Friday, January 16, 2009

HTML Injection

Now I would like to share another interesting thing in web application security: HTML Injection.
HTML Injection refers to injecting HTML markup into a web server's response so that the content rendered for the end user is altered. When the injected markup carries script, it is the attack better known as Cross Site Scripting.
Cross Site Scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
An attacker can use XSS to send malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the script arrives in a page from a trusted site, it runs with that site's origin and can read any cookies, session tokens, or other sensitive information the browser holds for that site (cookies marked HttpOnly are the exception: script cannot read them, although it can still act on the user's behalf while the page is open).

Let's see how the problem can be mitigated in ASP.NET.

validateRequest is a nice feature that tells ASP.NET whether to examine all data from the browser (form fields, query string and cookies) for potentially malicious input, in particular anything that looks like HTML or script, which forms the basis for many types of attacks such as cross-site scripting. By introducing request validation and turning it on by default, Microsoft has effectively stopped the most common, naive Web site attacks. It is, however, a blacklist applied to input: it does not know where a value will end up, and it is not a substitute for encoding on output.

The first problem with validateRequest comes when you run an ASP.NET application on a server: in many circumstances, painfully many, you'll get the exception "A potentially dangerous Request.Form value was detected from the client" as soon as a submitted value contains markup-like input (a rich-text editor, a comment with a <b> tag, even a stray < in a free-text field). This breaks the application. In this case the check is justified: if such input is accepted, stored and echoed back without encoding, every visitor who views it runs the attacker's script in the context of your site, and you may not find out until session tokens have already been stolen.

You can disable this for a single page by setting it to false in the page directive

<%@ Page ... validateRequest="false" %>

With this setting, ASP.NET won't examine the data coming from the browser for that page. (The same attribute on the <pages> element in web.config turns validation off for the whole site; prefer the page-level switch and limit it to the pages that genuinely need markup.) Once validation is off, the page itself is the only defence, so every value it receives must be encoded with Server.HtmlEncode or HttpUtility.HtmlEncode before it is written back into the response.

Secondly, never trust user input: validate it against what the field is expected to contain (a whitelist of allowed characters or a strict format) rather than trying to filter out known-bad metacharacters, and always encode it when it is written into a page. That alone eliminates the majority of XSS attacks. Converting < and > to &lt; and &gt; (and & to &amp; and " to &quot; inside attributes, which HttpUtility.HtmlEncode does for you) is the minimum when it comes to script output.

Thursday, January 15, 2009

(CheckBox in HeaderTemplate to) Select All CheckBoxes inside a GridView using JavaScript

This question has been around for a pretty long time.
Here is the scenario: there is one TemplateField in a GridView which is used to select a row. So there is a CheckBox inside the ItemTemplate of that column, and the user can select more than one row with it. To select all the checkboxes in that column at once, there is a "Select All" CheckBox in the HeaderTemplate of the GridView. When the user checks "Select All" in the header, all the row checkboxes should be selected, and vice versa; and when the user selects every row checkbox individually, the "Select All" checkbox should become selected, and unchecking any row should clear it again.

First of all, here is the grid structure. Only the selection column matters for the script, so the markup below is reduced to the parts the JavaScript relies on: the GridView is named GridView1, its HeaderTemplate holds the "Select All" CheckBox chkParent wired to SelectAll(this), and its ItemTemplate holds the per-row CheckBox chkChild wired to SelectParent(this). Any other columns go alongside the TemplateField.

<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False">
    <Columns>
        <asp:TemplateField>
            <HeaderTemplate>
                <asp:CheckBox ID="chkParent" runat="server" onclick="SelectAll(this);" />
            </HeaderTemplate>
            <ItemTemplate>
                <asp:CheckBox ID="chkChild" runat="server" onclick="SelectParent(this);" />
            </ItemTemplate>
        </asp:TemplateField>
        ...
    </Columns>
</asp:GridView>
And now the required JavaScript. Two things to be aware of: the script uses <%= %> to read the row count, so it must live inline in the .aspx, and it addresses the checkboxes by the IDs ASP.NET generates (ctl01 for the header row, ctl02 onwards for the data rows), so it needs adjusting if the grid sits inside another naming container such as a user control or master page content area, which prefixes those IDs. The rendered client ID uses underscores (GridView1_ctl02_chkChild); the "$" form is the form-field name, which only Internet Explorer's getElementById happens to match.

This one checks/unchecks all the row checkboxes when Select All is clicked:

function SelectAll(obj)
{
    // Number of data rows, emitted by ASP.NET when the page renders.
    var item = <%=GridView1.Rows.Count%>;
    // Header is ctl01, data rows are ctl02, ctl03, ... (zero-padded below 10).
    for (var i = 2; i <= item + 1; i++)
    {
        var id = "GridView1_ctl" + (i <= 9 ? "0" + i : i) + "_chkChild";
        document.getElementById(id).checked = obj.checked;
    }
}

This one checks the Select All checkbox when every row is selected, and clears it as soon as any row is unchecked:

function SelectParent(obj)
{
    var item = <%=GridView1.Rows.Count%>;
    var check = 0;
    // Count the checked row checkboxes, using the same generated IDs as SelectAll.
    for (var i = 2; i <= item + 1; i++)
    {
        var id = "GridView1_ctl" + (i <= 9 ? "0" + i : i) + "_chkChild";
        if (document.getElementById(id).checked)
            check++;
    }
    // The header checkbox is on only when every row checkbox is on.
    document.getElementById("GridView1_ctl01_chkParent").checked = (item == check);
}

How to insert XML data into a table in SQL Server

Below is a stored procedure that does it: the XML arrives as a string parameter, sp_xml_preparedocument parses it, and OPENXML turns each <Book> element into a row for the INSERT.

CREATE PROCEDURE [dbo].[pr_wip_InsertXML]
    @dataXML VARCHAR(3000)   -- the whole XML document, passed in as a parameter
AS
BEGIN
    SET NOCOUNT ON

    DECLARE @DocHandle INT

    -- Parse the document into SQL Server's internal XML cache and get a handle to it.
    EXEC sp_xml_preparedocument @DocHandle OUTPUT, @dataXML

    -- Flag 1 = attribute-centric mapping: every /Books/Book element becomes a row
    -- and its BookName attribute becomes the BookName column.
    INSERT INTO dbo.Books (BookName)
    SELECT x.BookName
    FROM OPENXML(@DocHandle, '/Books/Book', 1)
    WITH
    (
        BookName VARCHAR(50)
    ) AS x

    -- Release the parsed document; otherwise it stays in memory until the connection ends.
    EXEC sp_xml_removedocument @DocHandle
END

--Below is the XML format
<?xml version="1.0" encoding="utf-8" ?>
<Books>
<Book BookName="Let Us C" />
<Book BookName="Asp.Net" />
</Books>
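The procedure itself cannot be SQL-injected, because @dataXML is a parameter, but it does parse whatever document the caller hands it. The added example below (not part of the original post, written in JavaScript so it runs offline) shows why the caller must escape book names when it builds that XML: a title containing a double quote can close the BookName attribute and smuggle in a second <Book> element, which OPENXML will dutifully insert as a row. extractBookNames is a small regex stand-in for the attribute-centric OPENXML(..., '/Books/Book', 1) mapping, and HOSTILE_TITLE and the other titles are constructed inputs.

```javascript
// Added example (not from the original post): how the caller should build the
// @dataXML document, and what happens if it does not. extractBookNames is a
// regex stand-in for OPENXML(@h, '/Books/Book', 1); the titles are constructed.

// Escape the characters that are significant inside a double-quoted XML
// attribute. '&' first so the entities we emit are not re-encoded.
function xmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

const XML_HEAD = '<?xml version="1.0" encoding="utf-8" ?>';

// Vulnerable builder: titles concatenated raw into the attribute value.
function buildBooksXmlUnsafe(titles) {
  return XML_HEAD + '<Books>' +
    titles.map(t => '<Book BookName="' + t + '" />').join('') +
    '</Books>';
}

// Hardened builder: every title escaped for the attribute context.
function buildBooksXmlSafe(titles) {
  return XML_HEAD + '<Books>' +
    titles.map(t => '<Book BookName="' + xmlAttr(t) + '" />').join('') +
    '</Books>';
}

// Stand-in for the attribute-centric OPENXML mapping in the stored procedure:
// one result per <Book .../> element, with its BookName attribute decoded.
// (The real parser also rejects malformed XML; the hostile title below is
// chosen so the document stays well formed and is accepted.)
function extractBookNames(xml) {
  const names = [];
  const book = /<Book\s+BookName="([^"]*)"\s*\/>/g;
  let m;
  while ((m = book.exec(xml)) !== null) {
    names.push(m[1]
      .replace(/&quot;/g, '"')
      .replace(/&gt;/g, '>')
      .replace(/&lt;/g, '<')
      .replace(/&amp;/g, '&'));
  }
  return names;
}

// Constructed input: one title that closes the attribute and the element and
// smuggles an extra <Book> in, followed by an ordinary title.
const HOSTILE_TITLE = 'Let Us C" /><Book BookName="Injected';
const TITLES = [HOSTILE_TITLE, 'Asp.Net'];

console.log(extractBookNames(buildBooksXmlUnsafe(TITLES))); // 3 rows, one of them 'Injected'
console.log(extractBookNames(buildBooksXmlSafe(TITLES)));   // 2 rows, the title stored verbatim
```

The unsafe builder turns two titles into three rows; the escaped builder stores the hostile title exactly as typed. Whatever client code assembles the document for pr_wip_InsertXML (or any OPENXML-based procedure) needs the same attribute escaping, or should use an XML library that does it for you.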

Find out the (Day-Hours-Minutes) difference between two datetime fields.

In one of my projects the requirement was to find out the (Day-Hours-Minutes) difference between two datetime fields, so I wrote a SQL Server function that returns that difference in Day-Hours-Minutes format.

Below is the code.


CREATE FUNCTION [dbo].[FindDateDiff]
(
    @StartDate DATETIME,
    @EndDate DATETIME   -- NULL means "now"
)
RETURNS VARCHAR(100)
AS
BEGIN
    DECLARE
        @dateDay INT,
        @dateHour INT,
        @dateMin INT

    -- Total whole minutes between the two dates. Negative if @EndDate is earlier than @StartDate.
    -- GETDATE() inside a user-defined function requires SQL Server 2005 or later.
    SET @dateMin = CASE WHEN @EndDate IS NULL THEN DATEDIFF(mi, @StartDate, GETDATE())
                        ELSE DATEDIFF(mi, @StartDate, @EndDate) END

    IF (@dateMin >= 60)
    BEGIN
        -- Split minutes into hours plus remainder, then hours into days plus remainder.
        SELECT @dateHour = @dateMin / 60;
        SELECT @dateMin = @dateMin % 60;
        IF (@dateHour >= 24)
        BEGIN
            SELECT @dateDay = @dateHour / 24;
            SELECT @dateHour = @dateHour % 24;
        END
        ELSE
        BEGIN
            SET @dateDay = 0;
        END

        RETURN CONVERT(VARCHAR(100), @dateDay) + '-' + CONVERT(VARCHAR(100), @dateHour) + '-' + CONVERT(VARCHAR(100), @dateMin);
    END
    ELSE
    BEGIN
        RETURN '0-0-' + CONVERT(VARCHAR(100), @dateMin);
    END

    -- Never reached, but T-SQL requires the last statement of a scalar function to be RETURN.
    RETURN '0-0-0';
END


-- SELECT [dbo].[FindDateDiff]('06/05/2008 6:28:00 PM', '11/06/2008 7:28:00 PM')
-- returns 154-1-0 with us_english (month/day/year) date settings