
I have a web portal based upon a SQL database that we use to update progress. When a record has been updated in the queue the web form is supposed to send an email message.

Currently the web portal is not sending the message, and I am not sure of the point of failure. The portal itself is being updated as I can see the updated record in the SQL table. Just not receiving the email.

Update 04/27/18

So I am trying to attack this from a new avenue, and it is working kind of....

What I have done is send the form off to an external website using PHP, and it will send an email.

What I am wondering is how can I pass variables? I have been reading instructions for an hour, and it just doesn't make sense to me.

Essentially I want to pass one variable from the following query

thequery = "SELECT loginemail FROM users WHERE referrerId = " & request.Form("referrerID")  & ""
objRS.open thequery, objConn, adOpenStatic, adLockReadOnly

and then pass it with something like this

<form action="https://xxxxxx.com/hello.php?loginemail" method="post" name="updateclientform" id="updateclientform">

On the php form side send the email based upon the variable "loginemail"

$to = trim(objRS("loginemail"));

Anyone help? PLEASE

John
  • When in doubt, look at your data. Start with `objRS.recordcount`. Also, if the web page is classic ASP, tag it as such to expand your list of potential answerers. – Dan Bracuk Apr 25 '18 at 16:23
  • I am sorry, but I am not a DBA, I am pretty green when it comes to this stuff... Can you clarify what you are stating I should do? – Thomas Strubinger Apr 25 '18 at 16:58
  • Is this VB.NET? Or is it classic ASP? Looks like it's not ASP.NET to me. – mason Apr 25 '18 at 20:01
  • This is crazy-vulnerable to sql injection attacks :( – Joel Coehoorn Apr 26 '18 at 00:54
  • I inherited it.... after more research last night I believe it to be classic ASP. I also found out, that Microsoft no longer supports CDO I need to convert this to SmtpClient Class, any help? – Thomas Strubinger Apr 26 '18 at 12:00
  • This is Classic ASP and CDO is the standard way of sending emails with Classic ASP. SmtpClient Class is .net, so short of rewriting the entire script in ASP.net you can't convert it. – John Apr 26 '18 at 20:40
  • So I am trying to attack this from a new avenue, and it is working kind of.... What I have done, is sent the form off to an external website using php, and it will send an email. What I am wondering is how can I pass variables? I have been reading instructions for an hour, and it just doesn't make sense to me. – Thomas Strubinger Apr 27 '18 at 13:23
  • As was said earlier, the next step is to look to your data. Make sure your script is getting the values from the database you think it is. Write them to a log file if you have to. And then, before you finish this, go look up how to use [query parameters in classic asp](https://learn.microsoft.com/en-us/sql/ado/reference/ado-api/createparameter-method-ado?view=sql-server-2017). This project isn't done until that **MASSIVE** sql injection hole is closed. – Joel Coehoorn Apr 27 '18 at 13:41
  • On the php side you would need to use the php equivalent of `request.form` to retrieve your variables. I think it's `$_POST` - you'll need something like `$to = $_POST("loginemail")` but you'll need to ask a php developer to check the syntax here – John Apr 27 '18 at 14:24
  • "Currently the web portal is not sending the message" Does this mean once upon a time it _did_ send a message? The obvious question is: what changed? – Nick.Mc Apr 29 '18 at 10:45
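The lookup in the question splices `request.Form("referrerID")` straight into the SQL text, which is the injection hole the comments point at. Below is an added Classic ASP example (not code from the question or from any commenter) of the same `loginemail` lookup done with an `ADODB.Command` and `CreateParameter`, as the linked documentation describes. It assumes `objConn` is an already-open `ADODB.Connection`, that the `users` table and `loginemail`/`referrerId` columns are named as in the question, and that `referrerId` is an integer column; the ADO constants are declared inline so the page does not depend on `adovbs.inc`.

```vbscript
<%
Option Explicit

' ADO constants, declared here so no include file is needed (values from the ADO docs).
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

' Returns the login email for a referrer id, or "" when the input is not a
' whole number in range or no row matches.  Assumes objConn is an open
' ADODB.Connection (hypothetical name, taken from the question).
Function GetLoginEmail(objConn, referrerIdText)
  Dim objCmd, objRS
  GetLoginEmail = ""

  ' Reject anything that is not a plain integer before it reaches the database.
  If Not IsNumeric(referrerIdText) Then Exit Function
  If InStr(referrerIdText, ".") > 0 Then Exit Function
  If Abs(CDbl(referrerIdText)) > 2147483647 Then Exit Function

  Set objCmd = Server.CreateObject("ADODB.Command")
  Set objCmd.ActiveConnection = objConn
  objCmd.CommandType = adCmdText
  ' The ? placeholder is bound to a typed parameter.  The value is sent to the
  ' server separately from the SQL text, so quotes or keywords in the form
  ' field can never change the statement.
  objCmd.CommandText = "SELECT loginemail FROM users WHERE referrerId = ?"
  objCmd.Parameters.Append objCmd.CreateParameter("@referrerId", adInteger, adParamInput, , CLng(referrerIdText))

  Set objRS = objCmd.Execute
  If Not objRS.EOF Then
    ' Append "" so a NULL column yields an empty string instead of an error.
    GetLoginEmail = Trim(objRS("loginemail") & "")
  End If
  objRS.Close
  Set objRS = Nothing
  Set objCmd = Nothing
End Function

Dim loginEmail
loginEmail = GetLoginEmail(objConn, Request.Form("referrerID"))
If loginEmail = "" Then
  ' Nothing found (or bad input): say so without echoing the raw form value.
  Response.Write "No matching record for that referrer."
Else
  ' loginEmail is now a database value, not form input; hand it to the mail routine here.
End If
%>
```

Because the parameter is typed as `adInteger`, a form value such as `1 OR 1=1` is rejected by the `IsNumeric` check before ADO even sees it, and anything that does pass is bound as a number rather than concatenated into the query. Dropping the value into a log line inside `GetLoginEmail`, as the comments suggest, is also the quickest way to confirm whether the lookup is returning the address you expect.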

1 Answer

CDO may not be supported by MS anymore - like Classic ASP itself, but it still works. I would look into setting up a script in your ASP application to send the mail using CDO. That way you can better control any SQL injection threats and manage the whole process in one place.

Here is an example CDO mail script.

<%
'* Declare mailobject variables.
Dim validEmail, email_to, objCDOMail, objConf

Sub SetMailObject()

  '* set up CDO config
  Set objConf=Server.CreateObject("CDO.Configuration")
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "mysmtp.server.com"
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "myusername"
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "mypassword"
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl") = False
  objConf.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout") = 60
  objConf.Fields.Update

  ' Create an instance of the NewMail object.
  Set objCDOMail = Server.CreateObject("CDO.Message")
  Set objCDOMail.Configuration=objConf
End Sub

Sub sendLoginEmail(email_to)

  '* Call Sub to set mail object settings
  SetMailObject()

  '* Set the mail objects
  objCDOMail.From = "myadmin@mydomain.com"
  objCDOMail.To = email_to
  objCDOMail.Bcc = ""
  objCDOMail.Subject = "My mail subject"
  objCDOMail.TextBody = "My email body"

  '* Send the message
  objCDOMail.Send

  '* Set the object to nothing
  Set objCDOMail = Nothing

End Sub

If Request("loginemail") <> "" Then
   validEmail = Request("loginemail")
   '* strongly suggest to perform some cleansing and validation of the email here
   Call sendLoginEmail(validEmail)
End If
%>
Charlie.H
  • 33
  • 6
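The answer's script sends to whatever `Request("loginemail")` contains and leaves the cleansing it recommends as a comment. The following is an added example (not part of Charlie.H's answer) of that validation step: the recipient is checked for line breaks, list separators and a plausible address shape before it is handed to CDO, because a value containing CR/LF, commas or semicolons could otherwise turn one recipient into several or into extra mail headers. The CDO configuration is a trimmed version of the answer's approach with placeholder SMTP values; `SMTP_HOST_PLACEHOLDER`, the credentials and the sender address are assumptions to be replaced with your own.

```vbscript
<%
Option Explicit

' Returns True only for a single, well-formed address with no control characters.
' Suspicious input is refused outright rather than "cleaned", so a rejected value
' can be logged and investigated instead of silently altered.
Function IsValidRecipient(addr)
  Dim re
  IsValidRecipient = False
  If Len(addr) = 0 Or Len(addr) > 254 Then Exit Function
  ' A line break inside an address is how extra headers get injected.
  If InStr(addr, vbCr) > 0 Or InStr(addr, vbLf) > 0 Then Exit Function
  ' A separator would turn one recipient into several.
  If InStr(addr, ",") > 0 Or InStr(addr, ";") > 0 Then Exit Function
  Set re = New RegExp
  re.IgnoreCase = True
  re.Pattern = "^[A-Z0-9._%+-]+@[A-Z0-9-]+(\.[A-Z0-9-]+)+$"
  IsValidRecipient = re.Test(addr)
  Set re = Nothing
End Function

' Builds a CDO.Message with a minimal SMTP configuration.  Host, port and
' credentials are placeholders (assumptions), not settings from the answer.
Function NewMailMessage()
  Dim objConf, objMsg
  Set objConf = Server.CreateObject("CDO.Configuration")
  With objConf.Fields
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTP_HOST_PLACEHOLDER"
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusername") = "SMTP_USER_PLACEHOLDER"
    .Item("http://schemas.microsoft.com/cdo/configuration/sendpassword") = "SMTP_PASSWORD_PLACEHOLDER"
    .Update
  End With
  Set objMsg = Server.CreateObject("CDO.Message")
  Set objMsg.Configuration = objConf
  Set NewMailMessage = objMsg
End Function

' Sends the progress notification only when the recipient passes validation.
' recordId is converted with CLng so only a number ever reaches the body text.
Sub SendProgressUpdate(email_to, recordId)
  Dim objMsg
  If Not IsValidRecipient(email_to) Then
    ' Stop here; do not echo the raw value back into the page.
    Response.Write "Recipient address rejected."
    Exit Sub
  End If
  Set objMsg = NewMailMessage()
  objMsg.From = "myadmin@mydomain.com"   ' assumed sender address
  objMsg.To = email_to
  objMsg.Subject = "Record " & CLng(recordId) & " updated"
  objMsg.TextBody = "Record " & CLng(recordId) & " in the queue has been updated."
  objMsg.Send
  Set objMsg = Nothing
End Sub

' Usage: the address should come from your own database row (see the lookup
' example earlier on this page), not directly from the posted form.
If Request.Form("loginemail") <> "" And IsNumeric(Request.Form("referrerID")) Then
  Call SendProgressUpdate(Request.Form("loginemail"), Request.Form("referrerID"))
End If
%>
```

The regular expression is deliberately strict rather than RFC-complete: an address that the portal's own `users` table produced should always pass, and anything that does not is a sign the value came from somewhere other than that row. Keep the SMTP password out of the `.asp` file itself where you can (an include outside the web root or an application setting), since the answer's inline `sendpassword` is readable by anyone who can read the source.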