malevolent form variables

OK, I know of bad things that can happen when form variables are displayed
without filtering for HTML tags, but how can the contents of a form variable
take control of VB script code execution and delete a variable that contains
those contents plus other text?

I have a form-processing ASP page (VB script) that emails some form
variables using a component. The gist is something like this:

' build a variable that appears on the page:

items = Request.Form("item1") & "<br>" & Request.Form("item2")

' modify it for the email message:

mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Given the above, even if the form is submitted with no data by user at IP
99.99.99.99, the email message should still be:

Items:

99.99.99.99

BUT recently, someone began submitting form data such that I received
totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
thusly:

emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Now when this person submits form data, the email DOES contain the length of
emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
the length of emailbody is ZERO! It sure looks like something in the form
variables is doing some dirty work.

IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
is being submitted from the local form. How can this be happening?

nf
nutso fasst [ Mon, 21 January 2008 03:33 ] [ ID #1913206 ]

RE: malevolent form variables

"nutso fasst" wrote:

> OK, I know of bad things that can happen when form variables are displayed
> without filtering for HTML tags, but how can the contents of a form variable
> take control of VB script code execution and delete a variable that contains
> those contents plus other text?
>
> I have a form-processing ASP page (VB script) that emails some form
> variables using a component. The gist is something like this:
>
> ' build a variable that appears on the page:
>
> items = Request.Form("item1") & "<br>" & Request.Form("item2")
>
> ' modify it for the email message:
>
> mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
> & Request.ServerVariables("REMOTE_ADDR")
>
> Given the above, even if the form is submitted with no data by user at IP
> 99.99.99.99, the email message should still be:
>
> Items:
>
> 99.99.99.99
>
> BUT recently, someone began submitting form data such that I received
> totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
> thusly:
>
> emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
> mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
> & Request.ServerVariables("REMOTE_ADDR")
>
> Now when this person submits form data, the email DOES contain the length of
> emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
> the length of emailbody is ZERO! It sure looks like something in the form
> variables is doing some dirty work.
>
> IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
> is being submitted from the local form. How can this be happening?
>

Does your code contain this line:

On Error Resume Next

If so, remove it and see if that line is generating an error.

--
Anthony Jones - MVP ASP/ASP.NET
AnthonyJones [ Mon, 21 January 2008 13:47 ] [ ID #1913209 ]
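The mechanism behind this suggestion, as an added VBScript example (not code from the thread): when `On Error Resume Next` is in force, a statement that raises a run-time error is skipped, so the variable it would have assigned stays Empty and `Len()` reports 0 while the rest of the script carries on. The array value that makes `Replace` fail is constructed for the demonstration only; the real page reads `Request.Form` values instead.

```vbscript
' Added example (not from the thread). Run with: cscript //nologo masked_error.vbs
' Shows how "On Error Resume Next" silently skips a failing assignment, leaving
' emailbody Empty so that Len(emailbody) is 0 even though an assignment exists.
Option Explicit

Dim items, emailbody

' Case 1: ordinary string input behaves as the thread expects.
items = "widget" & "<br>" & "gadget"            ' constructed form values
emailbody = "Items: " & Replace(items, "<br>", vbNewLine) & vbNewLine
WScript.Echo "Case 1 Len(emailbody) = " & Len(emailbody)

' Case 2: same line with error masking on and input that makes Replace fail.
emailbody = Empty
On Error Resume Next
items = Array("widget", "gadget")               ' constructed bad input: not a string
emailbody = "Items: " & Replace(items, "<br>", vbNewLine) & vbNewLine
' The line above raised a type-mismatch error and was skipped; emailbody was
' never assigned, which is exactly the "length is ZERO" symptom in the post.
WScript.Echo "Case 2 Len(emailbody) = " & Len(emailbody)
WScript.Echo "Case 2 IsEmpty(emailbody) = " & IsEmpty(emailbody)

' Check the Err object immediately after the suspect line rather than letting
' the error be swallowed; this is what removing On Error Resume Next exposes.
If Err.Number <> 0 Then
    WScript.Echo "Masked error " & Err.Number & ": " & Err.Description
    Err.Clear
End If
On Error GoTo 0
```

Case 1 prints a non-zero length; case 2 prints 0, IsEmpty True, and the error description that would otherwise never have surfaced.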

Re: malevolent form variables

"Anthony Jones" <AnthonyJones [at] discussions.microsoft.com> wrote in message
news:10D67E66-E93F-490D-A8AF-4BFF7BB3E2CD [at] microsoft.com...
> Does your code contain this line:
>
> On Error Resume Next

Thanks for the suggestion, but there is no On Error statement.

nf
nutso fasst [ Mon, 21 January 2008 19:54 ] [ ID #1913220 ]
Webserver » microsoft.public.inetserver.asp.general » malevolent form variables
