PDA

View Full Version : asp



pageblair
08-25-2006, 04:43 PM
first time setting up asp form page,I have form submission and results pages set on server still cant get them to jive.looking to send to email,should the form be on the submission page? and should post go to results page?....john

codeexploiter
08-28-2006, 06:31 AM
Hi,

If you want to use a form to accepts the To Address, Message Body, etc from a user through a form, you can do it in two ways:

1. Using a single file that has both ASP code as well as the HTML form code.

2. Using multiple files - In this case there will be an HTML interface (FORM) file through the user will enter their details and when they press submit button then the background file will start the processings for sending the email based on the details entered by the user in the interface file.

I am following the seond approach which is more simple compared to the first one


ASP Code
-------------

'This is the ASP Code for sending a mail which is based on the value coming from an interface file
'This code helps you to send an email using a remote server
'file name - sendMailRemote.asp

<script language="VBScript" runat="server">

'Hope you've performed all the client-side validation in your HTML interface file
Dim from, to, message, subject

'storing the user entered values into variables
from = Request.Form("from")
to = Request.Form("to")
message = Request.Form("message")
subject = Request.Form("subject")

Dim mailObject

Set mailObject= Server.CreateObject("CDO.Message")

mailObject.Subject= subject

mailObject.From = from
mailObject.To = to

'The following line will treat this as a text email message.
'If you want to send an HTML based email then you must use the following line which i commented here
'In HTML email you can have HTML tags on the messages
'mailObject.HTMLBody = message

mailObject.TextBody= message


mailObject.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

'Specify the SMTP server name or its IP Address which you want to use while sending the email
mailObject.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.server.com"

' Specify the Server port on which the SMTP server is listening in the above mentioned server
mailObject.Configuration.Fields.Item ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

mailObject.Configuration.Fields.Update

mailObject.Send

set mailObject=nothing

</script>

The second script is as follows


<%
'file: sendMail.asp

Dim mailObject
Dim from,to,subject,message

'storing the user entered values into variables
from = Request.Form("from")
to = Request.Form("to")
message = Request.Form("message")
subject = Request.Form("subject")



Set mailObject= Server.CreateObject("CDO.Message")

mailObject.Subject=subject

mailObject.From = from

mailObject.To = to

'The following line will treat this as a text email message.
'If you want to send an HTML based email then you must use the following line which i commented here
'In HTML email you can have HTML tags on the messages
'mailObject.HTMLBody = message

mailObject.TextBody = message

mailObject.Send

set mailObject=nothing
%>
Plz check a skelton of the HTML interface you can use to test this application


<form method="post" action="sendMailRemote.asp">
From <input type="text" name="from"><br>
to <input type="text" name="to"><br>
subject <input type="text" name="subject"><br>
Message<Textarea name="message" rows="10" cols="50"></textarea><br>
<input type="submit" name="submit" value="send">
</form>
Please keep it in mind that you can specify the ASP file name in which you have the mail sending ASP code
Please embed some client-side scripts for the validation of the fields before sending the mail

mwinter
08-28-2006, 11:22 AM
... I have form submission and results pages set on server still cant get them to jive.looking to send to email,should the form be on the submission page? and should post go to results page?

That's the general idea, yes.

Please include a more complete description of the problem (including relevant code) if you're still having problems. Also, please use a better subject next time: you're posting to the ASP forum, so it's a fair guess that that's the language you're using. Something like "Cannot get data from form submission" or "Cannot send e-mails" should be the minimum information.




'Hope you've performed all the client-side validation in your HTML interface file

I'd hope you'd post code that performed server-side validation. As it is, it looks like what you've posted is the perfect spam relay. Then again, I can't find an object that exposes the interface you're trying to use (I have a reference for two CDO versions, and neither has From or To properties).

Mike

codeexploiter
08-28-2006, 11:49 AM
posted by: MWinter
I can't find an object that exposes the interface you're trying to use (I have a reference for two CDO versions, and neither has From or To properties).

CDOSYS is the successor of CDONTS, Microsoft has discontinued CODNTS in Windows XP. So using CDOSYS we can send emails from the web pages. If you want to find more details about this, you can explore MSDN library.

mwinter
08-29-2006, 11:16 AM
CDOSYS is the successor of CDONTS, Microsoft has discontinued CODNTS in Windows XP. So using CDOSYS we can send emails from the web pages. If you want to find more details about this, you can explore MSDN library.

I did have the documentation, I just didn't look quite in the right place. Anyway, that's irrelevant: the only reason I wanted to check was to see what checking Microsoft did, but there is no explicit description. At most, it might check for conformance with the RFC 822 grammar.

The original point remains: anyone that could access this document could use it to send any mail to any recipient.

Mike

codeexploiter
08-30-2006, 06:17 AM
Hi mike,


The original point remains: anyone that could access this document could use it to send any mail to any recipient.

It is very difficult to show how users can send mails using remote servers in ASP without facing that fact i think.

I've mentioned two scripts in my response

One using a a local SMTP server

One using a remote server.

Yes the problem still exists, I agree, But i think anyone who knew how to send mail can perform spamming if they wish i think but the response was just for the sake of information nothing else.

I am very keen to learn a method using which we can prevent spamming using a remote server, if you can provide

mwinter
08-30-2006, 02:59 PM
It is very difficult to show how users can send mails using remote servers in ASP without facing that fact i think.

Particularly when the person asking questions gives as little information as the OP did.



I am very keen to learn a method using which we can prevent spamming using a remote server, if you can provide

Well, a remote SMTP server should protect itself against spamming. It has two choices: authentication, and IP filtering. My ISP used to use the latter, restricting only its own customers (for which it knew the IPs, obviously) from accessing the server. They've now shifted to standard authentication techniques so that the server can be accessed from other machines, and to protect against trojans or virii that might target the machines of ISPs like mine.

What I was actually concerned about was the fact that the code you posted allows the submitting user to specify whatever To and From values they wish. There's also no frequency controls; the user can submit any amount of mail as often as they like.

I wouldn't personally write a form mail system. Modifying an existing, secure package might be a different matter, but I wouldn't like to risk me overlooking an issue and opening up a mail server to attack.

Mike

codeexploiter
08-31-2006, 03:34 AM
posted by MWinter

What I was actually concerned about was the fact that the code you posted allows the submitting user to specify whatever To and From values they wish. There's also no frequency controls; the user can submit any amount of mail as often as they like.


Yes it does allow spamming in this case but it is a reality that anybody with a little knowledge in ASP and messaging systems can perform spamming. But you've mentioned two methods for restricting spammer using SMTP servers in your post.

Thanks a lot for the information since I am working as a developer, not involved with the security mechanisms using for these kind of things.

I would be greatful for these kind of information in the future also.

--Code Exploiter