The Form collection retrieves the values of form elements posted in the HTTP request body by a form that uses the POST method.
As a security precaution, always encode form input (or any request data) before using it. A general method of encoding data is to use Server.HTMLEncode. Another method is to write a short function that tests request data for invalid characters. More information can be found by reading chapter 12 of Writing Secure Code, and using Checklist: ASP Security when you create your ASP applications.
Request.Form( element)[( index)|.Count]
The Form collection is indexed by the names of the parameters in the request body. The value of Request.Form( element) is an array of all the values of element that occur in the request body. You can determine the number of values of a parameter by calling Request.Form( element).Count. If a parameter does not have multiple values associated with it, the count is 1. If the parameter is not found, the count is 0.
To reference a single value of a form element that has multiple values, you must specify a value for the index parameter. The index parameter may be any number between 1 and Request.Form( element).Count. If you reference one of multiple form parameters without specifying a value for index, the data is returned as a comma-delimited string.
When you use parameters with Request.Form, the Web server parses the HTTP request body and returns the specified data. If your application requires unparsed data from the form, you can access it by calling Request.Form without any parameters.
Note: When more than 100 KB of data is posted to an ASP page, Request.Form cannot be used. If your application requires posting data greater than this limit, a component can be written that uses the Request.BinaryRead method.
You can iterate through all the data values in a form request. For example, if a user filled out a form by specifying two values, Chocolate and Butterscotch, for the FavoriteFlavor element, you could retrieve those values by using the following script.
<%
For i = 1 To Request.Form("FavoriteFlavor").Count
Response.Write Request.Form("FavoriteFlavor")(i) & "<BR>"
Next
%>
The preceding script would display the following.
Chocolate
Butterscotch
You can use this technique to display the parameter name, as shown in the following script:
<%
For i = 1 to Request.Form("FavoriteFlavor").count %>
Request.Form(FavoriteFlavor) = <%= Request.Form("FavoriteFlavor")(i)_
%> <BR>
<% Next %>
This script displays the following in the browser.
Request.Form(FavoriteFlavor) = Chocolate
Request.Form(FavoriteFlavor) = Butterscotch
Consider the following form:
<FORM ACTION = "/scripts/submit.asp" METHOD = "post">
<P>Your first name: <INPUT NAME = "firstname" SIZE = 48>
<P>What is your favorite ice cream flavor: <SELECT NAME = "flavor">
<OPTION>Vanilla
<OPTION>Strawberry
<OPTION>Chocolate
<OPTION>Rocky Road</SELECT>
<P><INPUT TYPE = SUBMIT>
</FORM>
From that form, the following request body could be sent:
firstname=James&flavor=Rocky+Road
The following script can then be used:
Welcome, <%= Request.Form("firstname") %>.
Your favorite flavor is <%= Request.Form("flavor") %>.
The following output is the result:
Welcome, James. Your favorite flavor is Rocky Road.
Caution: In the example above, the user's input is echoed without validation, which could pose a security risk. For more information, see MS Press - Writing Secure Code.
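A hardened version of the submit.asp script above, shown as an added example that is not part of the original documentation: it rejects missing or repeated fields by checking Count, validates flavor against the options the form offers, and passes every echoed value through Server.HTMLEncode. The helper names SingleFormValue and IsAllowedFlavor and the MAX_NAME_LEN limit are hypothetical choices made for this illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Return the field's value only if it was posted exactly once.
' Count is 0 when the field is missing; a repeated field would otherwise
' come back as a comma-delimited string.
Function SingleFormValue(name)
    SingleFormValue = Empty
    If Request.Form(name).Count = 1 Then
        SingleFormValue = Request.Form(name)(1)
    End If
End Function

' Allow-list: accept only the options the form's SELECT offers.
Function IsAllowedFlavor(value)
    Dim allowed, item
    allowed = Array("Vanilla", "Strawberry", "Chocolate", "Rocky Road")
    IsAllowedFlavor = False
    For Each item In allowed
        If StrComp(item, value, vbBinaryCompare) = 0 Then
            IsAllowedFlavor = True
            Exit Function
        End If
    Next
End Function

Const MAX_NAME_LEN = 48   ' assumed limit; SIZE = 48 in the form is display width only

Dim firstName, flavor, ok
firstName = SingleFormValue("firstname")
flavor = SingleFormValue("flavor")

ok = Not IsEmpty(firstName) And Not IsEmpty(flavor)
If ok Then ok = (Len(firstName) > 0 And Len(firstName) <= MAX_NAME_LEN)
If ok Then ok = IsAllowedFlavor(flavor)

If Not ok Then
    Response.Status = "400 Bad Request"
    Response.Write "The submitted form data is not valid."
Else
%>
Welcome, <%= Server.HTMLEncode(firstName) %>.
Your favorite flavor is <%= Server.HTMLEncode(flavor) %>.
<%
End If
%>
```

The SELECT element in the form does not constrain what a client can post, which is why the flavor value is checked again on the server.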
If the following script is used:
The unparsed form data is: <%= Request.Form %>
The output would be:
The unparsed form data is: firstname=James&flavor=Rocky+Road
Note: If your form includes multiple objects with the same name (for example, HTML SELECT tags), the item in the form collection will be a comma-delimited list of all the selected values.
Platforms: Windows 2000 with IIS 5.0 installed, Windows XP with IIS 5.1 installed, Windows Server 2003 family with IIS 6.0 installed