Date:  01/25/2012 12:49:09 PM Msg ID:  004410
From:  FoxWeb Support Thread:  004404
Subject:  Re: HTML form hack
The error 501 you mention is probably returned by the SMTP server. SMTP error 501 means "Syntax error in parameters or arguments" and is often a result of invalid recipient email addresses. Could it be that your users are entering an invalid email address in the form?
By the way, unless you are incorporating user input into SQL command strings and then running these command strings via macro substitution, you would not suffer from SQL injection attacks while using FoxWeb (or any other VFP-based framework). 
FoxWeb Support Team email
Sent by Joe Goldsmiith on 01/18/2012 08:51:43 PM:
Recently I have been checking my website's ASPEmail email log and have been finding errors where someone is trying to input/inject strange code into input boxes. I suppose this is an attempt at SQL injection. When the form is processed the flow takes it to ASPEmail to send email. My email server on another server sends back and ERROR 501 so it seems I am stopping that attempt. Would anyone know a technique to ensure my HTML forms catch these attempts before processing?
I have an HTML input forum using such as for example:
 <FORM NAME=myform METHOD="post" ACTION="myform.fwx">
 <TABLE WIDTH="600" cellpading="0" cellspacing="0" align="center">
             <INPUT TYPE=text NAME="FIRST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RFIRST)%>">
             <INPUT TYPE=text NAME="LAST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RLAST)%>"><br>
             <INPUT TYPE=text NAME="EMAIL" SIZE="50" MAXLENGTH="50" VALUE="<%=(M.EMAIL)%>">
             <INPUT type="submit" VALUE="SUBMIT" NAME="btnchoice" VALUE="Submit">
When submitted the form recalls the page stopping at Request.FormCount("btnchoice") > 0 when it it processed. During processing I first check to see if there is an empty string and set an error variable to show an alert. If everything is good I store the input into a database using INSERT INTO. The flow then goes to ASPMail to send an email to the visitor and me.
Any thoughts from the forum?