Microsoft KB Archive/216279

= BUG: FIX: VBScript Can Corrupt Data Stored in Scripting Dictionary Object =

Article ID: 216279

Article Last Modified on 2/12/2007

-

APPLIES TO


 * Microsoft Visual Basic, Scripting Edition 3.0
 * Microsoft Visual Basic, Scripting Edition 4.0
 * Microsoft Active Server Pages 4.0
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows 95
 * Microsoft Windows NT 4.0

-



This article was previously published under Q216279



SYMPTOMS
If you assign Request.Form or QueryString items in a Scripting Dictionary object cached in Session scope, you will corrupt your data. Corrupted data will manifest either as empty fields (that is, blank individual dictionary items) or as items containing garbage text.



CAUSE
VBScript does not use IDispatch to fetch the Response object's default property. This results in an object reference being assigned to an Item in the Dictionary (even when the assignment in your script does not use the Set statement). When this object reference is then cached with Session scope, a related bug in Active Server Pages (ASP) doesn't catch and block the object reference (see 216825 "BUG: Assignment of Multi-valued Objects in Request Object Causes Corruption in Scripting Dictionary" for details).



RESOLUTION
The solution is to ensure that only string values are stored in Dictionaries. The most reliable way to ensure only strings are used is to explicitly reference the Item property of all elements in a Request object. Special consideration must be given to multivalued named items as described above (see the code in the MORE INFORMATION section below for an example, and reference 216825 "BUG: Assignment of Multi-valued Objects in Request Object Causes Corruption in Scripting Dictionary".



STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Microsoft Internet Explorer 5.



MORE INFORMATION
To reproduce this problem add the following to your Global.asa file

  

Sub Session_OnStart Set Session("objDict") = objDict Session("objDict").Add "name", "Enter your name" Session("objDict").Add "phone","" End Sub 

Then add the following to a file named Index.asp:

Dictionary Corruption Reproduction

Dictionary Corruption Reproduction

<% If Request.Form("workAround")="on" Then fWorkAround="CHECKED" Else fWorkAround="" End If

If Not isEmpty(Request.Form("update")) Then If fWorkAround="CHECKED" Then Session("objDict").Item("name")=Request.Form("txtName").Item Session("objDict").Item("phone")=Request.Form("phone").Item Else Session("objDict").Item("name")=Request.Form("txtName") Session("objDict").Item("phone")=Request.Form("phone") End If End If Response.Write("Cached name: " & Session("objDict").Item("name") & "") if Session("objDict").Item("phone")="" Then varPhone=Array("","") Else varPhone=split(Session("objDict").Item("phone"),", ") Response.Write("Cached Phone: " & varPhone(0) & "") Response.Write("Cached Phone: " & varPhone(1) & "") end if %>

 SessionID: <%=Session.SessionID%> 

"> Name <input name="txtName" maxlength=30 size=30 value="<%=Session("objDict").Item("name")%>" ><BR> Phone 1 <input name="phone" value="<%=varPhone(0)%>"><BR> Phone 2 <input name="phone" value="<%=varPhone(1)%>"><BR> Use Array workaround <input type="checkbox" name="workAround" <%=fWorkAround%>><BR> <input type="submit" value="Update" name="update" title="Call this page with updated information."> <input type="submit" value="Refresh" name="refresh" title="Call this page with existing cached information.">

<hr width="600" align="left">

Instructions for reproduction By default the workaround check box is blank. This means that this reproduction will use the Request object to populate the Dictionary object. This will result in corrupted data in the Dictionary object. The most reliable way to demonstrate this unintended result requires the following steps: <ol> <li> Open this file in Visual InterDev, then View in Browser. <li> Fill in this form and press the Update button. <li> Then return to Visual InterDev and modify this Index.asp file by adding a space between the lines of script. <li> View in Browser again (don't save and manually refresh the page in Internet Explorer; you    need to make the data in the Request object stale -- if you click refresh, you're     reusing the original Request object). </ol> You will see no (or corrupted) data in the form (meaning the Dictionary has been corrupted). Now fill out the form again only this time check the Workaround box. Repeat the same steps as above. This time, the data in the Dictionary is intact. Explanation This workaround does two things. First, it uses the Item property of the Request object when assigning scalars/strings from the Form to the Dictionary. This corrects a    problem in VBScript that will Set an object reference in the Dictionary item even though no Set command was used in this repro. This object reference is stored in    the Dictionary because VBScript is not making the required IDispatch call to fetch the default (string) property of the Request object, the Item property. This workaround also has the added bonus of making the code a tiny bit faster because one less IDispatch call is made. The second workaround uses a twist on the first workaround. As with scalar values, our second workaround assigns the Item property to Dictionary object for Request objects that use the IStringList interface to return multivalued named items such (as the multiple phone numbers in our repro). Using the Item property results in a string value in the Phone Dictionary item. To fetch these multivalued named items from the Dictionary use the VBScript split function to expand the string into an array and then use that array in the User Interface script as necessary. Again, the key is to store string values only in the Dictionary object. Note: these bugs apply only to VBScript. Postscript This bug in VBScript has prompted a fix in Asp.dll as well. It is bad form to store Active Server Pages (ASP) intrinsics in Session or Application scope. ASP has a function called CheckForTombstone that checks for stale data structures in Session or Application objects and returns an error if found. An example of stale data structure is a    Request object from a prior form post. If you need to cache this old data in Session scope, store the data, not the structure that brought the data up to the server. CheckForTombstone has now been added to the IStringList interface to ensure that intrinsic objects are not stored there. This fix will also preclude the problem with VBScript described above.

<hr width="600" align="left">

<div class="references_section">