Web Forms :: Query String Parameters Make App At Risk?
Feb 1, 2010
I'm writing an ASP.NET WebForms app where I am calling an edit page and passing in the data about the record to be edited using query string parameters in the URL. Like:
http://myapp.path/QuoteItemEdit.aspx?PK=1234&DeviceType=12&Mode=Edit
On a previous page in the app, I have presented the user with a GridView of screened items he can edit based on his account privileges, and I call the edit page with the above parameter list, and the page knows what to do. I do NOT do any additional checking on the target page to validate whether the user has access to the passed-in PK record value, as I planned to rely on the previous page to filter the list down and I would be fine.
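The listing page only filters what is displayed; anyone can type a different PK into the address bar, so the edit page has to repeat the ownership check itself on every request. Below is an added example of what that check looks like in the code-behind of the edit page. It is not the poster's code, and it assumes a QuoteItems table with QuoteItemId, DeviceType and OwnerLogin columns, a connection string named "App" in web.config, and forms authentication so that User.Identity.Name is the logged-in account (all hypothetical names).

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class QuoteItemEdit : Page
{
    // Assumed for this example: connection string "App" in web.config.
    static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["App"].ConnectionString;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Page_Load runs for the initial GET and for the postback that saves, so the
        // check below covers both; tampering with the URL on either request fails.
        int pk;
        if (!int.TryParse(Request.QueryString["PK"], out pk))
        {
            throw new HttpException(400, "PK is missing or not a number");
        }

        // Re-apply the same ownership filter the GridView used, server-side, with
        // parameters (the PK never becomes part of the SQL text).
        const string sql =
            "SELECT DeviceType FROM QuoteItems " +
            "WHERE QuoteItemId = @pk AND OwnerLogin = @owner";   // assumed schema

        using (SqlConnection con = new SqlConnection(ConnStr))
        using (SqlCommand com = new SqlCommand(sql, con))
        {
            com.Parameters.Add("@pk", SqlDbType.Int).Value = pk;
            com.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = User.Identity.Name;
            con.Open();

            object deviceType = com.ExecuteScalar();   // null when no row matched
            if (deviceType == null)
            {
                // Someone else's record or a non-existent one: same answer for both, so
                // the page does not reveal which PK values exist.
                throw new HttpException(403, "You do not have access to this record");
            }

            // Take DeviceType from the database row, not from the DeviceType query
            // string parameter, which the user can also edit.
            ViewState["DeviceType"] = Convert.ToInt32(deviceType);
        }
    }
}
```

The DeviceType and Mode parameters in the URL deserve the same treatment: anything that changes what the page is allowed to do should be derived from the authenticated user and the database row, with the query string used only to select which row.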
I am trying to redirect the user to the login page with ReturnUrl and with the query string parameters which are already in the URL there. But it is getting only the first query string parameter and not the others. Here is the code: Response.Redirect("~/login.aspx?ReturnUrl="+Request.RawUrl); It is showing correctly in login.aspx after the redirect but not returning as per the query string parameters. I have also tried other methods, e.g.:
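Appending Request.RawUrl without encoding it means the '&' characters in the original URL are parsed as separators for login.aspx, so only the part before the first '&' ends up in ReturnUrl. The added example below (not the poster's code) encodes the value on the way out and, on the login page, accepts only a local path before redirecting back, because an unchecked ReturnUrl is an open redirect. The fallback page name is an assumption.

```csharp
using System;
using System.Web;

public static class LoginRedirect
{
    // Used on the protected page:
    //   Response.Redirect(LoginRedirect.BuildLoginUrl(Request.RawUrl));
    // UrlEncode turns "&" into "%26" and "?" into "%3f", so the whole path and
    // query survive as one ReturnUrl value. (FormsAuthentication.RedirectToLoginPage()
    // does the same encoding for you when forms authentication is configured.)
    public static string BuildLoginUrl(string rawUrl)
    {
        return "~/login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(rawUrl);
    }

    // Used on login.aspx after a successful login:
    //   Response.Redirect(LoginRedirect.SafeReturnUrl(Request.QueryString["ReturnUrl"]));
    // Request.QueryString has already decoded the value. Only an absolute local path is
    // accepted: "http://evil.example/", "//evil.example" and "/\evil.example" would all
    // send the freshly logged-in user to another site.
    public static string SafeReturnUrl(string returnUrl)
    {
        const string fallback = "~/Default.aspx";   // assumed landing page
        if (string.IsNullOrEmpty(returnUrl)) return fallback;
        if (returnUrl.StartsWith("/", StringComparison.Ordinal)
            && !returnUrl.StartsWith("//", StringComparison.Ordinal)
            && !returnUrl.StartsWith("/\\", StringComparison.Ordinal))
        {
            return returnUrl;
        }
        return fallback;
    }
}
```

A quick check after deploying: request the protected page while logged out and confirm the browser's address bar shows a single ReturnUrl parameter containing %26 between the original parameters.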
I have a data grid with a lot of information on it. To easily filter the data, I would like to be able to pass parameters to it. My problem is that I do not want the parameters to be required. So if I just put 1 or 2 of them in the query string, I would like for it to return all of the data related to those two parameters. I am using a data grid & stored procedures. My stored procedure looks like this:
I am working on a website in ASP.NET MVC. I have to show a view where the user puts in some search values like tags and titles to search. I want to use the same Index method for that. I have made my form use FormMethod.Get to send the parameters as a query string.
[HttpGet] public ActionResult Index(string title, string tags, int? page) { if (string.IsNullOrEmpty(title)) return View(null); [code]...
I am trying to set up a page that has two behaviors. I'm separating them by URL: one behavior is accessed via /some-controller/some-action, the other via /some-controller/some-action?customize. It doesn't look like the Request.QueryString object contains anything, though, when I visit the second URL... I mean, the keys collection has one element in it, but it's null, not 'customize'. Anyone have any ideas about this or how to enable this? I'd like to avoid manually parsing the query string at all costs :).
In one of my ASP.NET websites, I have to provide a link to the user in which all query string parameters should be encrypted. What I am thinking is to use the command "aspnet_regiis" (as used to encrypt web.config data) and pass the output as a query string inside the published URL. When the user clicks that link, I first decrypt the string and then fetch the original data for the query string. Am I right in doing this? Is there any good technique to encrypt and decrypt query strings?
I just noticed that if my controller has a parameter with a name that matches the name of a field in my view model, and the view emits the value of the model's field, the value emitted is the one passed in the query string, not the one set by the controller. Is this by design?
Here is what I mean:
My view model:
public class MyViewModel { int id; string name; [code]....
Sending a request to "create?id=1234" emits "1234" in the hidden field instead of "1".
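This is how ASP.NET MVC's HTML helpers behave: the model binder records every bound request value (including query string values) in ModelState, and Hidden/HiddenFor/TextBox render the ModelState value in preference to the model property. The added example below (not the poster's code; controller name and second property are assumed) shows the effect and the usual fix, which matters when the property is something the server sets deliberately and must not take from the URL.

```csharp
using System.Web.Mvc;

public class MyViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ItemsController : Controller   // assumed controller name
{
    // GET /items/create?id=1234
    // The binder puts "1234" into ModelState["id"] (keys are case-insensitive), and
    // Html.HiddenFor(m => m.Id) in the view would render that value, not 1.
    [HttpGet]
    public ActionResult Create(int id)
    {
        MyViewModel model = new MyViewModel { Id = 1, Name = "new item" };

        // Drop the bound value so the helper falls back to the model property.
        // ModelState.Clear() does the same for every bound key.
        ModelState.Remove("id");

        return View(model);
    }

    // The rendered hidden field is still client-controlled: whatever the form posts
    // back has to be re-validated here, never trusted because "we set it to 1".
    [HttpPost]
    public ActionResult Create(MyViewModel posted)
    {
        if (!ModelState.IsValid) return View(posted);
        // ... authorize posted.Id against the current user before using it ...
        return RedirectToAction("Index");
    }
}
```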
I am consuming a web service in .aspx with an added web reference that links to http://www.webservicex.net/stockquote.asmx. After this, I can get the result from WebServiceX.StockQuote ws = new WebServiceX.StockQuote(); String xmlString = ws.GetQuote("XOM"); I am wondering how I can call the web service like GET, http://www.webservicex.net/stockquote.asmx/GetQuote?symbol=XOM+BAC
I've written my own StaticSiteMapProvider which builds a dynamic site map. The problem I have is that sometimes pages will have additional parameters in the query string which I need to ignore.
Public Overrides Function FindSiteMapNode(ByVal rawUrl As String) As SiteMapNode
Dim startpos As Integer = 0
Dim endpos As Integer = 0
If rawUrl.Contains("pagetype=") Then
startpos = rawUrl.IndexOf("pagetype=")
endpos = rawUrl.IndexOf("&", startpos) + 1
[code]...
1. I have a GridView on my page and it uses a SqlDataSource with a parameterized query. What I want to do is, on page load (where nothing has been selected, so no parameter supplied), I want it to query everything (something like SELECT * FROM [this_table]), but my SelectCommand is something like
SELECT * FROM [this_table] WHERE [this_column] = @someParameters AND [that_column] = @someParameters.
Can I play around with the default value to achieve something like that, and how? Now, when the page loads, it doesn't show anything (no GridView).
2. On my page, I made something like (username, gender, address, and more) and one single search button. That means no single control enables auto postback. What I am trying to accomplish is building a dynamic query
(if username specifed -> SELECT * FROM [this_table] WHERE [username] LIKE @username).
If both username and gender are specified (SELECT * FROM [this_table] WHERE [username] LIKE @username AND [gender] = @gender) and you know the rest. How can I do this using GridView and SqlDataSource ? To my knowledge, I can only specify one SELECT statement in a sqldatasource.
Here is my code for selecting some records from a db table:
string strSql = "select * from mtblNBD where SentTo=@SentTo and InternalStatus Is NULL order by DeadLine desc"; SqlCommand com = new SqlCommand(strSql, con); com.Parameters.Add("@SentTo", SqlDbType.NVarChar, 50).Value = (string)Session["uname"];
Here I am using a parameter for the SentTo field but not for the NULL, so is it OK... or should I use a parameter for this field where the value is NULL? If yes, then how can I use a parameter for this?
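The three posts above (optional stored-procedure parameters, the GridView/SqlDataSource with unfilled filters, and the SentTo query with a NULL test) all come down to one pattern: keep a single parameterized statement and let a NULL parameter switch its condition off with "(@p IS NULL OR col = @p)". A fixed NULL test such as "InternalStatus IS NULL" is a constant, not user input, so it needs no parameter; only values that come from the user do. The added example below is not any poster's code and uses an assumed Users table with Username, Gender, Address and InternalStatus columns.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserSearch
{
    // One statement for every combination of filters. The SQL text never changes
    // with user input, so nothing the user types can alter the query shape, and
    // SQL Server reuses one cached plan. The same WHERE clause works unchanged in
    // a stored procedure declared with defaults: @username nvarchar(50) = NULL, ...
    public const string Sql =
        "SELECT Username, Gender, Address FROM Users " +              // assumed table
        "WHERE (@username IS NULL OR Username LIKE @username) " +
        "  AND (@gender   IS NULL OR Gender = @gender) " +
        "  AND (@address  IS NULL OR Address LIKE @address) " +
        "  AND InternalStatus IS NULL " +                               // constant: no parameter
        "ORDER BY Username";

    // Pass null (or "") for any filter the user left blank.
    public static SqlCommand Build(SqlConnection con, string username, string gender, string address)
    {
        SqlCommand com = new SqlCommand(Sql, con);
        AddOptional(com, "@username", SqlDbType.NVarChar, 50,
                    string.IsNullOrEmpty(username) ? null : "%" + EscapeLike(username) + "%");
        AddOptional(com, "@gender", SqlDbType.NVarChar, 10,
                    string.IsNullOrEmpty(gender) ? null : gender);
        AddOptional(com, "@address", SqlDbType.NVarChar, 200,
                    string.IsNullOrEmpty(address) ? null : "%" + EscapeLike(address) + "%");
        return com;
    }

    // A parameter whose Value is C# null is treated as "not supplied" and the command
    // fails; DBNull.Value is what sends SQL NULL.
    static void AddOptional(SqlCommand com, string name, SqlDbType type, int size, string value)
    {
        com.Parameters.Add(name, type, size).Value = (object)value ?? DBNull.Value;
    }

    // Parameters stop SQL injection but not LIKE wildcards inside the data: without
    // this, searching for "50%" matches everything starting with 50, and "_" matches
    // any single character. "[" must be escaped first so the later brackets survive.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

For the SqlDataSource case, the same SelectCommand works declaratively: ControlParameters bound to the text boxes default to ConvertEmptyStringToNull="true", so an empty box becomes a NULL parameter, but the data source also has CancelSelectOnNullParameter, which defaults to true and is what makes the GridView stay empty on first load; set it to false on the SqlDataSource so the select runs with the NULL parameters instead of being skipped.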
I have an application which uses globalization; hence the DateTime objects are globalized based on the current culture. These DateTime objects are passed as SQL parameters for a select query. The database stores the datetime in only one format (en-US style). Although the query is parameterized, the final query generated does not contain converted values (the format that the database is expecting).
Is there a security risk if an application called page.ashx calls an internal-only page.ashx? Can a hacker conclude that another page is called? I don't want anyone to access this page. It looks stupid, I know, but it is part of a more complex problem.
I have tried using .NET's various encryption functions but all my encrypted strings are at least 24, 28 or 32 in length.
I have heard of CipherMode.CTS with Padding = None that produces the same length output as the input length but I can't seem to get the same result. I have toyed with the block-size, key-size and salt size.
I don't mind adding a digit to my input string to make it 16 in length.
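Two of the posts above ask about encrypting query string values: one wants the parameters hidden, the other wants the ciphertext no longer than the input. The added example below (not either poster's code) is the construction a practitioner would use for a URL token in .NET: AES-CBC with a fresh IV, then an HMAC-SHA256 tag over IV and ciphertext, checked before decryption. The keys are hard-coded only so the example compiles; in an application they belong in configuration. The ciphertext is necessarily longer than the input (IV plus padding plus tag, about 86 characters for a short value once base64url-encoded), and that is the point: a length-preserving mode without a tag can be altered in transit, and CipherMode.CTS is in any case rejected by the managed AES classes in .NET.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class QueryStringProtector
{
    // Demo-only keys (32 bytes each). Load real ones from protected configuration.
    static readonly byte[] EncKey = Encoding.ASCII.GetBytes("demo-enc-key-32-bytes-long-00000");
    static readonly byte[] MacKey = Encoding.ASCII.GetBytes("demo-mac-key-32-bytes-long-00000");

    const int IvLen = 16, TagLen = 32;

    // Returns a URL-safe token: base64url( IV || AES-CBC(plaintext) || HMAC(IV || ct) )
    public static string Protect(string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        using (Aes aes = Aes.Create())           // CBC + PKCS7 by default
        {
            aes.Key = EncKey;
            aes.GenerateIV();                    // new random IV for every token
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(pt, 0, pt.Length);

            byte[] payload = new byte[IvLen + ct.Length];
            Buffer.BlockCopy(aes.IV, 0, payload, 0, IvLen);
            Buffer.BlockCopy(ct, 0, payload, IvLen, ct.Length);

            byte[] tag;
            using (HMACSHA256 mac = new HMACSHA256(MacKey))
                tag = mac.ComputeHash(payload);

            byte[] token = new byte[payload.Length + TagLen];
            Buffer.BlockCopy(payload, 0, token, 0, payload.Length);
            Buffer.BlockCopy(tag, 0, token, payload.Length, TagLen);
            return HttpServerUtility.UrlTokenEncode(token);   // base64url, no '+' or '/'
        }
    }

    // Returns the original string, or null if the token is malformed or was tampered with.
    public static string Unprotect(string token)
    {
        byte[] data;
        try { data = token == null ? null : HttpServerUtility.UrlTokenDecode(token); }
        catch (FormatException) { return null; }
        // Minimum is IV + one AES block + tag.
        if (data == null || data.Length < IvLen + 16 + TagLen) return null;

        int payloadLen = data.Length - TagLen;
        byte[] expected;
        using (HMACSHA256 mac = new HMACSHA256(MacKey))
            expected = mac.ComputeHash(data, 0, payloadLen);
        // Verify before decrypting: a bad tag is rejected without touching the cipher,
        // so there is no padding oracle. Compare in fixed time.
        if (!FixedTimeEquals(expected, data, payloadLen)) return null;

        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = EncKey;
                byte[] iv = new byte[IvLen];
                Buffer.BlockCopy(data, 0, iv, 0, IvLen);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                    return Encoding.UTF8.GetString(
                        dec.TransformFinalBlock(data, IvLen, payloadLen - IvLen));
            }
        }
        catch (CryptographicException) { return null; }
    }

    static bool FixedTimeEquals(byte[] a, byte[] b, int bOffset)
    {
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[bOffset + i];
        return diff == 0;
    }
}
```

Usage: build the link as "QuoteItemEdit.aspx?q=" + QueryStringProtector.Protect("PK=1234&Mode=Edit"), and on the target page feed Unprotect(Request.QueryString["q"]) to HttpUtility.ParseQueryString, treating null as a bad request. Two caveats: a valid token can be replayed by anyone who has it, so put the user name or an expiry inside the plaintext if that matters; and hiding the record id is not authorization, the ownership check on the target page is still required. If the only requirement is a short URL, a random 16-byte lookup key stored server-side beats reversible encryption of the parameters.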
I want to make a search system on my website, in which the user selects the various fields of tables through checkboxes, and after selecting the desired fields he clicks on the search button, and the desired result set comes back. Can anybody tell me the code for how I implement this functionality?
We are sending an HTML-encoded string in the query string. It was working fine on IIS 6 (Windows 2003). We have recently moved the website to Windows 2008 (IIS 7.x). Since the move, any query string that contains a "+" sign, i.e. "%2b", gives an error on the server: "404 - File or directory not found."
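On IIS 7 a 404 for a URL that contains "+" is usually the request filtering module's double-escaping check (substatus 404.11 in the IIS log, "request that contains a double escape sequence"); IIS 6 did not have this module. First confirm the substatus code in the site's log file, then, if it is 404.11, the setting below is the switch. This is an added configuration example, not something from the original post.

```xml
<!-- web.config of the site: relaxes request filtering so "+" / "%2b" is accepted -->
<configuration>
  <system.webServer>
    <security>
      <!-- Default is false. true disables the double-escape check for every URL
           of this site, not just the one that carries the "+". -->
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</configuration>
```

The check exists because a doubly-encoded URL can slip past filters that decode only once. A narrower fix than turning it off is to change what is sent: URL-encode the raw value in the link with HttpUtility.UrlEncode and apply HTML encoding only when the value is written into the page, rather than carrying an already HTML-encoded string in the query string.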