Access File System Through Query String Or Parameters?

Feb 11, 2011

I have been given a task of reproducing the issue/testing the unauthorized access to file system through request.param and query string.

For instance, I have something like this: request.querystring("blah");

How could somebody pass "../../../b1/b2" in the query string and access the file system?

This may be related to cross site scripting.

View 1 Replies


Similar Messages:

C# - FormMethod - Get And Query String Parameters?

May 28, 2010

I am working on a website in asp.net mvc. I have to show a view where the user puts some search values like tags and titles to search. I want to use the same Index method for that. I have made my form use FormMethod.Get to send the parameters as a query string.

[HttpGet]
public ActionResult Index(string title, string tags, int? page)
{
    if (string.IsNullOrEmpty(title))
        return View(null);
[code]...

View 3 Replies

Query String Parameters With No Values?

Jun 28, 2010

I am trying to set up a page that has two behaviors. I'm separating them by URL: One behavior is accessed via /some-controller/some-action, the other is via /some-controller/some-action?customize. It doesn't look like the Request.QueryString object contains anything, though, when I visit the second URL...I mean, the keys collection has one element in it, but it's null, not 'customize'. Anyone have any ideas about this or how to enable this? I'd like to avoid manually parsing the query string at all costs :).

View 2 Replies

Web Forms :: How To ReturnUrl With Query String Parameters

Dec 29, 2010

I am trying to redirect the user to the login page with ReturnUrl and with the querystring parameters which are already in the url there. But it is getting only the first querystring parameter and not the others. Here is the code:

Response.Redirect("~/login.aspx?ReturnUrl="+Request.RawUrl);

It is showing correctly in login.aspx after the redirect but not returning as per the querystring parameters. I have also tried other methods, e.g.:

Response.Redirect("~/login.aspx?ReturnUrl="+Request.AppRelativeCurrentExecutionFilePath+"?"+Request.QueryString);

View 2 Replies

How To Encrypt Query String Parameters In .NET Website

Jul 13, 2010

In one of my ASP.Net websites, I have to provide a link to the user in which all query string parameters should be encrypted. What I am thinking is to use the command "aspnet_regiis" (as used to encrypt web.config data), and pass the output as a query string inside the published url. When the user clicks that link, I first decrypt the string and then fetch the original data for the query string. Am I right in doing this? Is there any good technique to encrypt and decrypt query strings?

View 4 Replies

MVC :: Query String Parameters And View Model Fields?

Feb 15, 2010

I just noticed that if my controller has a parameter with a name that matches the name of a field in my view model, and the view emits the value of the model's field, the value emitted is that passed in the query string, not the one set by the controller. Is this by design?

here is what i mean:

my view model:

public class MyViewModel
{
int id;
string name; [code]....

sending a request to "create?id=1234" emits "1234" in the hidden field instead of "1".

View 5 Replies

WCF / ASMX :: Webservice With Repeating Parameters In Query String

Mar 3, 2011

I am consuming a web service in .aspx with an added web reference that links to http://www.webservicex.net/stockquote.asmx After this, I can get the result from

WebServiceX.StockQuote ws = new WebServiceX.StockQuote();
String xmlString = ws.GetQuote("XOM");

I am wondering how I can call the web service like GET, http://www.webservicex.net/stockquote.asmx/GetQuote?symbol=XOM+BAC

View 1 Replies

Web Forms :: Query String Parameters Make App At Risk?

Feb 1, 2010

I'm writing an Asp.Net WebForms app where I am calling an edit page and passing in the data about the record to be edited using query string parameters in the URL. Like:

http://myapp.path/QuoteItemEdit.aspx?PK=1234&DeviceType=12&Mode=Edit

On a previous page in the app, I have presented the user with a GridView of screened items he can edit based on his account privileges, and I call the edit page with the above parameter list, and the page knows what to do.

View 6 Replies

Query String Parameters Make Application At Risk?

Feb 1, 2010

I'm writing an Asp.Net WebForms app where I am calling an edit page and passing in the data about the record to be edited using query string parameters in the URL. Like:

http://myapp.path/QuoteItemEdit.aspx?PK=1234&DeviceType=12&Mode=Edit

On a previous page in the app, I have presented the user with a GridView of screened items he can edit based on his account privileges, and I call the edit page with the above parameter list, and the page knows what to do. I do NOT do any additional checking on the target page to validate whether the user has access to the passed in PK record value as I planned to rely on the previous page to filter the list down and I would be fine

View 7 Replies

Forms Data Controls :: How To Add Optional Parameters In Query String

Jan 30, 2010

I have a data grid with a lot of information on it - to easily filter the data, I would like to be able to pass parameters to it. My problem is that I do not want the parameters to be required. So if I just put 1 or 2 of them in the query string, I would like for it to return all of the data related to those two parameters. I am using a data grid & stored procedures. My Stored Procedure looks like this:

[Code]...

View 1 Replies

Ignoring Specific Query String Parameters In Custom Sitemapprovider

Nov 15, 2010

I've written my own staticsitemapprovider which builds a dynamic site map. The problem I have is that sometimes pages will have additional parameters in the query string which I need to ignore.

Public Overrides Function FindSiteMapNode(ByVal rawUrl As String) As SiteMapNode

Dim startpos As Integer = 0
Dim endpos As Integer = 0
If rawUrl.Contains("pagetype=") Then
startpos = rawUrl.IndexOf("pagetype=")
endpos = rawUrl.IndexOf("&", startpos) + 1
[code]...

View 1 Replies

Make Permanent 301 Redirect Work When There Are Parameters In The Query String?

Jul 22, 2010

I moved some of my old asp pages to a new aspx website. In all of the old pages I used (for file example.asp):

Response.Status = "301 Moved Permanently";
Response.AddHeader("Location","http://www.domain.com/example.aspx");

The problem is that when the page domain.com/example.asp?param=value&param2=value2 is requested - the redirect ain't working...

View 1 Replies

Web Forms :: How To Encrypt And Decrypt Query String Parameters In Web Application

Jun 19, 2012

I am passing a value from one page to another page using a query string, so tell me an easy way to implement the encrypted query string.

View 1 Replies

Access :: Linking Of Ms Access Db With Web Application(Syntax Error In String In Query Express)

Jun 7, 2010

I am new to asp.net programming. I am trying to connect an asp.net web application with an ms access 2007 database. I have taken two text boxes, and when I enter some data in them and press the submit button, the data must load in the access db I created with the same fields.

My code is:

[code]....

Syntax error in string in query expression. What is the correct way of inserting data into access db and what is the syntax error in string in query expression?

View 3 Replies

Web Forms :: Bind Multiple Query String Parameters From Database When Working With Eval

Aug 26, 2012

I have the following Repeater, I need to bind multiple querystring parameters in HREF

<li class="current">
<a href="house.aspx?H_name=all"></a>
<ul>
<asp:Repeater ID="rptMenu" runat="server">
<ItemTemplate>

[code]...

View 1 Replies

Access Query Requires % Char In Like String?

Jan 11, 2010

I am building a page which has to search an access table with the text input entered by the user. The thing that is puzzling to me is that the functionality works only when a '%' is explicitly added to the text input at the beginning and end.

If I add '%' programmatically in the code behind file, it does not work.
code snippet ( asp page):

<asp:AccessDataSource ID="AccessDataSourcex" runat="server"
DataFile="~/App_Data/company.mdb"
SelectCommand="SELECT [ID], [emp name] AS emp_name, [emp title] AS emp_title FROM [EmpMain] WHERE ([emp name] like [code]...

//the below line is of no use, the % char has to be in the text input

//txtSearch.Text = "%" + txtSearch.Text + "%";

GridView1.DataBind(); <---- this works fine

<--- this does not work, even if I add % chars programmatically..


My question is: why does it not work when I programmatically add the '%' chars to the search string?

View 3 Replies

No Access To Page When Passing A Query String

Mar 2, 2015

I have a page on my website with access granted to logged in users (I'm using the built in asp.net membership database). This works.

However, when passing a querystring parameter in combination with that url address, the user is denied access.

View 3 Replies

How To Read XML File Using System.IO.Stream With LINQ / Cannot Convert From 'System.IO.Stream' To 'string'

Jul 19, 2010

I will be passing the xml file like this:

[code]....

error:

Error 1 The best overloaded method match for 'System.Xml.Linq.XDocument.Load(string)' has some invalid arguments

cannot convert from 'System.IO.Stream' to 'string'

View 2 Replies

System - Process Can't Access File

Aug 20, 2010

I'm trying to write a text file from my web page, but every time I'm having this error: System.IO.IOException: The process cannot access the file '.txt' because it is being used by another process. This is my code for writing the file.

Code:

protected void btnSave_Click(object sender, EventArgs e)
{
string serverpath = Server.MapPath("\\proactivcust.ini");
string mappath = "";
string qbpath = "";
string archpath = "";
string workpath = "";
try
{
System.IO.StreamReader file = new System.IO.StreamReader(serverpath);

[Code.....]

View 9 Replies

VS 2010 - Access Local File System

Apr 26, 2012

I have an ASP.NET page that I need to have access the local file system. It's an intranet. I need to download a zip file and an executable to a temp location and then run the executable.

Then afterwards, I need to delete the contents via an ASP.NET page.

Is there any way to access the local file system? Generally, I would think this would cause a security concern, but I've seen posts about Silverlight being able to access it.

View 4 Replies

Web Forms :: Read Query String Value In Clsglobal File

Feb 7, 2011

I am having a clsglobal file in my application. Now when a user requests some page, e.g. with [URL], I want to read the username in the clsglobal file when the user clicks a button in that page. How can I read it?

View 1 Replies

DataSource Controls :: SqlDataSource And Parameters Query / Trying To Accomplish Is Building Dynamic Query

Aug 22, 2010

1. I have a GridView on my page and it uses sqldatasource with parameterized query. What I want to do is, on page load (where nothing has been selected so no parameter supplied), I want it to query everything (something like SELECT * FROM [this_table]) but since my SelectCommand is something like

SELECT * FROM [this_table] WHERE [this_column] = @someParameters AND [that_column] = @someParameters.

Can I play around with default value to achieve something like that but how ? Now, when the page loads, it doesn't show anything (No Gridview).

2. On my page, I made something like (username, gender, address, and more) and one single search button. That means, no single control enable auto postback. What I am trying to accomplish is building dynamic query

(if username specifed -> SELECT * FROM [this_table] WHERE [username] LIKE @username).

If both username and gender are specified (SELECT * FROM [this_table] WHERE [username] LIKE @username AND [gender] = @gender) and you know the rest. How can I do this using GridView and SqlDataSource ? To my knowledge, I can only specify one SELECT statement in a sqldatasource.

View 11 Replies

Is It Possible To Output The Songs In The Mp3 Folder To An XML Query String Or Xml File Through SQL Server Management

Nov 12, 2010

If I have an upload control that uploads mp3's to a file on my server and stores user specific information of the uploader in my SQL database, is it possible to output the songs in the mp3 folder to an XML query string or xml file through SQL server management studio?

View 2 Replies

Mobiles :: How To Use Query String With Local Html File In Windows Mobile Web Form

Mar 16, 2010

I am trying to display a local .html file in a web page. The file uses javascript to display some information about my phone. In the executable, I am retrieving two values out of the registry. I would like to pass these values in a query string (I think that is the correct terminology). Something like file://\Program Files\TestTest.html?type=newtype. I have attempted this with using webbrowser.navigate, but that is giving an unhandled exception when it tries to pass the URI string. Obviously, I have no experience with this and am using the wrong method. There has to be a simple way to open a new webpage in a form and pass it this type of string.

How to implement such a function? I have been attempting to implement this with Visual C# using the .net CF for Windows Mobile.

View 2 Replies

DataSource Controls :: Use Is Null In Query Without Using Parameters For It Or Should Use Parameters For This Field Where Value Is NULL

Jan 21, 2010

Here is my code for selecting some records from a db table:

string strSql = "select * from mtblNBD where SentTo=@SentTo and InternalStatus Is NULL order by DeadLine desc";
SqlCommand com = new SqlCommand(strSql, con);
com.Parameters.Add("@SentTo", SqlDbType.NVarChar, 50).Value = (string)Session["uname"];

Here I am using parameters for the SentTo field but not for NULL, so is it ok... or should I use parameters for this field where the value is NULL? If yes, then how can I use a parameter for this?

View 8 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved