ASP page crashed if form field has ' and REPLACE word

SABhatti

I have an asp page wich submit two fields, title and contents. Now if user type single code ('), or semi-colon (;) and replace (the word REPLACE) then on submitting the form, page crashes. Any help please.. Note: it is working fine on development server (win 2003) but crashing on production server (win 2000) -----

Guffa

Could you specify "crashes"? Does the page look different? Do you get an error message? Does the web server crash?

--- "Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works. Anything that's invented between when you're fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it. Anything invented after you're thirty-five is against the natural order of things." -- Douglas Adams

SABhatti

well, here is the sample text in text area .... 1) you'll send your blood glucose level up higher than you expected; 2) you'll fill up but without the nutrients that come with vegetables and grains; and 3) you'll gain weight. So, don't pass up a slice of birthday cake. Instead, eat a little less bread or potato, and replace it with the cake. Taking a brisk walk to burn some calories is also always helpful. ... when I post back, it displays page cannot be found (generic error) this is an classic ASP. It does not even go to Request.Form section.. If I remove the single quotes and semi-colons then it works.. OR if remove REPLACE word then also it works..

-----

Guffa

SABhatti wrote:

when I post back, it displays page cannot be found (generic error) this is an classic ASP.

Do you really get an http 404 error? That seems very unlikey, as the existance of the page doesn't change with what you send to it. Could you quote some of the actual error message? Have you disabled "friendly http errors" in the browser so that you see the actual error message?

--- "Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works. Anything that's invented between when you're fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it. Anything invented after you're thirty-five is against the natural order of things." -- Douglas Adams

SABhatti

sorry it says PAGE CANNOT BE DISPLAYED.. click on refresh butoon, check you lan settings etc.. Well one thing that I did is to remote into the web server and browse it locally. Locally it works fine. But when I am trying to browse it from outside, it crashes. -- modified at 15:09 Friday 19th October, 2007

-----

Guffa

I guess it's no on the question about "friendly http errors", then. Fix that, so that you see the actual error message. Without a proper error message, it's just guesswork.

--- "Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works. Anything that's invented between when you're fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it. Anything invented after you're thirty-five is against the natural order of things." -- Douglas Adams

SABhatti

I have checked the configuration on IIS, and option to send detailed script error is selected. As I mentioned before that it is working fine if I browse it from the actual web server using its IP. But it crashes if I access it from outside. I am also going to check with our firewall administrators. Thanks for your help. -- the weird thing is that it is not giving any error, and this is really an old page in classic ASP, and I don't really know how to catch this exception in classic ASP...

-----

Guffa

Have you disabled "friendly http errors" in the browser so that you see the actual error message?

--- "Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works. Anything that's invented between when you're fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it. Anything invented after you're thirty-five is against the natural order of things." -- Douglas Adams

SABhatti

Well, we figured that it is the firewall. When ever user types REPALCE, FIND, or any word that is also a command in firewall, along with any special character like single quote, semi-colon, or double quote. The firwall take it as command injection and block it. It looks weired. Our firewall guys do not want to disable command injection. They said that we might have to use the SSL on the server. I don't know how correct is that. But on SSL enabled server it works fine. Its definitely not how the browser displays the error. It is the firewall because the firewall does not let me catch any error.

-----

Guffa

What kind of firewall is that? What is the purpose of blocking traffic like that? The firewall can't be access directly with an unauthorised request, can it? Is the protection (?) something that the "firewall guys" have come up with themselves?

--- "Anything that is in the world when you're born is normal and ordinary and is just a natural part of the way the world works. Anything that's invented between when you're fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it. Anything invented after you're thirty-five is against the natural order of things." -- Douglas Adams