Access File System Through Query String Or Parameters?
Feb 11, 2011
I have been given a task of reproducing the issue/testing the unauthorized access to file system through request.param and query string.
For instance, I have something like this: request.querystring("blah");
How could somebody pass "../../../b1/b2" in the query string and access the file system?
This may be related to cross site scripting.
View 1 Replies
Similar Messages:
May 28, 2010
I am working on a website in asp.net mvc. I have to show a view where the user puts some search values like tags and titles to search. I want to use the same Index method for that. I have made my form use FormMethod.Get to send the parameters as a querystring.
[HttpGet]
public ActionResult Index(string title, string tags, int? page)
{
    if (string.IsNullOrEmpty(title))
        return View(null);
[code]...
View 3 Replies
Jun 28, 2010
I am trying to set up a page that has two behaviors. I'm separating them by URL: One behavior is accessed via /some-controller/some-action, the other is via /some-controller/some-action?customize. It doesn't look like the Request.QueryString object contains anything, though, when I visit the second URL... I mean, the keys collection has one element in it, but it's null, not 'customize'. Anyone have any ideas about this or how to enable this? I'd like to avoid manually parsing the query string at all costs :).
View 2 Replies
Dec 29, 2010
I am trying to redirect the user to the login page with ReturnUrl and with the querystring parameters which are already in the URL. But it is getting only the first querystring parameter and not the others. Here is the code:
Response.Redirect("~/login.aspx?ReturnUrl="+Request.RawUrl);
It is showing correctly in login.aspx after the redirect but not returning as per the querystring parameters. I have also tried other methods, e.g.:
Response.Redirect("~/login.aspx?ReturnUrl="+Request.AppRelativeCurrentExecutionFilePath+"?"+Request.QueryString);
View 2 Replies
Jul 13, 2010
In one of my ASP.Net websites, I have to provide a link to the user in which all query string parameters should be encrypted. What I am thinking is to use the command "aspnet_regiis" (as used to encrypt web.config data) and pass the output as a query string inside the published URL. When the user clicks that link, I first decrypt the string and then fetch the original data for the query string. Am I right in doing this? Is there any good technique to encrypt and decrypt query strings?
View 4 Replies
Feb 15, 2010
I just noticed that if my controller has a parameter with a name that matches the name of a field in my view model, and the view emits the value of the model's field, the value emitted is that passed in the query string, not the one set by the controller. Is this by design?
Here is what I mean:
My view model:
public class MyViewModel
{
int id;
string name; [code]....
Sending a request to "create?id=1234" emits "1234" in the hidden field instead of "1".
View 5 Replies
Mar 3, 2011
I am consuming a web service in .aspx with an added web reference that links to http://www.webservicex.net/stockquote.asmx. After this, I can get the result from
WebServiceX.StockQuote ws = new WebServiceX.StockQuote();
String xmlString = ws.GetQuote("XOM");
I am wondering how I can call the web service like GET, http://www.webservicex.net/stockquote.asmx/GetQuote?symbol=XOM+BAC
View 1 Replies
Feb 1, 2010
I'm writing an Asp.Net WebForms app where I am calling an edit page and passing in the data about the record to be edited using query string parameters in the URL. Like:
http://myapp.path/QuoteItemEdit.aspx?PK=1234&DeviceType=12&Mode=Edit
On a previous page in the app, I have presented the user with a GridView of screened items he can edit based on his account privileges, and I call the edit page with the above parameter list, and the page knows what to do.
View 6 Replies
Feb 1, 2010
I'm writing an Asp.Net WebForms app where I am calling an edit page and passing in the data about the record to be edited using query string parameters in the URL. Like:
http://myapp.path/QuoteItemEdit.aspx?PK=1234&DeviceType=12&Mode=Edit
On a previous page in the app, I have presented the user with a GridView of screened items he can edit based on his account privileges, and I call the edit page with the above parameter list, and the page knows what to do. I do NOT do any additional checking on the target page to validate whether the user has access to the passed in PK record value as I planned to rely on the previous page to filter the list down and I would be fine
View 7 Replies
Jan 30, 2010
I have a data grid with a lot of information on it - to easily filter the data, I would like to be able to pass parameters to it. My problem is that I do not want the parameters to be required. So if I just put 1 or 2 of them in the query string, I would like for it to return all of the data related to those two parameters. I am using a data grid & stored procedures. My stored procedure looks like this:
[Code]...
View 1 Replies
Nov 15, 2010
I've written my own StaticSiteMapProvider which builds a dynamic site map. The problem I have is that sometimes pages will have additional parameters in the query string which I need to ignore.
Public Overrides Function FindSiteMapNode(ByVal rawUrl As String) As SiteMapNode
Dim startpos As Integer = 0
Dim endpos As Integer = 0
If rawUrl.Contains("pagetype=") Then
startpos = rawUrl.IndexOf("pagetype=")
endpos = rawUrl.IndexOf("&", startpos) + 1
[code]...
View 1 Replies
Jul 22, 2010
I moved some of my old asp pages to a new aspx website. In all of the old pages I used (for file example.asp):
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location","http://www.domain.com/example.aspx");
The problem is that when the page domain.com/example.asp?param=value&param2=value2 is requested - the redirect ain't working...
View 1 Replies
Jun 19, 2012
I am passing a value from one page to another page using a query string, so tell me an easy way to implement the encrypted query string.
View 1 Replies
Jun 7, 2010
I am new to asp.net programming. I am trying to connect an asp.net web application with an ms access 2007 database. I have two text boxes, and when I enter some data in them and press the submit button the data must load in the access db I created with the same fields.
My code is:
[code]....
Syntax error in string in query expression. What is the correct way of inserting data into an access db, and what is the "Syntax error in string in query expression"?
View 3 Replies
Aug 26, 2012
I have the following Repeater, I need to bind multiple querystring parameters in HREF
<li class="current">
<a href="house.aspx?H_name=all"></a>
<ul>
<asp:Repeater ID="rptMenu" runat="server">
<ItemTemplate>
[code]...
View 1 Replies
Jan 11, 2010
I am building a page which has to search an access table with the text input entered by the user. The thing that is puzzling to me is that the functionality works only when a '%' is explicitly added to the text input at the beginning and end.
If I add '%' programmatically in the code behind file, it does not work.
Code snippet (asp page):
<asp:AccessDataSource ID="AccessDataSourcex" runat="server"
DataFile="~/App_Data/company.mdb"
SelectCommand="SELECT [ID], [emp name] AS emp_name, [emp title] AS emp_title FROM [EmpMain] WHERE ([emp name] like [code]...
//the below line is of no use, the % char has to be in the text input
//txtSearch.Text = "%" + txtSearch.Text + "%";
GridView1.DataBind(); <---- this works fine
<--- this does not work, even if I add % chars programmatically..
My question is: why does it not work when I programmatically add the '%' chars to the search string?
View 3 Replies
Mar 2, 2015
I have a page on my website with access granted to logged in users (I'm using the built in asp.net membership database). This works.
However, when passing a querystring parameter in combination with that url address, the user is denied access.
View 3 Replies
Jul 19, 2010
I will be passing the xml file like this:
[code]....
error:
Error 1 The best overloaded method match for 'System.Xml.Linq.XDocument.Load(string)' has some invalid arguments
cannot convert from 'System.IO.Stream' to 'string'
View 2 Replies
Aug 20, 2010
I'm trying to write a text file from my web page, but every time I'm having this error: System.IO.IOException: The process cannot access the file '.txt' because it is being used by another process. This is my code for writing the file.
Code:
protected void btnSave_Click(object sender, EventArgs e)
{
string serverpath = Server.MapPath(@"\proactivcust.ini");
string mappath = "";
string qbpath = "";
string archpath = "";
string workpath = "";
try
{
System.IO.StreamReader file = new System.IO.StreamReader(serverpath);
[Code.....]
View 9 Replies
Apr 26, 2012
I have an ASP.NET page that I need to have access the local file system. It's an intranet. I need to download a zip file and an executable to a temp location and then run the executable.
Then afterwards, I need to delete the contents via an ASP.NET page.
Is there any way to access the local file system? Generally, I would think this would cause a security concern, but I've seen posts about Silverlight being able to access it.
View 4 Replies
Feb 7, 2011
I am having a clsglobal file in my application. Now when a user requests some page, e.g. with [URL], I want to read the username in the clsglobal file when the user clicks a button in that page. How can I read it?
View 1 Replies
Aug 22, 2010
1. I have a GridView on my page and it uses sqldatasource with parameterized query. What I want to do is, on page load (where nothing has been selected so no parameter supplied), I want it to query everything (something like SELECT * FROM [this_table]) but since my SelectCommand is something like
SELECT * FROM [this_table] WHERE [this_column] = @someParameters AND [that_column] = @someParameters.
Can I play around with default value to achieve something like that but how ? Now, when the page loads, it doesn't show anything (No Gridview).
2. On my page, I made something like (username, gender, address, and more) and one single search button. That means no single control enables auto postback. What I am trying to accomplish is building a dynamic query
(if username specifed -> SELECT * FROM [this_table] WHERE [username] LIKE @username).
If both username and gender are specified (SELECT * FROM [this_table] WHERE [username] LIKE @username AND [gender] = @gender) and you know the rest. How can I do this using GridView and SqlDataSource ? To my knowledge, I can only specify one SELECT statement in a sqldatasource.
View 11 Replies
Nov 12, 2010
If I have an upload control that uploads mp3's to a file on my server and stores user specific information of the uploader in my SQL database, is it possible to output the songs in the mp3 folder to an XML query string or xml file through SQL server management studio?
View 2 Replies
Mar 16, 2010
I am trying to display a local .html file in a web page. The file uses javascript to display some information about my phone. In the executable, I am retrieving two values out of the registry. I would like to pass these values in a query string (I think that is the correct terminology). Something like file://\Program Files\TestTest.html?type=newtype. I have attempted this with using webbrowser.navigate, but that is giving an unhandled exception when it tries to pass the URI string. Obviously, I have no experience with this and am using the wrong method. There has to be a simple way to open a new webpage in a form and pass it this type of string.
How to implement such a function? I have been attempting to implement this with Visual C# using the .net CF for Windows Mobile.
View 2 Replies
Jan 21, 2010
Here is my code for selecting some records from a db table
string strSql = "select * from mtblNBD where SentTo=@SentTo and InternalStatus Is NULL order by DeadLine desc";
SqlCommand com = new SqlCommand(strSql, con);
com.Parameters.Add("@SentTo", SqlDbType.NVarChar, 50).Value = (string)Session["uname"];
Here I am using parameters for the SentTo field but not for NULL, so it is OK... or should I use parameters for this field where the value is NULL? If yes, then how can I use a parameter for this?
View 8 Replies