
Please excuse me if this question is dumb.

I need to get an input value and pass it in a POST parameter as follows:

  SQL = "[proc_Happy]" & Request.Cookies("UserID") & "," & Request.Form("MYINPUTFIELD")

I have tried hardcoding MYINPUTFIELD with (it worked!):

  SQL = "[proc_Happy]" & Request.Cookies("UserID") & "," & 54555152

My input in the asp page looks as follows:

  <input type="number" name="MYINPUTFIELD " id="MYINPUTFIELD" value="<%=MYINPUTFIELD%>">

Things I have tried:

Getting the value with JS - failed.

Notes: MYINPUTFIELD is an int

Jon P
Yosh
    I'd **strongly** suggest reading https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection . Your code is very vulnerable as is. – mjwills Oct 21 '19 at 00:29
  • What errors do you get? What specifically does not work? What do you get if you write your string back to the page? Are you sure you have set the method of the form to POST **not** GET? – Jon P Oct 21 '19 at 00:37
  • Thank you @mjwills for the notes, this project is a test, not a production one - thanks! – Yosh Oct 21 '19 at 00:42
  • Hi @JonP, there is no error, the value from the asp page is not being read. – Yosh Oct 21 '19 at 00:43
  • 2
    `this project is a test, not a production one` Test or otherwise, you shouldn't use that code. Doing it properly takes no extra time, and encourages good practices that will help you in future. – mjwills Oct 21 '19 at 00:53
  • Is the field set to `disabled` at any point by javascript? Are there any redirects happening? The code you have provided should work *if the form is set to POST not GET*. Check the length of `Request.Form` to see if anything is being passed back in the Form object. – Jon P Oct 21 '19 at 00:58
  • I'm with @jon-p here. It looks like `` is missing. @Yosh, check with `Request.QueryString("MYINPUTFIELD")` if the value is present there. I also recognize a trailing space in `name="MYINPUTFIELD "` in your code sample. – Hel O'Ween Oct 21 '19 at 14:32
  • 1
    Since he is using stored procedure, parameters are validated. MYINPUTFIELD must be an int. So, code is not really vulnerable. – DanB Oct 21 '19 at 16:48

1 Answer


Is your input field in a form, i.e. is it between <form...> and </form> tags? If no, that's your problem right there. If yes, what does the <form...> tag have in it? Does it say method='get'? If yes, then your inputs are being put in the querystring, not the form object. For Request.Form(...) to work, your form needs to say method='post'.

If you need this code to work with both form methods, you can do something like

Dim MyInputField
MyInputField = Request.QueryString("MyInputField")
If MyInputField = "" Then MyInputField = Request.Form("MyInputField")
'make the "OMGSQLINJECTION!!1!" people just go away already
'(note to such people: he's using a frigging stored procedure.)
If Not IsNumeric(MyInputField) Then
    MyInputField = 0
End If
SQL = "[proc_Happy]" & Request.Cookies("UserID") & "," & MyInputField
Martha
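An added example, not code from the question or from the answer above: the same stored-procedure call made through a parameterised ADODB.Command, so neither the cookie nor the form field is ever spliced into SQL text, and both values (the cookie is concatenated unchecked in the original line too) must pass a strict whole-number check rather than IsNumeric. The procedure name, its two INT parameters and their order, and the `Application("ConnString")` connection string are assumptions.

```vbscript
' Added example: parameterised call to proc_Happy from classic ASP / VBScript.
' Assumes proc_Happy takes (UserID INT, MyInputField INT) in that order and that
' Application("ConnString") (hypothetical name) holds the connection string.
Const adCmdStoredProc = 4
Const adInteger = 3
Const adParamInput = 1

' IsNumeric accepts "1e3", "1.5", "&H1F" and " 7 ", none of which is an INT.
' This accepts only an optional minus sign plus digits inside the INT range.
Function TryParseInt(ByVal s, ByRef result)
    Dim re
    Set re = New RegExp
    re.Pattern = "^-?\d{1,10}$"
    TryParseInt = False
    If re.Test(s) Then
        If CDbl(s) >= -2147483648 And CDbl(s) <= 2147483647 Then
            result = CLng(s)
            TryParseInt = True
        End If
    End If
End Function

' Read the POST body first, then fall back to the query string (as in the answer).
Dim raw, userId, inputField
raw = Request.Form("MYINPUTFIELD")
If raw = "" Then raw = Request.QueryString("MYINPUTFIELD")

' Reject the request outright instead of silently substituting 0.
If Not TryParseInt(Request.Cookies("UserID"), userId) _
   Or Not TryParseInt(raw, inputField) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

Dim cn, cmd
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open Application("ConnString")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cn
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "proc_Happy"
' Parameters are bound by position; the names are for readability only.
cmd.Parameters.Append cmd.CreateParameter("@UserID", adInteger, adParamInput, , userId)
cmd.Parameters.Append cmd.CreateParameter("@MyInputField", adInteger, adParamInput, , inputField)
cmd.Execute
cn.Close
```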