Date:  01/25/2012 08:07:56 PM Msg ID:  004413
From:  Joe Goldsmiith Thread:  004404
Subject:  Re: HTML form hack
WOW! Thanks for the insight. Might I impose upon you for an example of using an SQL command to gather user input and an example of macro substitution to gather such information please? I thought I was following an example found in the installation folder from years ago.
 
Joe
Sent by FoxWeb Support on 01/25/2012 12:49:09 PM:
The error 501 you mention is probably returned by the SMTP server. SMTP error 501 means "Syntax error in parameters or arguments" and is often a result of invalid recipient email addresses. Could it be that your users are entering an invalid email address in the form?
 
By the way, unless you are incorporating user input into SQL command strings and then running these command strings via macro substitution, you would not suffer from SQL injection attacks while using FoxWeb (or any other VFP-based framework). 
FoxWeb Support Team
support@foxweb.com
Sent by Joe Goldsmiith on 01/18/2012 08:51:43 PM:
Recently I have been checking my website's ASPEmail email log and have been finding errors where someone is trying to input/inject strange code into input boxes. I suppose this is an attempt at SQL injection. When the form is processed the flow takes it to ASPEmail to send email. My email server on another server sends back an ERROR 501 so it seems I am stopping that attempt. Would anyone know a technique to ensure my HTML forms catch these attempts before processing?
 
I have an HTML input form such as, for example:
 
 <FORM NAME="myform" METHOD="post" ACTION="myform.fwx">
 <TABLE WIDTH="600" cellpadding="0" cellspacing="0" align="center">
    <tr>
        <TD>
             <!-- MAXLENGTH limits what the browser sends, not what the server accepts -->
             <INPUT TYPE="text" NAME="FIRST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RFIRST)%>">
             <INPUT TYPE="text" NAME="LAST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RLAST)%>"><br>
             <INPUT TYPE="text" NAME="EMAIL" SIZE="50" MAXLENGTH="50" VALUE="<%=(M.EMAIL)%>">
        </TD>
    </tr>
    <TR>
        <TD>
             <INPUT TYPE="submit" NAME="btnchoice" VALUE="Submit">
        </TD>
    </TR>
</TABLE>
</FORM>
 
When submitted the form recalls the page stopping at Request.FormCount("btnchoice") > 0 when it is processed. During processing I first check to see if there is an empty string and set an error variable to show an alert. If everything is good I store the input into a database using INSERT INTO. The flow then goes to ASPMail to send an email to the visitor and me.
 
Any thoughts from the forum?
 
Joe
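An added example, not code from this thread or from FoxWeb, covering both points raised above: the support reply's distinction between macro-substituted SQL strings and plain VFP SQL, and Joe's wish to catch bad input before the form data reaches ASPEmail. It assumes a table VISITORS with fields FIRST C(15), LAST C(15) and EMAIL C(50), and that Request.Form() is the FoxWeb accessor for posted fields.

```foxpro
* Added example (not from the thread or FoxWeb's own code).
* Assumed: table VISITORS with FIRST C(15), LAST C(15), EMAIL C(50);
* Request.Form(name) returns the posted field value.

* --- The pattern the support reply warns about: user input is pasted
* --- into a command string which is then executed with macro substitution.
LOCAL lcSql
lcSql = "INSERT INTO visitors (first, last, email) VALUES ('" ;
      + Request.Form("FIRST") + "','" + Request.Form("LAST") + "','" ;
      + Request.Form("EMAIL") + "')"
* &lcSql   && a quote character in any field changes the statement itself

* --- Safe pattern: VALUES() takes memory variables as expressions, so the
* --- input stays data and is never parsed as part of the SQL command.
LOCAL lcFirst, lcLast, lcEmail
lcFirst = LEFT(ALLTRIM(Request.Form("FIRST")), 15)
lcLast  = LEFT(ALLTRIM(Request.Form("LAST")), 15)
lcEmail = LEFT(ALLTRIM(Request.Form("EMAIL")), 50)
IF IsPlausibleEmail(m.lcEmail)
   INSERT INTO visitors (first, last, email) ;
      VALUES (m.lcFirst, m.lcLast, m.lcEmail)
ELSE
   * set the page's error variable here and skip the ASPEmail call
ENDIF

* Sanity check applied before the address is handed to ASPEmail: exactly
* one "@" with text on both sides, no whitespace, no CR/LF and none of the
* characters that delimit addresses or headers. Not a full RFC 5322 check;
* it only makes sure a single plain address is all that reaches the mailer.
FUNCTION IsPlausibleEmail(tcAddr)
   LOCAL lnAt
   IF EMPTY(m.tcAddr) OR LEN(m.tcAddr) > 50
      RETURN .F.
   ENDIF
   IF OCCURS("@", m.tcAddr) # 1
      RETURN .F.
   ENDIF
   lnAt = AT("@", m.tcAddr)
   IF m.lnAt = 1 OR m.lnAt = LEN(m.tcAddr)
      RETURN .F.
   ENDIF
   * CHRTRAN strips the listed characters; any change means one was present
   IF CHRTRAN(m.tcAddr, " " + CHR(9) + CHR(10) + CHR(13) + [<>"',;], "") # m.tcAddr
      RETURN .F.
   ENDIF
   RETURN .T.
ENDFUNC
```

Rejected submissions are the ones to log on the FoxWeb side, so the SMTP 501 from the mail server stops being the only record of them.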