The Form collection retrieves the values of form elements posted to the HTTP request body, with a form using the POST method.
Form input is contained in headers. It is wise not to trust the data contained in headers, because malicious users can falsify it. For example, do not rely on data such as cookies to securely identify a user.
As a security precaution, always encode header data or user input before using it. A general method of encoding data is to use Server.HTMLEncode. Alternatively, you can validate header data and user input with a short function such as the one described in Validating User Input to Avoid Attacks. For more detailed information about developing secure Web applications, see chapter 12 of MS Press - Writing Secure Code.
The Form collection is indexed by the names of the parameters in the request body. The value of Request.Form(element) is an array of all the values of element that occur in the request body. You can determine the number of values of a parameter by calling Request.Form(element).Count. If a parameter does not have multiple values associated with it, the count is 1. If the parameter is not found, the count is 0.
To reference a single value of a form element that has multiple values, you must specify a value for the index parameter. The index parameter may be any number between 1 and Request.Form(element).Count. If you reference a form parameter that has multiple values without specifying a value for index, the data is returned as a comma-delimited string.
When you use parameters with Request.Form, the Web server parses the HTTP request body and returns the specified data. If your application requires unparsed data from the form, you can access it by calling Request.Form without any parameters.
When using ASP and posting more than 100 KB of data, Request.Form cannot be used. If your application requires posting data greater than this limit, a component can be written that uses the Request.BinaryRead method.
You can iterate through all the data values in a form request. For example, if a user filled out a form by specifying two values, Chocolate and Butterscotch, for the FavoriteFlavor element, you could retrieve those values by using the following script.
<%
For i = 1 To Request.Form("FavoriteFlavor").Count
    Response.Write Request.Form("FavoriteFlavor")(i) & "<BR>"
Next
%>
The preceding script would display the following.
Chocolate
Butterscotch
You can use this technique to display the parameter name, as shown in the following script:
<% For i = 1 To Request.Form("FavoriteFlavor").Count %>
Request.Form(FavoriteFlavor) = <%= Request.Form("FavoriteFlavor")(i) %> <BR>
<% Next %>
This script displays the following in the browser.
Request.Form(FavoriteFlavor) = Chocolate
Request.Form(FavoriteFlavor) = Butterscotch
Consider the following HTML form:
<FORM ACTION = "/scripts/submit.asp" METHOD = "post">
<P>Your first name: <INPUT NAME = "firstname" SIZE = 48>
<P>What is your favorite ice cream flavor:
<SELECT NAME = "flavor">
<OPTION>Vanilla
<OPTION>Strawberry
<OPTION>Chocolate
<OPTION>Rocky Road
</SELECT>
<P><INPUT TYPE = SUBMIT>
</FORM>
If your form includes multiple objects with the same name (for example, HTML SELECT tags), the item in the Form collection is a comma-delimited list of all the selected values.
From that form, the following request body could be sent:
firstname=James&flavor=Rocky+Road
The following script can then be used:
Welcome, <%= Request.Form("firstname") %>. Your favorite flavor is <%= Request.Form("flavor") %>.
The following output is the result:
Welcome, James. Your favorite flavor is Rocky Road.
In the example above, the user's input is echoed without validation, which could pose a security risk.
For more information, see MS Press - Writing Secure Code.
If the following script is used:
The unparsed form data is: <%= Request.Form %>
The output would be:
The unparsed form data is: firstname=James&flavor=Rocky+Road
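The following is an added example, not code from this page or from IIS: a Python model of the Request.Form behaviour described above (Count, 1-based indexed access, comma-delimited join without an index, Count 0 for a missing element, and the unparsed body), together with a hardened counterpart of the welcome script that HTML-encodes every value before echoing it. The request body is constructed, and ", " as the separator of the comma-delimited string is an assumption.

```python
from html import escape
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample body, as a browser would POST it from the form on this
# page if "flavor" were submitted twice.
SAMPLE_BODY = "firstname=James&flavor=Rocky+Road&flavor=Chocolate"


class FormCollection:
    """Model of the documented Request.Form semantics (not the ASP object)."""

    def __init__(self, raw_body: str):
        self.raw = raw_body                         # Request.Form with no parameters
        self._values = parse_qs(raw_body, keep_blank_values=True)

    def count(self, element: str) -> int:           # Request.Form(element).Count
        return len(self._values.get(element, []))   # 0 when the element is absent

    def get(self, element: str, index: Optional[int] = None) -> str:
        values = self._values.get(element, [])
        if index is None:                           # Request.Form(element)
            return ", ".join(values)                # separator ", " is assumed
        if not 1 <= index <= len(values):           # index must lie in 1..Count
            raise IndexError(f"{element}: index {index} outside 1..{len(values)}")
        return values[index - 1]                    # Request.Form(element)(index)


def render_welcome(form: FormCollection) -> str:
    """Hardened version of the page's welcome script: html.escape stands in for
    Server.HTMLEncode, so markup in the posted values is rendered as text."""
    return (f"Welcome, {escape(form.get('firstname'))}. "
            f"Your favorite flavor is {escape(form.get('flavor'))}.")


if __name__ == "__main__":
    form = FormCollection(SAMPLE_BODY)
    print(form.count("flavor"), form.get("flavor", 1), form.get("flavor"))
    print(render_welcome(form))
    print("The unparsed form data is:", form.raw)
```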
Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.
Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.