed on the data regardless of which collection it is coming from.

Sorry but this just doesn't make sense to me. If you are not checking every incoming variable, regardless of the collection, then you have a security risk. If you are using request.form, and you aren't validating the data, you have a security risk. Yes it's harder to hack a form than a QS, but only slightly. And obscurity != security.

> is that it *could* be a security risk if using sloppy code

I think this is just wrong. The sloppy code is the security risk of not validating incoming data - it was there when the code was request.form("..."). It's no more of a security risk, just (a little) easier to perform. The risk was there before. So I don't really see how using request("...") poses any greater security risk. If anything it lessens it, because a sloppy programmer can't think "pfft well it's from cookies so I can just presume it's good". I'm not suggesting using it for everything, but in the cases where you could theoretically get the data from either the form or the querystring now or in the future, I still see absolutely no issue with using it.

> Better coding practice in the fact that you are in total control of the application, rather than the application deciding 'hey, let's ignore these posted form variables, coz we got some info in the querystring with the same names'... whether that is by design or not, it just doesn't sit right with me.

I don't agree. It has a strict rule - as you note below. It follows an identical pattern each time. It's a little bit more complicated, but you are still in total control, you still know exactly what happened and why. There's no trickery.
This is the same argument as someone saying "well it's hard to trace a recursive procedure and you're not in total control, it's all like 'well I think I'm going to call myself' and it just doesn't feel right". And I'm still interested to see how this can cause "random errors".
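Putting the thread's advice together (read the id from Request.QueryString by name, validate the value whichever collection it came from, and never concatenate it into the SQL), here is an edit.asp as an added example; it is not code posted in the thread. It assumes a table Documents with an integer DocID column and a DocText column, and a connection string stored in Application("ConnStr"); all three names are assumptions.

```asp
<%
Option Explicit
' edit.asp (added example, not code posted in the thread).
' Assumptions: a table Documents(DocID int, DocText text) and a connection
' string kept in Application("ConnStr"); both names are hypothetical.

Dim rawId, docId, re, cmd, rs

' Name the collection explicitly. Request("docid") would also search Form,
' Cookies, ClientCertificate and ServerVariables, in that order.
rawId = Trim(Request.QueryString("docid"))

' Validate the value itself, whichever collection it came from: a document
' id is 1-9 digits and nothing else. Reject bad input rather than fixing it.
Set re = New RegExp
re.Pattern = "^[0-9]{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Missing or invalid document id."
    Response.End
End If
docId = CLng(rawId)

' Bind the id as a parameter: the value never becomes part of the SQL text,
' so it cannot change the statement even if validation were skipped.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = Application("ConnStr")
cmd.CommandText = "SELECT DocID, DocText FROM Documents WHERE DocID = ?"
cmd.CommandType = 1                                                ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("docid", 3, 1, , docId)  ' adInteger, adParamInput
Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No document with id " & Server.HTMLEncode(CStr(docId)) & "."
Else
    ' Encode on output too: the stored document text is user-supplied data.
    Response.Write "<h1>Document " & Server.HTMLEncode(CStr(rs("DocID"))) & "</h1>"
    Response.Write "<pre>" & Server.HTMLEncode(CStr(rs("DocText"))) & "</pre>"
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

On searchresults.asp the matching link is built as edit.asp?docid=<%= Server.URLEncode(CStr(rs("DocID"))) %>, so the id is the only thing that ever follows the equals sign.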