How to secure a 'mail page' after submitting a reco
Posted 21 Dec 2004 02:50:21
21 Dec 2004 02:50:21 Berry van Elk posted:
For different forms I'm using the Smart Mailer component to email the submitted data to different receivers. After submitting, the template for this mail page is triggered by a variable in the querystring URL, something like mail_page.asp?form_id=3. How can I secure this page, not with a login code but with maybe a good 'If statement'?
The mail_page should only function when the form is submitted, not when someone guesses the URL and requests it themselves.
Replies
Replied 21 Dec 2004 13:45:41
21 Dec 2004 13:45:41 Lee Diggins replied:
Hi Berry
You'd be best off doing a mixed check for the form_id name/value pair in the querystring and an http_referer check, something like:
<%
Dim strRef, strReferer, strSubmit, strForm, strOut
strReferer = Request.ServerVariables("HTTP_REFERER") ' the calling page URL
strRef = "form.asp" ' you could build the entire URL here using URL servervariable
strForm = Request.QueryString("SubmitMe") ' the form submit button name
strSubmit = "Submit" ' the form button value
' Redirect unless the submit value matches AND the referer contains the form page name
If (NOT strForm = strSubmit OR NOT InStr(1, strReferer, strRef, 1) > 0) Then
    Response.Redirect(strRef & "?err=1")
Else
    strOut = strReferer & "<BR>" & strForm ' or a call to the db to display the results
End If
%>
This is just an example, the IF statement being the important part here. Try playing with it, matching the form items. It'll check that the form has been submitted and check that the submitting page is the one you specify; if it doesn't match both, then the page will redirect back to the form page.
If unsure, post back your form code and page name and I'll make the changes for you.
Digga
Sharing Knowledge Saves Valuable Time!!!
Replied 21 Dec 2004 17:39:14
21 Dec 2004 17:39:14 Berry van Elk replied:
I tried your example and it worked for a simple form. But when you are using an external mailpage template in Smartmailer, it requests something like mailpage.asp?user_id=4.
The problem with the script below is that HTTP_REFERER is empty. I think this has something to do with the way Smartmailer requests the mailpage. Is there another solution for this?
On a normal submit page the script is working fine!
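The Referer header is supplied by the client and, as the last post reports, can be empty, so an alternative is for the form handler to append a signed, expiring token to the mail page URL and for the mail page to verify it. The code below is an added example, not from the thread or from Smart Mailer, written in Python to stay self-contained; the `ts` and `sig` parameter names, the key and the function names are assumptions, as is the ability to add query parameters to the mail page URL.

```python
import hashlib
import hmac
import time

# Constructed key for this example; keep the real one in server-side config only.
SECRET_KEY = b"constructed-example-key"
MAX_AGE_SECONDS = 300  # lifetime of a link issued by the form handler


def _sign(form_id, ts):
    """HMAC-SHA256 over the exact strings that travel in the query string."""
    msg = f"{form_id}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def build_mail_page_query(form_id, now=None):
    """Form handler side: query parameters for mail_page after a real submit."""
    ts = str(int(time.time() if now is None else now))
    return {"form_id": form_id, "ts": ts, "sig": _sign(form_id, ts)}


def is_authorized(query, now=None):
    """Mail page side: accept only requests carrying a valid, fresh signature."""
    form_id = query.get("form_id")
    ts = query.get("ts")
    sig = query.get("sig")
    if not (form_id and ts and sig):
        return False  # a guessed URL such as ?form_id=3 has no token
    if not (ts.isascii() and ts.isdigit()):
        return False  # reject non-canonical timestamps before parsing
    age = (time.time() if now is None else now) - int(ts)
    if age < 0 or age > MAX_AGE_SECONDS:
        return False  # issued in the future or expired
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    return hmac.compare_digest(_sign(form_id, ts).encode(), sig.encode())


if __name__ == "__main__":
    q = build_mail_page_query("3")
    print("issued link accepted:", is_authorized(q))
    print("guessed URL accepted:", is_authorized({"form_id": "3"}))
```

A link captured within the validity window can still be replayed until it expires, so keep `MAX_AGE_SECONDS` short.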