@konithomimo Nov 11, 2006 — #It seems you have global variables enabled on your server. Most likely the spam bots are entering the direct URL of the ASP page and sending it the desired info, which is very easy to do. Here is how people do it:
1. Look at the form tag and find the action of the form . . . most likely your ASP page . . . for example purposes let's call it updateComment.asp
2. Now they look at the names of the fields that get inserted into the DB. Those names are what get sent.
3. Enter the direct URL for the action page . . . in our case updateComment.asp . . . and then add the names of the fields and the values to send, thus evading the JS and entering scripts.
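The three steps above, carried out in code, as an added example that is not part of the original thread: scrape the form's action and field names from the page, then build the direct URL a bot would request, with no browser and no JavaScript involved. The HTML form and the page URL are constructed for illustration; updateComment.asp and its field names are the thread's placeholders, not a real site.

```python
"""Build the direct-URL request a spam bot sends, bypassing the form's client-side JS.

Added example, not code from the original thread. The HTML form below is
constructed for illustration; updateComment.asp and its field names are the
thread's placeholder names, not a real page.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


class FormScraper(HTMLParser):
    """Step 1 and 2: collect the action, method and field names of every <form>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "method": str, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            # hidden fields are sent too, so they are kept; buttons carry no data
            name = a.get("name")
            if name and (a.get("type") or "").lower() not in ("submit", "button", "reset"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scrape_forms(html):
    parser = FormScraper()
    parser.feed(html)
    return parser.forms


def direct_url(page_url, form, values):
    """Step 3: the action page called directly with the fields in the query string.
    Every field the form would send is included; fields without a value are sent empty."""
    query = {name: values.get(name, "") for name in form["fields"]}
    return urljoin(page_url, form["action"]) + "?" + urlencode(query)


# Constructed sample: a comment form guarded only by an onsubmit JS check
SAMPLE_PAGE = """
<form name="comment" action="updateComment.asp" method="get" onsubmit="return validate(this)">
  <input type="hidden" name="postID" value="42">
  <input type="text" name="author">
  <textarea name="body"></textarea>
  <input type="submit" name="go" value="Post">
</form>
"""

if __name__ == "__main__":
    form = scrape_forms(SAMPLE_PAGE)[0]
    print(direct_url("http://example.com/blog/comments.asp", form,
                     {"postID": "42", "author": "bot", "body": "hello"}))
```

The onsubmit handler never runs because nothing submits the form; the bot only needs the action and the field names, which are visible in the page source.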
@konithomimo Nov 11, 2006 — #Well, I should have been more specific. There are many types of global variables. The ones you are concerned with are called register_globals in PHP . . . I'm not really sure what they are called in ASP. Either way, they are controlled in the configuration files for the server, so you would most likely have to contact the server admin to get it fixed. Most professional servers give users control panels that allow them to disable such variables, or they allow the users to control them via .htaccess files. However, not all servers allow such conveniences.
@konithomimo Nov 11, 2006 — #The other thing you can do is make sure that you have your form method set to _POST, and then have the action page check to see if that method is used. _POST passes the data outside of the URL, and _GET passes the data via the URL. If _GET is used then don't go any further, but if it is via _POST then allow it.
@konithomimo Nov 12, 2006 — #Sorry, the underline is not needed, I am just used to including it because that is how you get the info from a POST method in PHP. As I said, instead of changing your global variables, try using only the POST method. In PHP it is $_POST instead of $_GET, and in ASP it should be request.form().
request.form() gets data from the specified object from a form with method="POST".
If you are using request.querystring() instead then that would be the problem. Simply change it to request.form() and you will not get your data from the querystring, and thus spam bots will not work.
@konithomimo Nov 12, 2006 — #The other thing to remember when getting data from querystrings is that you can prevent a lot of forced data via a direct call by first declaring each variable in your code and giving it an initial value, which can then be changed by request.form().
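The server-side advice from the last three posts (check the method, read fields only from the POST body, declare each variable with an initial value first), as an added example that is not part of the original thread. It is written in plain Python rather than ASP so it runs offline: the request is modelled as a hypothetical dict with the method, the query string and the body, and parse_qs stands in for Request.QueryString and Request.Form. The querystring-style handler next to it shows why the direct-URL trick works against the original page.

```python
"""Querystring-style handler beside the POST-only, form-body-only handler.

Added example, not code from the original thread. Requests are hypothetical
dicts {"method", "query", "body"} so the example runs offline; the field
names are the thread's updateComment.asp placeholders.
"""
from urllib.parse import parse_qs

FIELDS = ("postID", "author", "body")


def _first(parsed, name, default):
    return parsed.get(name, [default])[0]


def handle_querystring_style(request):
    """The problem case. Like Request.QueryString (or register_globals, which
    merges URL and form data into one variable), it accepts whatever arrives in
    the URL, so the direct-URL request is processed like a real submission."""
    params = parse_qs(request["query"], keep_blank_values=True)
    params.update(parse_qs(request["body"], keep_blank_values=True))
    return {name: _first(params, name, "") for name in FIELDS}


def handle_form_only(request):
    """Hardened per the thread: only method="POST" submissions go any further,
    every variable is declared with an initial value, and only the form body
    (Request.Form) may change it. The query string is never consulted."""
    if request["method"].upper() != "POST":
        return None                     # "If _GET is used then don't go any further"
    values = {"postID": "0", "author": "anonymous", "body": ""}   # declared with initial values
    form = parse_qs(request["body"], keep_blank_values=True)
    for name in values:
        if name in form:
            values[name] = form[name][0]
    return values


# Constructed sample requests
BOT_GET = {"method": "GET",
           "query": "postID=42&author=bot&body=buy+now",   # fields smuggled in the URL
           "body": ""}
BROWSER_POST = {"method": "POST",
                "query": "",
                "body": "postID=42&author=alice&body=nice+post"}
POST_WITH_QUERY = {"method": "POST",
                   "query": "author=bot",                  # URL data on a POST is ignored
                   "body": "postID=7&body=hi"}

if __name__ == "__main__":
    print(handle_querystring_style(BOT_GET))    # the bot's comment goes through
    print(handle_form_only(BOT_GET))            # None: rejected before any DB work
    print(handle_form_only(BROWSER_POST))       # alice's comment, from the body only
    print(handle_form_only(POST_WITH_QUERY))    # author stays "anonymous"
```

The third sample request shows why the initial value matters: a field that is missing from the form body keeps its declared default instead of being filled from the URL.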