Date:  01/18/2012 08:51:43 PM Msg ID:  004404
From:  Joe Goldsmiith Thread:  004404
Subject:  HTML form hack
Recently I have been checking my website's ASPEmail email log and have been finding errors where someone is trying to input/inject strange code into input boxes. I suppose this is an attempt at SQL injection. When the form is processed the flow takes it to ASPEmail to send email. My email server on another server sends back and ERROR 501 so it seems I am stopping that attempt. Would anyone know a technique to ensure my HTML forms catch these attempts before processing?
I have an HTML input forum using such as for example:
 <FORM NAME=myform METHOD="post" ACTION="myform.fwx">
 <TABLE WIDTH="600" cellpading="0" cellspacing="0" align="center">
             <INPUT TYPE=text NAME="FIRST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RFIRST)%>">
             <INPUT TYPE=text NAME="LAST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RLAST)%>"><br>
             <INPUT TYPE=text NAME="EMAIL" SIZE="50" MAXLENGTH="50" VALUE="<%=(M.EMAIL)%>">
             <INPUT type="submit" VALUE="SUBMIT" NAME="btnchoice" VALUE="Submit">
When submitted the form recalls the page stopping at Request.FormCount("btnchoice") > 0 when it it processed. During processing I first check to see if there is an empty string and set an error variable to show an alert. If everything is good I store the input into a database using INSERT INTO. The flow then goes to ASPMail to send an email to the visitor and me.
Any thoughts from the forum?