Clearing forms after submission

Evan

I have a very simple form on a webpage called "form.htm." When the user
submits, it brings them to an ASP page to confirm their submission
("form.asp"). Then the user hits "confirm" and the submission is complete.

I noticed that if I enter "http://mysite.com/form.asp" that I can actually
see the form results. I realize this is a big security hole. How can I
enter a code so that once the user hits the "Confirm" button, it deletes or
clears the form fields or just lists the default values?
 
Andrew Murray


It sounds to me you're using a third-party script that features a "check
your entries" page before clicking the final submit button - this is a
feature of that particular script, not a security issue. If you close the
browser after seeing the final "Thanks" page, it shouldn't be possible to
just browse back to that page with the last submission. If this is a third
party script, you need to contact the author of the script if you're
concerned about the security issue you mention as this really has nothing to
do with FrontPage specifically.

FYI, the Frontpage form processor (server extensions) doesn't have the
middle step of confirming your entries before submitting. All it does have
is an optional "Thank you" page - redirects to a page saying "Your form was
submitted" and you can optionally have it display the data/fields from that
submission - but that's after it's sent, not a "check" before sending.


Can you post a link to the form so we can try it to see if we can replicate
what you're getting?
 
Stefan B Rusynko

Details of your problem can't be figured out from your page link at http://kopool.net/process9.asp
- since the server side code is not visible
But you do have an ASP coding vulnerability that exposes the last record entered
Without seeing the code I can't be certain
- but I am relatively sure that on http://kopool.net/process9.asp your server side code is just picking up the last record from
apparently the CSV file (or a DB) to display
- you are apparently writing the data to a CSV file when the form http://kopool.net/submitpicks.htm is submitted, and then
displaying the last record from the CSV on the confirmation page
(bad practice since anyone can see anyone else's last record data)

What you should be doing is using some sort of session variable or temporary variable
(they will be only valid/available for that user's session and not to anyone else)

The way to do that is:
- the data from http://kopool.net/submitpicks.htm is not written to the CSV file,
(send the form to process9.asp for processing)
- On the processing page, create session or temporary server side variables which are used to display in the confirmation form
fields on http://kopool.net/process9.asp
- only after the submit on the confirm page, then write them to the CSV (or DB file)
(and then clear the session variables if you use them)

Example of a Temp Variable at the top of process9.asp
<%
' page-scope variable: exists only for this request, then discarded
full_name=Request.Form("full_name")
'..... etc
%>
Then in the confirm page form use:
<!-- Server.HTMLEncode so a value containing quotes or tags cannot break out of the attribute -->
<input type="text" name="full_name" value="<%=Server.HTMLEncode(full_name)%>">

Example of a Temp Session Variable
<%
' session variable: visible only to this user's session, until it is cleared
Session("full_name")=Request.Form("full_name")
'..... etc
%>
Then in the confirm page form:
<input type="text" name="full_name" value="<%=Server.HTMLEncode(Session("full_name"))%>">


--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
_____________________________________________


| Andrew - Thank you for the quick reply. You are correct so far. Here is the
| link. Hopefully, you can figure this out. The original submission page can
| be found by going to the Submit Picks link.
|
| http://kopool.net/process9.asp
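The steps Stefan lists can live in a single process9.asp that handles both requests. The following is an added example, not Stefan's code and not the code running on kopool.net: it assumes two form fields named full_name and picks, a hidden field named action that the confirm form posts, and a placeholder CSV_PATH. The first request (from submitpicks.htm) only copies the posted values into the user's Session and shows a read-only confirm form; the second request (action=confirm) writes the CSV row from the Session values and then removes them.

```asp
<%@ Language="VBScript" %>
<% Option Explicit %>
<%
' process9.asp, two-step confirm flow (added example, not the poster's code).
' First request:  submitpicks.htm POSTs the picks here; they are copied into this
'                 user's Session and echoed back in a read-only confirm form.
' Second request: the confirm form POSTs action=confirm; only now is a row written
'                 to the CSV, and the pending Session values are removed.
' Assumed names: form fields full_name and picks; CSV_PATH is a placeholder.
Const CSV_PATH = "D:\data\picks.csv"   ' placeholder: keep the file outside the web root
Dim fields
fields = Array("full_name", "picks")

If Request.Form("action") = "confirm" Then
    ' The row is built from Session, not from the confirm POST, so an edited confirm
    ' request cannot change what was previewed, and a direct request to this page
    ' with nothing pending writes nothing and shows nothing.
    If Len(Session("pending_full_name")) = 0 Then
        Response.Write "<p>Nothing to confirm.</p>"
    Else
        AppendCsvRow
        ClearPending
        Response.Write "<p>Your picks were submitted.</p>"
    End If
Else
    StorePending
    ShowConfirmForm
End If

Sub StorePending()
    Dim i
    For i = 0 To UBound(fields)
        Session("pending_" & fields(i)) = Request.Form(fields(i))
    Next
End Sub

Sub ClearPending()
    Dim i
    For i = 0 To UBound(fields)
        Session.Contents.Remove "pending_" & fields(i)
    Next
End Sub

Sub ShowConfirmForm()
    Dim i
    Response.Write "<form method=""post"" action=""process9.asp"">"
    For i = 0 To UBound(fields)
        ' HTMLEncode: a value containing quotes or tags must not break out of the attribute
        Response.Write "<p>" & fields(i) & ": <input type=""text"" name=""" & fields(i) & _
            """ value=""" & Server.HTMLEncode(Session("pending_" & fields(i))) & """ readonly></p>"
    Next
    Response.Write "<input type=""hidden"" name=""action"" value=""confirm"">"
    Response.Write "<input type=""submit"" value=""Confirm""></form>"
End Sub

Sub AppendCsvRow()
    Dim fso, f, i, row
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(CSV_PATH, 8, True)   ' 8 = ForAppending, True = create if missing
    row = ""
    For i = 0 To UBound(fields)
        If i > 0 Then row = row & ","
        ' quote every cell and double embedded quotes so commas or quotes in input stay in one cell
        row = row & """" & Replace(Session("pending_" & fields(i)), """", """""") & """"
    Next
    f.WriteLine row
    f.Close
End Sub
%>
```

Because the pending values are keyed to the visitor's own session cookie, someone who types the process9.asp URL into a fresh browser lands in the "Nothing to confirm" branch rather than seeing the last record written to the CSV, which is the exposure Stefan describes. The read-only confirm form posts only the action flag; the values written come from Session, so the preview and the stored row cannot differ.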
 
Evan

Thanks Stefan...this looks like quite a bit of work. For the short-term
would an automated page refresh (e.g. after 30 seconds) work? Or would that
just result in the page refreshing but the form results would still show?

 
Thomas A. Rowe

If your page is set to automatically display the last record saved, then refreshing will always
display the last record, which could be a new record if someone else has submitted an application a few
seconds after the first person.

--
==============================================
Thomas A. Rowe
Microsoft MVP - FrontPage
http://www.Ecom-Data.com
==============================================


 
Evan

This was very helpful!! Thank you so much!

But all I need now is to know how to clear the session once the submit
button is hit. I noticed if I close the window and type in the URL, the
fields are blank on process9.asp (like we want it to be). But if I hit the
"Back" button, it's still visible. I guess to make this as clean as possible,
is there additional script I should be entering?

 
Thomas A. Rowe

At the very end of the process9.asp page (after the closing </html> tag) add:

<%
' discards this user's session and its variables once the page has finished rendering
Session.Abandon
%>

See:
http://www.w3schools.com/asp/asp_ref_session.asp

--
==============================================
Thomas A. Rowe
Microsoft MVP - FrontPage
http://www.Ecom-Data.com
==============================================


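Session.Abandon takes care of the server side: it is queued when called and applied after the current page finishes, so the confirmation fields still render from Session on that request and the next request starts with an empty session. The "Back" button case Evan describes is different: the browser is redisplaying its own cached copy of the page, which no server-side variable can erase. The following is an added example (not Thomas's code) of the page skeleton with cache headers added at the top; it assumes a classic ASP page with output buffering at its default setting.

```asp
<%@ Language="VBScript" %>
<%
' Top of process9.asp (added example, not the poster's code).
' Headers must be sent before any HTML, so they go at the very top, unlike
' Session.Abandon, which belongs at the bottom as Thomas suggests.
Response.Expires = -1                                   ' already expired for older clients
Response.AddHeader "Cache-Control", "no-store, no-cache, must-revalidate"
Response.AddHeader "Pragma", "no-cache"
%>
<html>
<body>
<!-- confirmation markup goes here; values still come from Session on this request -->
</body>
</html>
<%
' Runs after the body has been generated. The session is only torn down once the
' script ends, so nothing above is affected; the next request gets a fresh session.
Session.Abandon
%>
```

Cache-Control: no-store tells the browser not to keep a copy of the response, which covers the reload and "type the URL again" cases reliably; history navigation with Back is honoured by most browsers but not guaranteed by every one, which is why the session-based flow (server never re-displays stored data on a plain request) matters more than the headers.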
 
Evan

Thanks again!!!!

 
