asp script


Jens Peter Karlsen [FP-MVP]

The above HTML encodes the input to protect against SQL Injection
attacks. The other doesn't.
I would guess that the year is taken from a dropdown so people can't
enter it themselves and they therefore thought that they didn't need
to html encode that.

Regards Jens Peter Karlsen. Microsoft MVP - Frontpage.
 

Stefan B Rusynko

See
http://www.devguru.com/Technologies/asp/quickref/server_htmlencode.html

FYI
The coding on that site lets anyone edit anyone else's personal information!

The page below lets you find any alumni (by just guessing last names)
http://www.diocesephoenix.org/school/seton_catholic_hs/Alumni/AlumFind.asp
And then reveals the ID (which lets you edit the record) w/o the user knowing the ID at
The ID should not be revealed unless the user knows and enters it!



| What is the difference between:
| http://www.diocesephoenix.org/school/seton_catholic_hs/Alumni/resultsName.asp the code for the search form says:
| <%=Server.HtmlEncode(Request("ID"))%>
| but it used to say: <%=Request("ID")%> but it works.
|
| Within the same site at
| http://www.diocesephoenix.org/school/seton_catholic_hs/Alumni/ResultsYear.asp says: <%=Request("GradYear")%> but it works too.
|
| ?
|
|
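As an added example (not code from this thread or from the site it discusses), here is a Python model of the two templates quoted in the question. The `html_encode` function follows the documented behaviour of classic ASP `Server.HTMLEncode` (it encodes `<`, `>`, `&`, `"` and characters above 127, and leaves the apostrophe unchanged); `render_results` stands in for the ASP page and is an assumed name. It shows why the encoded and unencoded versions both "work" for an ordinary ID yet differ as soon as the submitted value carries markup, and that this encoding governs how a value is rendered into the page, not how it is used in a database query.

```python
"""Model of <%=Server.HtmlEncode(Request("ID"))%> versus <%=Request("ID")%>.

html_encode mirrors classic ASP Server.HTMLEncode: <, >, & and " become
named entities, characters above 127 become numeric references, and the
apostrophe is passed through unchanged.
"""


def html_encode(value: str) -> str:
    """Encode text so it is shown literally inside HTML element content."""
    out = []
    for ch in value:
        if ch == "&":
            out.append("&amp;")
        elif ch == "<":
            out.append("&lt;")
        elif ch == ">":
            out.append("&gt;")
        elif ch == '"':
            out.append("&quot;")
        elif ord(ch) > 127:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)


def render_results(request_id: str, encode: bool) -> str:
    """Hypothetical stand-in for the results page: echo the ID into HTML,
    either through html_encode (the current template) or raw (the old one)."""
    shown = html_encode(request_id) if encode else request_id
    return f"<p>Results for ID: {shown}</p>"


def echoes_raw_markup(page: str, request_id: str) -> bool:
    """True when a value containing tags landed in the page as live markup."""
    return "<" in request_id and request_id in page


# Constructed sample inputs, not real alumni data.
NORMAL_ID = "10234"
MARKUP_ID = "<b>not an id</b>"
QUOTE_ID = "O'Brien"

if __name__ == "__main__":
    for ident in (NORMAL_ID, MARKUP_ID, QUOTE_ID):
        raw = render_results(ident, encode=False)
        enc = render_results(ident, encode=True)
        print(f"{ident!r}\n  raw:     {raw}\n  encoded: {enc}\n"
              f"  raw page carries live markup: {echoes_raw_markup(raw, ident)}")
```

For the plain numeric ID both templates produce identical output, which is why the unencoded `GradYear` page also appears to work; the apostrophe case shows that this encoder leaves `'` untouched, so it is not a substitute for parameterised queries.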
 
