Potential For SQL Injection When Manually Calling Or Pulling Values
Apr 5, 2010
A security review was done against one of our ASP.net applications and returned in the test results was a SQL Injection Exposures considered to be a high risk item. The test that was performed passed a SQL statement as the value of the __EVENTTARGET and the __EVENTARGUMENT. I am wondering since these 2 values are ASP.net auto-generated hidden fields used for the Auto-Postback feature of the framework and hold information specific to the controls initiating the postback, is there really the potential for SQL injection if you are never manually calling and or pulling values out of these parameters in your code behind?
View 2 Replies
Similar Messages:
Sep 10, 2010
I'm using a List Box to get multiple values that will be used in a query.I can loop over the List Box and create the string.i.e. 'blue','red','purple'The string is used in the query: SELECT * FROM TABLE1 WHERE COLOR IN('blue','red','purple'). Is there a way to parametrize multiple values? @COLOR='blue','red','purple'What will be the best practice to prevent SQL injections in this scenario?
View 10 Replies
Jan 24, 2010
I have a FormView control with Two text Boxes. Data source for the Controls is an ObjectDataSource
I want to fetch these values from both text boxes, create a User object and pass it to ObjectDataSource, which has an input method that accept a User object
I think I have to do it in
protected void ObjectDataSourceUsert_Inserting(object sender, ObjectDataSourceMethodEventArgs e)
{
// string _userName = FormViewUserDetails. ?
// string _password = FormViewUserDetails. ?
User user = new User {UserName = _userName, Password = _password};
e.InputParameters.Add(user);
}
View 1 Replies
Feb 1, 2011
Using a class component, an Object data source and a formview I am successfully pulliing data from a SQL database. In some cases the rows contain one or more Null values and I would like them to be ignored completely. My simple code follows:-
<%# Eval("add_1") & ","%>
<%# Eval("Add_2") & ","%>
<%# Eval("Add_3") & ","%>
OUTPUT:-
Rose Cottage, 123 New Road, Margate,
View 2 Replies
Oct 1, 2010
I've 2 servers mirror with a load balancer. I'd like to know the pros and cons of sticking with app cache versus going with something like memcache? I'm very interested in various solutions and especially the types of errors that I could get or limitations by not synchronizing them.
To start the discussion, I'd hazard that using ASP.NET cache would be faster and simpler.
View 1 Replies
Jan 21, 2011
I made a pretty cool ASP.NET MVC 3 application, and I want to send it as an attachment to a web firm. I tried playing around in visual web developer but could not get anything :( Should I just zip the project folder up and send it that way? Is there somewhere I can host it for free (doubtful).
View 2 Replies
Feb 12, 2011
I am playing with Asp.net MVC 3, I was wondering how do you acheive a collection rendering in the view when the collection is made of 'real world' objects. Let's say I have a collection of client, each client
may have an address and an adress may have a country.
When I write the following code it crashs if one of the client has a null address (or a null country). Object reference not set to an instance of an object.
[code]...
View 11 Replies
Sep 17, 2013
I am following this article [URL] ....
It's working fine except for zip file. When ever i am attaching zip file in mail, it is giving me error
"Exceeded storage allocation. The server response was: 5.7.0 This message was blocked because its content presents a potential"....
View 1 Replies
Jan 7, 2011
I have a page that contains a few user controls which all use an id in a querystring. I want to change this so that the page can send the id to the user control and can call a function on the user control.
Also is it possible for the user control to get the id from the page or a control on the page as its parent?
View 8 Replies
Feb 25, 2010
I have two member roles at my project:
1.) Administrator
2.) Member
From the toolbox in Visual Studio 2008, I have dragged and dropped the create user wizard into the stage. I aim that a guest can register itself and automatically join the "member" role. Not the role "administrator". How can I do that?
View 9 Replies
Mar 17, 2010
My company uses SharePoint 2007 as a CMS. We have a set of publishing sites. When servers go down, we would like to apply a status message. It doesn't have to be automatically applied, just would appear on first load (if a message exists) or a subsequent refresh. Here's how we would like it to work:
- Status message is located in a text file on the server.
- When a page loads, we would like each it to check to see if there is anything in the text file, and if so, display the message on the page.
- If the text file is empty, we would like it not to display anything on the page.
I can think of a few different ways this could be accomplished using PHP or something, but I'm at a loss as how to do it within SharePoint. Ideally we would be able to place such a block of code into the masterpage.
View 4 Replies
Sep 2, 2010
userName = Global.getComponent('centerRegion').UserName.getValue();
That code pops up with the error
{"browserEvent":"'Global.getComponent(...).UserName' is null or not an object","button":-1,"ctrlKey":false,"xy":[0,0]}
When I run it on this form:
Using Form As New WebControls.Forms.Form
With Form
.ID = "Test"
.ItemName = "connector"
With .Toolbar
.UseDefaultButtons = False
.AddButton(Forms.FormToolbar.ButtonType.Save)
.AddButton(Forms.FormToolbar.ButtonType.Cancel)
.AddButton("Test Connection", "testConnection", "icon-button-testconnection", , "Test")
End With
With .CenterRegion
.Id = "centerRegion"
With .AddFieldSet("Activate Service")......................
View 2 Replies
Jun 14, 2010
I have written a web scraping program to go to a list of pages and write all the html to a file. The problem is that when I pull a block of text some of the characters get written as '�'. How do I pull those characters into my text file? Here is my code:
string baseUri = String.Format("http://www.rogersmushrooms.com/gallery/loadimage.asp?did={0}&blockName={1}", id.ToString(), name.Trim());
// our third request is for the actual webpage after the login.
HttpWebRequest request =
(HttpWebRequest)WebRequest.Create(baseUri);
request.Method = "GET";
request.UserAgent = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)";
//get the response object, so that we may get the session cookie.
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
StreamReader reader = new StreamReader(response.GetResponseStream());
// and read the response
string page = reader.ReadToEnd();
StreamWriter SW;
string filename = string.Format("{0}.txt", id.ToString());
SW = File.AppendText("C:\Share\" + filename);
SW.Write(page);
reader.Close();
response.Close();
View 3 Replies
Mar 23, 2011
I have two tables:
Entity
ID (PK), int
Name
Descrip
Users
ID (PK)
EntityID, int (this is not connected to Entity table)
Now I am using LINQ to pull the records which has a Entity.ID = something. Which will show me couple of records in my GridView. Here is my LINQ statement:
protected void Page_Load(object sender, EventArgs e)
{
string getEntity = Request.QueryString["EntityID"];
int getIntEntity = Int32.Parse(getEntity);
OISEntityTestingDataContext db = new OISEntityTestingDataContext();
//OISLinqtoSQLDataContext db = new OISLinqtoSQLDataContext();
var tr =
from r in db.Users
join s in db.Entities on r.UserID equals s.ID
where s.ID == getIntEntity
select new
{
//To Show Items in GridView!
};
GridView1.DataSource = tr;
GridView1.DataBind();
}
Now here I am getting an error mesg on 'join' The type of one of the expressions in the join clause is incorrect. Type inference failed in the call to 'Join What does that mean?
View 3 Replies
Dec 21, 2010
I'm getting ready to start a C# web application project and just wanted some opinions regarding pulling data from a database. As far as I can tell, I can either use C# code to access the database from the code behind (i.e. LINQ) of my web app or I can call a stored procedure that will collect all the data and then read it with a few lines of code in my code behind. I'm curious to know which of these two approaches, or any other approach, would be the most efficient, elegant, future proof and easiest to test.
View 3 Replies
Jan 15, 2010
I recently designed a website for a school, I have their result in my database, I am using Northwind. What I want to do is, since all the result are in the data, I want to input a students name, exam number and some numbers in a card(exam scratch card, which they will purchase) they will purchase. When they input these details, the students results will be pulled out from the database.
Just like exam result portal, where you will look up your result with, your name, school number and numbers from the scratch card.
View 6 Replies
Sep 27, 2010
I have to pull up a list of people by their branch number which could vary, and give a detailed report on there performance using a select queries. I have the select queries but how can i create a script to look similar to this one. Ive got the branch drop downlist already created just need to know how i can go about pulling all the users in this group and doing this select to all of them. someone told me I might need to use cursors to loop thru a select with every person in the list but im not sure how to go about that.
select fldusername from tbluser where fldio='o' and
flduserbranch=@branchid
is going to give me the names of the people i need to query. but how can i run a query on each of them seperate?
View 3 Replies
Jun 28, 2010
I'm trying to pull a value from a Gridview so that I can create a running subtotal. I've looked at a number of examples but they all seem to fail.
Why does this not work? Each and every reference I try to make to the cells "value", comes up null.
Sample code1:
[Code]....
Sample code2:
[Code]....
In sample code 2, I get the "header text" for the column...but I know the value in the cell...so it fails on a data conversion.
View 5 Replies
Feb 17, 2010
I was hired to do some contract work for a short contract. I am looking at this code on this Aspx web form. What they do is load the labels for a radio button list from an ObjectDataSource object. Well this is the first time I have ever heard of an ObjectDataSource. The problem is that I don't even know where this object is pulling data from. With a SqlDataSource object, I can easily view the flyout menu to see the sql query where the data is being pulled from. Anyway, I need some figuring out where objectDataSourcePlanType lives and where it is pulling data from. I know I can't list the entire project, but I am sure someone who is familiar with ObjectDataSource
<tr>
<td>Type of Plan</td>
<td><img alt="Required" src="/Images/arrow.png" /></td>
<td>
<asp:RadioButtonList ID="radioButtonListPlanType" runat="server" AutoPostBack="True" DataSourceID="objectDataSourcePlanType"
DataTextField="PlanTypeName" DataValueField="PlanTypeId" OnSelectedIndexChanged="RadioButtonListPlanType_SelectedIndexChanged"
RepeatColumns="1" RepeatDirection="Vertical" AppendDataBoundItems="true">
</asp:RadioButtonList>
<asp:RequiredFieldValidator ID="requiredFieldValidator10" runat="server" ControlToValidate="radioButtonListPlanType" ErrorMessage="Type
of Plan is required."
SetFocusOnError="true" />
<asp:ObjectDataSource ID="objectDataSourcePlanType" runat="server" SelectMethod="ListPlanTypes" TypeName="Candle.Web.PlanRequest.CommonWeb">
</asp:ObjectDataSource>
</td>
</tr>
View 2 Replies
Mar 4, 2011
I have 50 sites for 50 states. When a company uploads their contact info their image is stored in a folder relative to the site they are uploading from. When you view this company on the other sites the image is not present. So, I was thinking I would store the path of where the file is originally and then access it through the handler, but I can't seem to get the handler to recognize locations other than virtual directories.
[Code]....
View 3 Replies
Sep 19, 2010
I am trying to avoid enabling EnableViewState..Sample code as you can see has 1 repeater and 2 textboxes inside. I bind the textboxes at page init. After a postback I want to get the updated data from the client & save in a db. The Request.Form contains the data keyed with autogenerated client ids but the repeater has 0 items after the postback. So my options seem limited to.a. Enable viewstate so I can pull the data from the repeater using Control.Find(...)b. iterate through Request.Form and find my textbox values...ultimatly the goal is to to render data from a datatable to some textboxes, allow the user to make changes then save these changes. I'd like to avoid viewstate if there is a clean alternative..ASPX:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Foo.aspx.cs" Inherits="Ads_Foo" EnableViewState="false"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-
[code]...
View 1 Replies
Nov 4, 2010
I am having a slight issue with grabbing data from my masterpage into my content page (as a whole).
I have generated a public property for the my textbox and the contentpage can see this public property. But it comes across empty (even from within the masterpage). Now I guess the problem is with the property itself (possibly). It also shows as empty when I response.write it's value to the page.
Even when I call the value of the property in the masterpage it comes across as empty. The way I have this setup is that a textbox named pageTitleField has it's value updated from an iframe. All is working well and the textbox has its value updated correct upon iframe content changes. This is great. Now I just need to pass this textbox value into my content page and then set it as the document title.
see my code thus far.
My MasterPage
[Code]....
My MasterPage CodeFile
[Code]....
My ContentPage
[Code]....
My ContentPage CodeFile
[Code]....
I know the public property is being seen from the content page because if I just do a Response.Write(Master.GrabPageTitle) I see System.Web.UI.WebControls.TextBox appearing as the output of that property. So it appears hat the textbox value is not being captured in the public readonly property.
View 5 Replies
Feb 1, 2011
So I have been trying to follow serenarules posts about persistence layers, but I seem to be missing something.
The persistence layer is an architectural layer whose job is to provide an abstract interface to information storage mechanism(s).
This makes sense to me, but I am still having a hard time with this.
So in what cases is this necessary? When you are pulling similar data from multiple information sources?
View 7 Replies
Feb 25, 2010
we have a program that we work with with in 2 different locations, both of the program instances must share the same database.what i did is to open Web Sharing folder on our server then i added on both computers this folder to their "My network places" and direct both of application to this folder which contains the database.this is how i direct the program :
Code:
D:WNKKWnkk.exe \MyServer�ktest
nk2008
it all works fine but there is one problem, the data pulling is pretty slow when it shouldn't we have 100MB download / upload on our server and over 10MB dl/ul in our office.
some pointers:i added the shared web folder to one of our website directory and thats mean that the port the program is using is 80
is port 80 is slower then others?
View 10 Replies
Feb 3, 2010
I currently designed a school result portal. If the students want to view their result, they input their student school number in a text box to search out their result. But this is not secured because anybody can look up any students result if you have the number which is even written on their school uniform for identification.
I have being trying to secure this result by trying to generate or code special numbers that the students will input with their school number. The special numbers will be random numbers and may be from 10 and above, it might even contain letters. How do
I code this. I believe this is the best asp.net forum. I want the students to be inputing this special unique numbers and their student numbers so that there result will be avaliable to them.
View 2 Replies
