views:

380

answers:

4

Hi there,

I've got a simple form that enables users to enter a promotional code and email address to be signed up to an email as follows. But at present it doesn't validate the email correctly.

There is an include file doreferral.asp that checks to see if the code they entered exists in a table of promotional codes and also checks to see if the email address already exists.

I have added emailValidate to check to see if the email address is valid and, if not, tell the user in the <%=sys_message%>.

However, it's currently stopping genuine emails so the validation isn't working. :S

My doreferral.asp looks like this:

<%
    Code      = replace(request.Form("Code"),"'","")
    Email  = replace(request.Form("Email"),"'","")

    sys_message = ""
    submission = ""

    ''//Check the submitted code against existing ones in the database
    set conn = server.CreateObject("ADODB.connection")
    conn.open(application("DATABASE"))
    qs = "SELECT COUNT(AgentReferralCode) AS 'CountCodes' FROM Customers WHERE AgentReferralCode = '" & Code & "'"
    set rs = conn.Execute(qs)

    CountCode = rs("CountCodes")

    set rs = nothing
    conn.close
    set conn = nothing

    If(CountCode < 1) Then
     sys_message = sys_message & "<p class='err'>The agent code does not exist.</p>"
    End If

    ''//Check to see if the email address is valid
    Dim emailValidate
    emailValidate = 0 'Initializing goby to 0

    ''//if the len is less than 5 then it can't be an email
    ''//(i.e.: [email protected])
    If Len(session("Email")) <= 5 Then
        emailValidate = 1
    End If

    If InStr(1, session("Email"), "@", 1) < 2 Then
        'If we find one and only one @, then the
        'email address is good to go.
        emailValidate = 1
    Else
        If InStr(1, session("Email"), ".", 1) < 4 Then
            'Must have a '.' too
            emailValidate = 1
        End If
    End If

    If emailValidate <> 0 Then
        sys_message = sys_message & "<p class='err'>The email address is not valid.</p>"
    End If

    ''//Check the submitted email against existing ones in the database
    set conn = server.CreateObject("ADODB.connection")
    conn.open(application("DATABASE"))
    qs = "SELECT COUNT(ReferredEmail) AS 'Count' FROM TenantReferral WHERE ReferredEmail = '" & Email & "'"
    set rs = conn.Execute(qs)

    countEmail = rs("Count")

    set rs = nothing
    conn.close
    set conn = nothing

    If(countEmail >= 1) Then
     sys_message = sys_message & "<p class='err'>This email address has already been referred.</p>"
    End If 

    ''//Only Process the SQL if there is no sys_message
    If(sys_message = "") Then

     SQLfields = SQLfields & "ReferredCode, "
     SQLvalues = SQLvalues & "'"& Trim(Code) &"', "
     SQLfields = SQLfields & "ReferredEmail"
     SQLvalues = SQLvalues & "'"& Trim(Email) &"'"

     SQL = SQL & "INSERT into TenantReferral ("& SQLfields &") VALUES ("& SQLvalues &")"
     'response.Write(SQL)

     set conn = server.CreateObject("ADODB.connection")
     conn.open application("DATABASE")
     SET rs = conn.execute(SQL)

     [Send email code]


     sys_message = sys_message & "<p class='ok'>Thank you for your referral.</p>" 
     submission = "ok"
     'response.Redirect("referral.asp")
    End If
%>

I wondered if anyone might be able to help debug the emailValidate functionality to check if the email address is valid?

Thank you.

A: 

Here's a page that has a sample email regular expression validator: http://www.codetoad.com/asp_email_reg_exp.asp. You should be able to use something like that to suit your needs.

And another thing -- you'll want to look at using parameterized SQL queries; currently your command is vulnerable to SQL injection because you just append Code and Email to the query strings.

Kaleb Brasee
+1  A: 

Hi Neil,

Please check this link: Email Address Validation

HTH

Rubens Farias
Thanks Rubens. I've updated the question to help find out why the validate code that I have added is not working.
Neil Bradley
+1  A: 

Something like this does basic regex validation. You can get fancier and do dns lookups but for most purposes this is enough:

  Function validate(eaddr)
      Dim isValidE
      Dim regEx

      isValidE = True
      Set regEx = New RegExp

      regEx.IgnoreCase = False

      ' one local part, an @, a domain and a 2-6 character top-level label
      regEx.Pattern = "^[-+.\w]{1,64}@[-.\w]{1,64}\.[-.\w]{2,6}$"
      isValidE = regEx.Test(eaddr)

      validate = isValidE
  End Function

Regex borrowed from here: http://tiffanybbrown.com/2006/12/12/a-better-regex-pattern-for-matching-e-mail-addresses/

brendan
A: 

There are a few things that concern me here.

  1. You don't explicitly put the form("email") value into session, yet you're trying to use it later in the script. Perhaps you've omitted that part of the code for brevity, I don't know.

  2. You use the variable "emailValidate" and set it to 0 (i.e. false), but make it 1 (true) when the validation fails. This seems like bad variable naming to me. "fail" should be False, "pass" should be True.

  3. As pointed out above, for the love of your database and all those tasty little live email addresses, please refactor your code to avoid SQL injection!

  4. Your comments state that you're looking for just one @ sign, but your code is saying that if you find just one @ sign then emailValidate = 1 (fail (in your code)) -- which leads me to think your own variable naming has confused you!

I don't know how long you've been coding in ASP so I'm loath to come across as too sanctimonious, but this coding approach just isn't right. It's long-winded and confused. The ideal solution has already been suggested: use a Regex and a little helper function into which you pass the email address and which just returns True or False...

Cirieno
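Pulling together Kaleb's point about parameterized queries and Cirieno's points 1, 2 and 4, here is an added example (not code from the question or from any of the answers) of how doreferral.asp could be restructured: every query goes through ADODB.Command with the user-supplied values bound as parameters, and the email check is a helper that returns True or False. Table and column names are the ones from the question and the regex pattern is the one from brendan's answer; it is assumed that application("DATABASE") holds a usable ADO connection string, and the `[Send email code]` step is left out.

```vbscript
<%
' Added example: parameterized ADO queries plus a True/False email helper.
' Assumes application("DATABASE") is an ADO connection string (as in the question).

' ADO constants spelled out so no adovbs.inc include is needed
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

' Returns True when the address matches a simple e-mail pattern, False otherwise.
' Pass/fail is the return value, so the caller never has to remember that 1 means "bad".
Function IsValidEmail(addr)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "^[-+.\w]{1,64}@[-.\w]{1,64}\.[-.\w]{2,6}$"
    IsValidEmail = re.Test(addr)
End Function

' Runs SELECT COUNT(*) FROM <table> WHERE <column> = ? with the value bound as a
' parameter, so quotes or SQL keywords in the value are treated as data, never as SQL.
' table and column are code constants chosen by the caller, never request input.
Function CountMatches(conn, table, column, value)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT COUNT(*) AS N FROM " & table & " WHERE " & column & " = ?"
    cmd.Parameters.Append cmd.CreateParameter("p0", adVarChar, adParamInput, 255, value)
    Set rs = cmd.Execute
    CountMatches = CLng(rs("N"))
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Inserts the referral with both values bound as parameters.
Sub InsertReferral(conn, code, email)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO TenantReferral (ReferredCode, ReferredEmail) VALUES (?, ?)"
    cmd.Parameters.Append cmd.CreateParameter("p0", adVarChar, adParamInput, 255, code)
    cmd.Parameters.Append cmd.CreateParameter("p1", adVarChar, adParamInput, 255, email)
    cmd.Execute
    Set cmd = Nothing
End Sub

Dim Code, Email, sys_message, submission, conn

' Read the posted fields directly (the original looked in session, which was never set).
' Stripping quotes is no longer needed because the values are never spliced into SQL text.
Code  = Trim(Request.Form("Code"))
Email = Trim(Request.Form("Email"))
sys_message = ""
submission  = ""

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open application("DATABASE")

If CountMatches(conn, "Customers", "AgentReferralCode", Code) < 1 Then
    sys_message = sys_message & "<p class='err'>The agent code does not exist.</p>"
End If

If Not IsValidEmail(Email) Then
    sys_message = sys_message & "<p class='err'>The email address is not valid.</p>"
ElseIf CountMatches(conn, "TenantReferral", "ReferredEmail", Email) >= 1 Then
    sys_message = sys_message & "<p class='err'>This email address has already been referred.</p>"
End If

' Only write to the database when every check passed
If sys_message = "" Then
    InsertReferral conn, Code, Email
    sys_message = "<p class='ok'>Thank you for your referral.</p>"
    submission  = "ok"
End If

conn.Close
Set conn = Nothing
%>
```

The duplicate-email lookup is only run when the address passed validation, so a malformed address produces one error message rather than two, and the single connection is opened once and closed at the end instead of being reopened for each query as in the original script.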