Security :: Storing And Displaying User Input (encoding Query)?
Aug 30, 2010
how to handle html and scriptswhat . if I build my own CMS? Isn't it inevitable that I'll want to store html code, possibly scripts, and almost certainly apostrophes and special characters, and then display them again.
What's the best way to do this, since I wont want to display the encoded html, but the html itself.
Would it be to encode everything then when I want to actually display the html, decode it, but everywhere else, keep it encoded?
I'm just trying to think of all the scenario's that I could come across when I accept user input where I don't know what they could be typing in. What if I WANT the user to be able to display html? Is it possible to decode only some tags but leave all other tags encoded?
View 10 Replies
Similar Messages:
Jun 1, 2010
I would like a situation where there are three textbox available and this would give the user an opportunity to input a value in the textboxes. The value in the textboxes would then be stored in a database table(the table is already created in sql). Furthermore, the value would be able to be reterieved later on when the user presses another button. A sample code will help.
View 1 Replies
Jan 12, 2011
I have two text boxes for the user to enter UserName & First Name, both these fields are optional and not mandatory to fill.
once the user presses the Search button, i execute the following query to fetch matching records.
[Code]....
The problem is, in cases where User leaves both the textbox or one of the textbox empty/blank, in that case that particular field should be removed from where clause.
More like if something is entered then search for that particular record otherwise search for all the records.
View 2 Replies
Nov 25, 2010
When I first implemented forms authentication I consulted an article that told me to store the user's custom IPrincipal object in the cache. Is this wrong? Should I have stored it in the session?
View 1 Replies
Jun 13, 2010
Moderator Note:Post split from this thread[http://forums.asp.net/t/1403132.aspx]
Q: Im a novice with ASP.net. I want to append a UserID to the Context.Identity.User.Name field.
Something like:
FormsAuthentication.RedirectFromLoginPage(UserName+UserID, false);
Where can I set this code while still using asp.net membership and the login control.
Is it possible to set this in an OnLogin or OnAuthenticate event handler.
Is there someway to see the "login control" code, that way I can just copy it but append my own value when setting the name.
View 2 Replies
Jan 26, 2011
I would like to make sure that everything that goes into my database is safe, i.e. protection from sql injection.
What I want to do is type something in a textbox, "<b>hello</b>" for example, it be encoded before it's put in the database, but when I retrieve it, I want it to display "hello" in bold.
I've tried the obvious of server.encode on input and server.decode on the output (to a label and a literal control), but couldn't get it to display the text in bold without having unencoded text in the database.
View 7 Replies
Feb 7, 2010
In my web.config I have
<globalization
fileEncoding="utf-8"
requestEncoding="utf-8"
responseEncoding="utf-8"
culture="en-US"
uiCulture="de-DE"
/>
In my page directive I have
ResponseEncoding="utf-8"
Yet for some reason an ASP TextBox with the TextMode="MultiLine" allows inputs of characters outside of UTF-8. When I paste the following line of text into an ASP TextBox that is not MultiLine
the non UTF-8 characters are replaced, but not when I use a MultiLine TextBox.
EDIT: To explain a little more the set up I am seeing this problem in, here are 4 text areas that can be put on an ASP page.
<asp:TextBox ID="txtTest1" runat="server"></asp:TextBox>
<asp:TextBox ID="txtTest2" runat="server" TextMode="MultiLine"></asp:TextBox>
<input id="Text1" runat="server" />
<textarea id="Textarea1" cols="100" rows="8" runat="server">
View 2 Replies
Jan 27, 2010
I have a quick Linq to SQL question. I am trying to write a Linq query that has multiple where clauses depening on user input. What I would intuitively code is:
Dim arrTerms As Array = txtUserInput.Text.Split(" ")
Dim q = From newsitem In db.MyNewsTable _
Where newsitem.Contains(arrTerms) _
Select newsitem
Listview1.DataSource = q
Listview1.Databind()
Unfortunately, though, the "Contains" operattor does not accept an arraylist, or array, or anything but String.
View 1 Replies
Jan 19, 2011
i have my own DLL (for the data access layer),,i use escaping characters technique to avoid the user input errors ,, but recently i decided to enhance my classes and using parametrized query to prevent all possible errors,Is the modification will be easy or difficult ??how to convert this way to use the parametrized query ..
View 1 Replies
Jan 13, 2011
I am starting work on an already fully developed site. This site has no input encoding or output encoding. If some one ebters <input type="text"> in an insert form it is displayed as a real tex box when viewing that form details.
So how can i apply encoding at input or output to the WHOLE SITE?
turning on validate request is not an option as the cms wud need it off.
also this is .net 3.5 so no question od using <%: tags.
View 4 Replies
Nov 23, 2013
I am generating report through report viewer.. I want show my record which date i select but it cant select data from date which are giving it taking system date to display data...
Example: I select 2013-11-15 it does not showing any data but when i change my system date to 15 it is showing data...
<body> <form id="form1" runat="server"> <table class="style1"> <tr> <td class="style4"> </td>
<td class="style3"> </td> <td align="right"> Date</td> <td> <asp:TextBox ID="TextBox1" runat="server">
</asp:TextBox> <asp:CalendarExtender ID="TextBox1_CalendarExtender" runat="server" Enabled="True" TargetControlID="TextBox1" format="yyyy-MM-dd"> </asp:CalendarExtender> </td> <td>
<asp:Button ID="Button1" runat="server" Text="Search" onclick="Button1_Click1" /></td>
[code]....
Here report is temporary table which save all the select data from purchase from.
View 1 Replies
Jun 3, 2010
I want to prevent cross site scripting in my website.....is dat good to use innerhtml,htmlencode?
View 3 Replies
Jan 30, 2011
I have a CMS page that allows the user to paste in or type HTML code into a TextBox in a FormView, then do an INSERT or UPDATE operation to an nvarchar(MAX) column in an SQL table. This is using an ObjectDataSource that refers to an insert or update method in a TableAdapter in my dataset.
When testing, the server initially warned me when I tried to input or update text containing HTML code; so I set the validateRequest="false" in my page header.
I gather this can be a serious security risk. What's the proper way to "validate" the string being input? Am I opening the database to SQL injection?
Only the site administrator has access to the CMS, but malicious could theoretically bust their way in...
View 1 Replies
Feb 9, 2011
this is basically to show a welcome message [welcome user]on the index page after login in as a registered user of my site. i can achieve this with session but i really want to see this work. i read it in a book. it is not working as i want instead it is displaying my pc's name, instead of showing welcome for the current loggrd in user. put into consideraton that i programmatically created my login controls, my database on sqlserver myself, without asp.net custom login controls.
//this is the label that shows the welcome text
{welcomeLbl.Text = "you are welcome, ";
//user.identity.name+"."; this is suppose to display the name of the current logged in user
welcomeLbl.Text += User.Identity.Name + ".";}
View 2 Replies
Aug 3, 2010
I'm a complete novice to ASP.Net embarking on a charity work for a primary school in Africa to create a simple website. The website should have a webpage that users can upload pictures that is stored and displayed as thumbnails. Which can be click on to show the picture in its actual size.
I've used masterpages to create a consistent look across all pages. On the gallery page, I have a textbox and a button which are yet to be programmed.
View 9 Replies
Mar 16, 2010
a user loged in and he wants to delete his user. how do i make a delete query that refers to his userID how do i get the user id of the current logedin user?
View 4 Replies
Jan 21, 2010
why I get the following error: Query input must contain at least one table or query
for this code...
Insert into BlogPost (BlogID,BlogTitle,BlogContent,Attatchments,IsEnabled,IsVisible) values
((SELECT BLOGID FROM Blog WHERE BlogOwnerID =7),'test','aaaaa','aaaa',true,true);
all i know that it is a problem with how i have nested the select statement...
View 1 Replies
Mar 17, 2010
I was wondering if anyone had a tutorial or overview of the best way to store html in a MS SQL database, and then calling it back up and displaying it and should I save the decoded html in ntext?
View 5 Replies
Oct 1, 2010
Since I'm new to coding and I'm trying to understand why here is a little more detail on the question.If you have a text box and you are limiting the input to say 2 charactrs do you really need to validate the input further? What I have is a text box that has a max length of 2. Is there a security reason to add a validator to the textbox. I should add this is in Asp.net.
View 8 Replies
Feb 5, 2010
I have the aspnet membership on my own sql database, I am trying to add the user's first and last name into my sql select query. How can I do it?
View 3 Replies
Apr 29, 2010
Input: - 3 excel files storing them into global temporary tables after reading cell by cell.
Requirement is to process inputs files and generate a single excel report.
After report gets exported, data in tables in should be deleted (i am using global temp tables for this).
But the problem is, two users are unable to generate report simultaneously.
Is this problem with global temporary tables?
View 1 Replies
May 27, 2010
how can i generate rtf file based on input field(textbox input by user) c#
View 3 Replies
Aug 4, 2010
I would like to program an Input Box that comes up when a user clicks 'Find' button. It asks 'Please enter an employee number'. Then it takes the employee number typed into a text box and searches a dataset for that specific employee record.
I know that it should be server side because the client may not have the proper javascript installed or diabled. Therefore, can someone give me some code to put in code behind that can pop up an input box and use the input after, if this can be done?
View 1 Replies
May 24, 2010
Is it possible to display a list of descriptive phrases (say pulled from a lookup table in a database) but store a code in another table? I'm a beginner at ASP.NET but have some experience with SQL Server. If so, how can I do it?
View 9 Replies
Nov 29, 2010
I've narrowed the problem down to the following:
Receive "Login failed" for user ASPNET error message SQL Server 2005 is db and IIS is web server (both on same computer) Mixed authentication used on SQL Server I have created user ASPLogin with password that is correctly typed int the web.config:
add
name="masterConnectionString"
connectionString="Data
Source=computernameGMOSERVER;Initial Catalog=Portal;Persist Security Info=True;User ID=ASPLogin;Password=password" providerName="System.Data.SqlClient"
/>
I am able to access my webpages that query the database as long as they are not parameterized.However, the parameterized queries (e.g., SELECT * FROM SUPP_DASH_RESULTS WHERE organization_code = @orgcode) are the ones that do not work, and give me the "Login failed" error message
View 5 Replies