BUG: Assignment of Multi-Valued Objects in Request Object Causes Corruption in Scripting Dictionary (216825)


The information in this article applies to:

  • Microsoft Active Server Pages
  • Microsoft Visual Basic, Scripting Edition 3.0
  • Microsoft Visual Basic, Scripting Edition 4.0
  • the operating system: Microsoft Windows 98
  • the operating system: Microsoft Windows 95
  • the operating system: Microsoft Windows NT 4.0
This article was previously published under Q216825

SYMPTOMS

If items in the Request.Form or Request.QueryString collections that contain multiple values are assigned to a Scripting Dictionary object stored in the Session object, data corruption may occur. Corrupted data will manifest either as empty fields (that is, blank individual dictionary items) or items that contain garbage text.

A common example of this is a checkbox; checkbox controls can have the same name so that multiple values of a single named item can be returned to the server.

CAUSE

When the assignment of a multi-valued item in the Request.QueryString or Request.Form collections to an item in the Scripting Dictionary object takes place without explicitly using the Item property of the object within the collection, a reference to the actual object is stored in the Scripting Dictionary instead of the intended value. This means that when the item stored in the Scripting Dictionary is referenced again, the Scripting Dictionary will refrence an object in the Request.QueryString or Request.Form collections instead of the intended string or integer values.

RESOLUTION

As described in the following article in the Microsoft Knowledge Base, the best workaround is to be sure that the Item property is used whenever the Request item is assigned to a Session-cached Scripting Dictionary object:

216279 BUG: VBScript Can Corrupt Data Stored in Scripting Dictionary Object

The Item property will then return a semi-colon delimited string of text values. However, there is a twist when it comes to using these strings on the client. The most efficient technique uses the VBScript Split() function to move the strings into array elements. See the code in the More Information section below for details.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

To reproduce this problem add the following to your Global.asa file
<OBJECT 
	RUNAT=Server 
	SCOPE=Session 
	PROGID="Scripting.Dictionary" 
	ID=objDict>
</OBJECT>
<SCRIPT LANGUAGE=VBScript RUNAT=Server>

Sub Session_OnStart
	Set Session("objDict") = objDict
	Session("objDict").Add "name", "Enter your name"     
	Session("objDict").Add "phone",""
End Sub

</SCRIPT>

Then add the following to a file named Index.asp:
<html>

<head>

<title>Dictionary Corruption Repro</title>

</head>

<body>
<h1>Dictionary Corruption Repro</h1>

<%
If Request.Form("workAround")="on" Then
	fWorkAround="CHECKED"
Else
	fWorkAround=""
End If

If Not isEmpty(Request.Form("update")) Then
	If fWorkAround="CHECKED" Then
		Session("objDict").Item("name")=Request.Form("txtName").Item
		Session("objDict").Item("phone")=Request.Form("phone").Item
	Else
		Session("objDict").Item("name")=Request.Form("txtName")
		Session("objDict").Item("phone")=Request.Form("phone")
	End If
End If
 
Response.Write("Cached name: " & Session("objDict").Item("name") & "<BR>")
if Session("objDict").Item("phone")="" Then
	varPhone=Array("","")
Else
	varPhone=split(Session("objDict").Item("phone"),", ")
	Response.Write("Cached Phone: " & varPhone(0) & "<BR>")
	Response.Write("Cached Phone: " & varPhone(1) & "<BR>")
end if
%>

<BR>
SessionID: <%=Session.SessionID%>
<BR/>

<form id="testForm" method="post" action="<%=Request.ServerVariables("SCRIPT_NAME")%>">
  Name <input name="txtName" maxlength=30 size=30 value="<%=Session("objDict").Item("name")%>" ><BR>
  Phone 1 <input name="phone" value="<%=varPhone(0)%>"><BR>
  Phone 2 <input name="phone" value="<%=varPhone(1)%>"><BR>
  Use Array workaround <input type="checkbox" name="workAround" <%=fWorkAround%>><BR>
  <input type="submit" value="Update" name="update" title="Call this page with updated information.">
  <input type="submit" value="Refresh" name="refresh" title="Call this page with existing cached information.">
</form>

<hr width="600" align="left">

<div style="width:600">
	<h2>Instructions for repro</h2> 
	By default the workaround checkbox is blank. This means that this repro will use 
	the Request object to populate the Dictionary object.
	<BR/>
	
	This will result in corrupted data in the Dictionary object. The most reliable way 
	to demonstrate this unintended result requires the following steps:
	<ol>
	<li> Open this file in Visual InterDev, then View in Browser.
	<li> Fill in this form and press the Update button. 
	<li> Then return to VID and modify this index.asp file by adding a space between 
	the lines of script. 
	<li> View in Browser again (don't save and manually refresh the page in Internet Explorer; you 
	need to make the data in the Request object stale -- if you hit refresh, you're 
	reusing the original Request object).
	</ol>
	
	You will see no (or corrupted) data in the form (meaning the Dictionary has been corrupted).
	<BR/>
	Now fill out the form again; only this time check the Workaround box. Repeat the same 
	steps as above. This time, the data in the Dictionary is intact.
	<BR/>
	<h2>Explanation</h2>
	This workaround does two things. First, it uses the Item property of the Request 
	object when assigning scalars/strings from the Form to the Dictionary. This corrects a 
	problem in VBScript that will Set an object reference in the Dictionary item even 
	though no Set command was used in this reproduction. This object reference is stored in 
	the Dictionary because VBScript is not making the required IDispatch call to fetch 
	the default (string) property of the Request object, the Item property. This 
	workaround also has the added bonus of making the code a tiny bit faster because 
	one less IDispatch call is made.
	<BR/>
	The second workaround uses a twist on the first workaround. As with scalar values, 
	our second workaround assigns the Item property to Dictionary object for Request 
	objects that use the <b>IStringList</b> interface to return multivalued named items 
	such (as the multiple phone numbers in our repro). Using the Item property results 
	in a string value in the Phone Dictionary item. To fetch these multivalued named 
	items from the Dictionary use the VBScript split() function to expand the string 
	into an array and then use that array in the User Interface script as necessary.
	<BR/>
	Again, the key is to <b>store string values only</b> in the Dictionary object.
	<BR/>
	Note: these bugs apply only to VBScript.
	<BR/>
	<h2>Postscript</h2>
	This bug in VBScript has prompted a fix in ASP.dll as well. It is bad form to store 
	ASP intrinsics in Session or Application scope. ASP has a function called 
	CheckForTombstone() that checks for stale data structures in Session or Application 
	objects and returns an error if found. An example of stale data structure is a 
	Request object from a prior form post. If you need to cache this old data in Session 
	scope, store the data, not the stucture that brought the data up to the server.
	<BR/>
	CheckForTombstone() has now been added to the IStringList interface to ensure that 
	intrinsic objects are not stored there. This fix will also preclude the problem 
	with VBScript described above.
</div>
<BR/>

<hr width="600" align="left">

<BR/>&nbsp;<BR/>

</body>
</html>

REFERENCES

Q156223 BUG: VBScript can corrupt data stored in Scripting Dictionary Object
Modification Type:MajorLast Reviewed:11/26/2003
Keywords:kbbug kbpending KB216825 kbAudDeveloper
©2003 Microsoft Corporation. All rights reserved.