What Are The Risks Of Allowing Quote Characters As Part Of A URL Parameter
Nov 2, 2010
I need to allow the user to submit queries as follows;
/search/"my search string"
but it's failing because of request validation, as outlined in the following 2 questions:
[URL]
I'm currently trying to figure out how to disable request validation for the quote character, but i'd like to know the risks before I actually put the site live with this disabled?
I need a regular expression on a RegularExpressionValidator that just checks if the minimum length is 3 characters, it doesnt matter what characters are typed in...
I'm using SQL Server 2005 and am getting security errors when the user enters certain characters in the aspx page. For example, the simple string,
&#
causes an error. How do I allow the user to enter anything they want and keep the site secure? In my VB all fields are sent with Parameters.AddWithValue.
I have to create a utility through which user can able to upload singh or multiple files with the use of asp.net FileUpload Server control.
I am looking for Security concern for the same. What are the points need to keep in our minds which violate security. One main issue is in my mind is related to Viruses - means
How to prompt user for viruses and terminate the upload operation How to scan files for viruses during upload operation There may be several Security risks. discuss the issues/risks with proposed solutions.
I'm building a website at the moment, I've some html fragment that is being stored into the database, I've been reading around that inserting HTML at runtime poses security risks by using the InnerHTML property of any html tag with runat server on it. So, my question is there any alternative way to safely display the html code and won't pose security risks and is it best to assume any textboxes on any given page is dangerous and process the text in the textboxes with Server.HtmlEncode before I store it to database?
We have several asp.net web applications we've built and we also want to embed them into various sharepoint pages. We need to have them look like standalone applications when viewed in their own pages, but also have them look like they fit within the sharepoint page when embedded. We are doing this currently with IFrames and it works ok, but I'm wondering if there is some sort of proxy web part where we can configure the web part to point to an existing web app and it will proxy the contents through from the web app into the sharepoint page removing the need for an IFrame. Possible?
I have four columns in database. Consider it as a,b,c and d. I'm trying to place a and b column values in TO part and c and d column values in CC part in outlook. a,b,c,d contains six digits numeric values. I just need to place a and b columns values in to and c and d values in cc part on click of a button.
When using SPWeb.GetCatalog(SPListTemplateType.WebPartCatalog), it returns an SPList which of course contains a SPListItemCollection of the web parts in the web part gallery. When looping through the items, is there any easy way to get properties of the web parts? Such as AllowClose, CatalogIconImageUrl, etc... I know I can probably accomplish this using the listItem.OpenBinaryStream etc and loading the xml of the .webpart file, but I wondered if there was an easier way to do this.
I have a string with 100 characters and it is for me too long in one line. I want to make NewLine after each 25 characters. For example:
Instead: "Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua."
I have a application that takes a tab delimited text file parses and the inserts the data. Some of the data has international characters. My problem is it appears that my application is changing the characters. For Example the file might contain something lke this Andrlová and is converting it to this Andrlov�
I am passing this into a sproc. The datatypes for my paramater & DB Field is nVarChar(50). If I insert the data directly into my table or if I call my sproc from a query window and pass in some data it works fine, but when my app touches the data it appears to get messed with.
How would I put quotes on the DataLink control so it outputs " computerfolder" (i put a space in there between the \ so it would show up) instead of just\computerfolder it generates a link but if the folder name has a space it in the link breaks so i am trying to put double quotes on it so it creates a link even if there are spaces.
I'm working on an ASP.NET (C#) web project that is using master pages.
I'm looking for an easy way to display a random customer quote each time a page is loaded.
Since this is a fairly simple web project I'd like to stay away from storing the quotes in a database. Currently there is no database connections required for the project so I'd like to keep it as simple as possible -- perhaps storing the quotes in an XML file them using an XmlTextReader to read the file?
Edit: I will need to store and pull both a quote and a customer name for the quote.
I have a textbox and button in my child page it inherits a master page.the textbox should allow to key in only alphabets,comma,dot,space,single quote. And also consecutive comma dot single quote should not be allowed to key in. first and last character should be alphabets.
I have a javascript but it does not check for consecutive comma,dot,single quote...
"something here [tagQuote=Name of Author]bla bla bla[/tagQuote] something here"And now I want to replace all the whitespace character in quote attribute with "%#%#%#%".So I want to have: [tagQuote=Name%#%#%#%of%#%#%#%Author]bla bla bla[/tagQuote]So remove all of the whitespaces between "[tagQuote=" and "]...[/tagQuote]"
I get csv files from clients which I need to read, test data then import. All this is done, however, I do have one sticking point which I just dont seem to be able to get around.
[Code]....
Problem is when there is a comma in the middle of a field. I have been looking at the csv prasers on the net but dont seem to be able to find anything that will return back to LineArray.
SQLCommand cmd = new SQLCommand("insert into customers name values ('"+textbox1.Text+"')",conectionstring); cmd.ExecuteNonQuery();
now when people enter a (') single quote, this doesnt work. how do i avoid this error as this is driving me nuts!! i cannot prevent users from entering single quotes as names like "O'Connor" contain a single quote. parameterized query doesnt seem to be the best solution as it involves loads of coding and will involve huge changes in the code. as its not a fresh app im making... can some modification in the code above so this can be avoided?