This page provides a basic example of handling data from a Web form on the server. It assumes that you just filled out the form in Client-Side EG, or that you bypassed it (which is exactly the case server-side validation exists for). The server-side handling is done with classic ASP using JavaScript (JScript) on the server side. It includes my ServerSideValidation.js, which is a tweaked version of my ClientSideValidation.js; both can be used generically for most forms. The concepts are the same whether you use PHP, Perl, .NET, or any other server-side stack.

All the fields submitted DID NOT validate

On a normal form, you would probably log the error because it may be a break-in attempt: anything that passed client-side validation but fails here was either tampered with or never went through the form. You would probably want to redirect the user in a gentle way that gives them minimal security information, but enough to possibly debug the issue if they're a real user. EG: Don't tell them exactly why the attempt failed, but perhaps give an error code that only has meaning in-house. For now, the erring field that was submitted is shown below. When displaying data to users, fight XSS by HTML encoding as needed (EG: Turn characters like < to &lt;), including the failed value itself, since that is the one most likely to be hostile.

FieldName: 'UserName' with Value: 'undefined' failed.

Server-side code on this page

Below is the relevant server-side code on this page. It generates everything after the first paragraph and this section. Again, it is all Classic ASP written in JavaScript.

<%
function QFieldsOK(){
    //This function validates each field. If not all OK, then return the name of the first failed field for logging.
    //  glhValidField(Field, {Allowed:strChars, Blocked:strChars, Choices:strArray, ChoicesMax:int, ChoicesMin:int, Datatype:str, LengthMax:int, LengthMin:int, Required:bln})
    //  Request.Form("X") is passed in directly; an item that is not in the POST at all stringifies to 'undefined'.
    if (!glhValidField(Request.Form("UserName"), {Required:true, Allowed:"A-Ya-y"})) return "UserName"; //Deliberately stricter than the client-side A-Za-z
    if (!glhValidField(Request.Form("Phone"), {Required:true, LengthMin:3, LengthMax:12, Allowed:"0-9\-", Blocked:"-\-"})) return "Phone";
    if (!glhValidField(Request.Form("Number"), {Required:true, LengthMin:1, LengthMax:20, Datatype:"Number"})) return "Number";
    if (!glhValidField(Request.Form("Email"), {Datatype:"Email"})) return "Email";
    if (!glhValidField(Request.Form("Password"), {Required:true, LengthMin:4, Allowed:"A-Za-z0-9_"})) return "Password";
    if (!glhValidField(Request.Form("Hidden"), {Required:true, Choices:["foo","bar"]})) return "Hidden"; //Hidden fields are just as editable as visible ones
    if (!glhValidField(Request.Form("Gender"), {ChoicesMin:1, ChoicesMax:1, Choices:["M","F"]})) return "Gender";
    if (!glhValidField(Request.Form("Pet"), {ChoicesMin:2, ChoicesMax:3, Choices:["Dog","Cat","Bat","Rat"]})) return "Pet"; //2-3 choices server-side, as the output below states
    if (!glhValidField(Request.Form("Fruit"), {ChoicesMin:0, ChoicesMax:3, Choices:["BananaCUPl","BananaPHMi","OrangeNVNa","OrangeTXTa","OrangeTNTo"]})) return "Fruit";
    if (!glhValidField(Request.Form("Notes"), {Allowed:"A-Za-z0-9 '-.,+\?\!\/\@"})) return "Notes";
    return "OK";
}
var AFieldsOK=QFieldsOK();
if (AFieldsOK=="OK") {
    Response.Write("<h2>All the fields submitted validated</h2>\r\n");
    Response.Write("<p>On a normal form, you would do the usual stuff on the server-side with the data. For now the values submitted are shown below. When displaying users' data, fight XSS by HTML encoding (EG: Turn characters like &lt; to &amp;lt;).</p>\r\n");
    Response.Write("<ol>\r\n");
    Response.Write("<li>Field 'UserName': with Value: '"+gHTMLEncode(Request.Form("UserName"))+"'. [A-Za-z allowed in CS validation, but A-Ya-y SS. Try entering a z on CS to impersonate someone skipping the form.]</li>\r\n");
    Response.Write("<li>Field 'Phone': with Value: '"+gHTMLEncode(Request.Form("Phone"))+"'. [Max length 16 in CS validation, but 12 SS. Try entering greater than 12 on CS to impersonate someone skipping the form.]</li>\r\n");
    Response.Write("<li>Field 'Number': with Value: '"+gHTMLEncode(Request.Form("Number"))+"'. [Not validated on CS, but validates for number on SS. Try entering a non-number on CS to impersonate someone skipping the form.]</li>\r\n");
    Response.Write("<li>Field 'Email': with Value: '"+gHTMLEncode(Request.Form("Email"))+"'. [Basic email validation used: I'm still looking for a fully RFC 2822 compliant regex.]</li>\r\n");
    Response.Write("<li>Field 'Password': with Value: '"+gHTMLEncode(Request.Form("Password"))+"'. [No CS validation, but SS min length is 4 and only A-Za-z0-9_ characters allowed. Try entering weirdo characters to impersonate someone skipping the form. Of course, normally you never display anyone's password, and in the database it should be salted and hashed anyway.]</li>\r\n");
    Response.Write("<li>Field 'Hidden': with Value: '"+gHTMLEncode(Request.Form("Hidden"))+"'. [Even hidden fields should be validated SS.]</li>\r\n");
    Response.Write("<li>Field 'Gender': with Value: '"+gHTMLEncode(Request.Form("Gender"))+"'. [Even radio fields should be validated SS. 1 required cs and ss.]</li>\r\n");
    Response.Write("<li>Field 'Pet': with Value(s): '"+gHTMLEncode(Request.Form("Pet"))+"'. [Even checkboxes should be validated SS. This one 2+ cs, but 2-3 ss.]</li>\r\n");
    Response.Write("<li>Field 'Fruit': with Value(s): '"+gHTMLEncode(Request.Form("Fruit"))+"'. [Even select/options should be validated SS. This one 0-3 cs and ss. Value 'undefined' if none selected.]</li>\r\n");
    Response.Write("<li>Field 'Notes': with Value: '"+gHTMLEncode(Request.Form("Notes"))+"'. [Since textareas usually allow a lot of content, these must be handled carefully as explained on the form. This field is set to allow only some common characters (<code>A-Za-z0-9 '-.,+?!/@</code>).]</li>\r\n");
    Response.Write("</ol>\r\n");
}else{ //Not all fields validated
    Response.Write("<h3>All the fields submitted DID NOT validate</h3>\r\n");
    Response.Write("<p>On a normal form, you would probably log the error because it may be a break-in attempt. You would probably want to redirect the user in a gentle way that gives them minimal security information, but enough to possibly debug the issue if they're a real user. EG: Don't tell them exactly why the attempt failed, but perhaps give an error code that only has meaning in-house. For now, the erring field that was submitted is shown below. When displaying data to users, fight XSS by HTML encoding as needed (EG: Turn characters like &lt; to &amp;lt;).</p>\r\n");
    Response.Write("<p>FieldName: '"+AFieldsOK+"' with Value: '"+gHTMLEncode(Request.Form(AFieldsOK))+"' failed.</p>\r\n"); //The failed value is the most likely to be hostile, so it is encoded too
}
//Response.Write("<p>FieldName: NotInForm with Value: '"+Request.Form("NotInForm")+"'.</p>\r\n"); //Uncomment this to see handling of an item not on the form at all
%>
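The ASP above calls glhValidField and gHTMLEncode from my ServerSideValidation.js, which is not shown on this page. Below is an added, stand-alone Node.js example (not the page's own library) that implements the same idea: a validator taking the same option names as the glhValidField comment, the page's rule set checked in order with the first failing field returned by name, an HTML encoder for the output, and the log-it-fully-but-tell-the-user-an-opaque-code handling described above. The form submissions are constructed for the example; the Blocked-as-regex interpretation, the rejection of a duplicated text parameter, and the "E01"-style in-house codes are this example's assumptions.

```javascript
"use strict";

// Basic patterns for the two Datatype values the page uses. The Email check is
// deliberately simple, like the page's ("basic email validation").
const DATATYPES = {
  Number: /^-?\d+(\.\d+)?$/,
  Email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
};

// Normalise whatever the form layer handed us into an array of strings:
// an absent field (undefined, the page's 'undefined' case) becomes [],
// a repeated field (checkboxes, or a duplicated parameter) stays an array.
function toValues(value) {
  if (value === undefined || value === null) return [];
  return (Array.isArray(value) ? value : [value]).map(String);
}

// validField(value, opts): same option names as the page's glhValidField, but
// this implementation is the example's own. Returns true if the value passes.
function validField(value, opts) {
  const values = toValues(value);
  const present = values.some((v) => v.length > 0);
  if (opts.Required && !present) return false;

  if (opts.Choices) {
    // Hidden, radio, checkbox and select fields: count and membership only.
    const min = opts.ChoicesMin !== undefined ? opts.ChoicesMin : (opts.Required ? 1 : 0);
    const max = opts.ChoicesMax !== undefined ? opts.ChoicesMax : opts.Choices.length;
    if (values.length < min || values.length > max) return false;
    return values.every((v) => opts.Choices.includes(v));
  }

  // Free-text field. A parameter submitted twice is rejected outright
  // (assumption: the form never legitimately repeats a text input).
  if (values.length > 1) return false;
  if (!present) return true; // optional and empty
  const v = values[0];

  if (opts.LengthMin !== undefined && v.length < opts.LengthMin) return false;
  if (opts.LengthMax !== undefined && v.length > opts.LengthMax) return false;
  // Allowed is the body of a regex character class, e.g. "A-Ya-y".
  if (opts.Allowed && !new RegExp("^[" + opts.Allowed + "]*$").test(v)) return false;
  // Blocked is a regex for substrings that must not appear, e.g. "--" (assumption).
  if (opts.Blocked && new RegExp(opts.Blocked).test(v)) return false;
  if (opts.Datatype) {
    const re = DATATYPES[opts.Datatype];
    if (!re || !re.test(v)) return false; // unknown Datatype fails closed
  }
  return true;
}

// The page's rule set, one entry per field, checked in order; the first
// failure is reported by name, exactly as QFieldsOK does.
const RULES = [
  ["UserName", { Required: true, Allowed: "A-Ya-y" }],
  ["Phone", { Required: true, LengthMin: 3, LengthMax: 12, Allowed: "0-9\\-", Blocked: "--" }],
  ["Number", { Required: true, LengthMin: 1, LengthMax: 20, Datatype: "Number" }],
  ["Email", { Datatype: "Email" }],
  ["Password", { Required: true, LengthMin: 4, Allowed: "A-Za-z0-9_" }],
  ["Hidden", { Required: true, Choices: ["foo", "bar"] }],
  ["Gender", { ChoicesMin: 1, ChoicesMax: 1, Choices: ["M", "F"] }],
  ["Pet", { ChoicesMin: 2, ChoicesMax: 3, Choices: ["Dog", "Cat", "Bat", "Rat"] }],
  ["Fruit", { ChoicesMin: 0, ChoicesMax: 3, Choices: ["BananaCUPl", "BananaPHMi", "OrangeNVNa", "OrangeTXTa", "OrangeTNTo"] }],
  // '\-' keeps the hyphen literal instead of forming a "'-." range.
  ["Notes", { Allowed: "A-Za-z0-9 '\\-.,+?!/@" }],
];

function fieldsOK(form) {
  for (const [name, opts] of RULES) {
    if (!validField(form[name], opts)) return name;
  }
  return "OK";
}

// Encode for an HTML text node or attribute value; 'undefined' comes out as
// the literal string, which is what the page shows for an absent field.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// On failure: full detail to the server log (JSON.stringify keeps newlines
// escaped, so a hostile value cannot forge extra log lines), and only an
// opaque in-house code to the user. The E-codes are made up for the example.
function failureReport(form, field) {
  const code = "E" + String(RULES.findIndex(([n]) => n === field) + 1).padStart(2, "0");
  const raw = form[field] === undefined ? "(absent)" : JSON.stringify(form[field]);
  return {
    userMessage: "Your submission could not be processed (ref " + code + ").",
    logLine: "validation failed field=" + field + " value=" + raw,
  };
}

// Constructed submissions (not captured from the page). GOOD is what the
// client-side form would send; BYPASSED entries impersonate someone skipping it.
const GOOD = { UserName: "alice", Phone: "555-1234", Number: "42", Email: "alice@example.com",
  Password: "s3cret_pw", Hidden: "foo", Gender: "F", Pet: ["Dog", "Cat"], Notes: "Call me, thanks!" };
const BYPASSED = [
  { ...GOOD, UserName: "zoe" },                    // z passes CS (A-Za-z) but not SS (A-Ya-y)
  { ...GOOD, Hidden: "admin" },                    // tampered hidden field
  { ...GOOD, Pet: ["Dog"] },                       // fewer than the 2 the server requires
  { ...GOOD, Phone: "555--1234" },                 // Blocked substring
  { ...GOOD, Notes: "<script>alert(1)</script>" }, // '<' is not in the Notes allow-list
  { ...GOOD, UserName: undefined },                // field absent from the POST entirely
];

console.log(fieldsOK(GOOD));
for (const f of BYPASSED) console.log(fieldsOK(f), "|", failureReport(f, fieldsOK(f)).logLine);
console.log(htmlEncode("<script>alert(1)</script>"));
```

The allow-list approach (Allowed) is what keeps Notes safe rather than a deny-list of tags: the `<script>` submission is rejected before it is ever stored, and htmlEncode is still applied on output as the second line of defence, because the failed value is echoed back.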