|
There's been an increase in SQL Injection attacks against Web sites. And a lot of developers are already developing Web applications in a way that prevents the attack from being effective. But what can you do about it for legacy systems, and what are the best practices really? And how can I show that I'm doing the right thing in my site?
Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data came out yesterday and provides advice and tools to protect against a rise in SQL injection attacks. A recent escalation in attacks on Web sites exploits unverified user data input. The attacks target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database.
But the vulnerability is not exploited in Web applications that follow best practices to verify user data. The Security Advisory provides phone support for customers in the United States and Canada who may have been affected by the vulnerability. International customers are provided a link where you can get help locally.
The Security Advisory provides an overview of the issues, a section for frequently asked questions, and a series of suggested actions that includes tools to help identify if your site is vulnerable.
- Hewlett Packard provides a free scanner, HP Scrawlr, that can identify whether sites are susceptible to SQL injection. It provides a report of pages that are vulnerable along with the associated fields.
- A beta version of UrlScan restricts the types of HTTP requests that Internet Information Services (IIS) will process. UrlScan 3.0 installs on IIS 5.1 or later and can be found at URLScan Tool 3.0 Beta.
- You can check your source code with SQL Source Code Analysis Tool to detect ASP code that is susceptible. The tool can be found in Microsoft Knowledge Base Article 954476.
- The Security Advisory also contains additional links to best practices on how to avoid SQL injection attacks, including Coding Techniques for protecting against SQL Injection in ASP.NET and other articles.
To learn more about how you can protect your Web site from SQL Injection, see Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data.
|
|
|
|
|
I'm trying to work out what the question is. You know this post will be lost forever, and no-one will ever read it, in a few hours?
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
|
|
|
|
|
form1.aspx

under html
<script language="javascript" type="text/javascript">
function calendarPicker(strField)
{
    window.open('DatePicker.aspx?field=' + strField,'calendarPopup','width=250,height=190,resizable=yes');
}
</script>

<a href="javascript:;" onclick="calendarPicker('Form1.txtEventDate');" title="Pick Date from Calendar">pick</a>
for the calenderpicker.aspx
Private Sub Calendar1_DayRender(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.DayRenderEventArgs) Handles Calendar1.DayRender

    e.Cell.Controls.Clear()

    Dim Link As System.Web.UI.HtmlControls.HtmlGenericControl
    Link = New System.Web.UI.HtmlControls.HtmlGenericControl
    Link.TagName = "a"
    Link.InnerText = e.Day.DayNumberText
    Link.Attributes.Add("href", String.Format("JavaScript:window.opener.document.{0}.value = '{1:d}'; window.close();", Request.QueryString("field"), e.Day.Date))

    If e.Day.IsSelected Then
        Link.Attributes.Add("style", Me.Calendar1.SelectedDayStyle.ToString())
    End If

    '// Now add our custom link to the page
    e.Cell.Controls.Add(Link)

End Sub
|
|
|
|
|
Which part of the code is not working? Or, I mean to say, when?
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
For Firefox everything works great.
But for IE, when the popup calendar comes, I select a date but it does not append to the textbox assigned to it.
|
|
|
|
|
Can you post again here that line of code only? I did find on above post.
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
Sorry about that, guess I missed the most important code; I deleted the a href code
a href "javascript:;" onclick="calendarPicker('Form1.TextBox11');" title="Pick Date from Calendar">
|
|
|
|
|
I don't know what you have posted here?
Remember that: if you want to access the text box value in JavaScript
then use it like this:
var obj=document.getElementById('textboxid');
if( obj != null )
    var value = obj.value;
I hope it helps you!!!
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
Sorry, those codes are under the HTML section for an img.
[a href "javascript:;" onclick="calendarPicker('Form1.TextBox11');" title="Pick Date from Calendar"]
So my idea is the on_click will be calling the JavaScript function from the first post.
Another question: will I have to overwrite my current script with the one you posted?
|
|
|
|
|
Your problem is in JavaScript:
function calendarPicker(strField)
{
    window.open('DatePicker.aspx?field=' + strField,'calendarPopup','width=250,height=190,resizable=yes');
}
Change as this:
function calendarPicker()
{
    var obj=document.getElementById("TextBoxid");
    if( obj != null )
        window.open('DatePicker.aspx?field=' + obj.value,'calendarPopup','width=250,height=190,resizable=yes');
}
OR
Pass the text box id as strField
get it in the JavaScript
Like
function calendarPicker(strField)
{
    var obj=document.getElementById("strField");
    .........
    .....
}
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
Hmm, strange, now the window does not appear and gives a yellow ! saying object does not support this method.
<script language="javascript" type="text/javascript">
function calendarPicker(strField)
{
var obj=document.getElementByID("strField")
if( obj = !null )
window.open('DatePicker.aspx?field=' + strField,'calendarPopup','width=250,height=190,resizable=yes');
}
</script>
|
|
|
|
|
strField is the Textbox id
If yes:
var obj=document.getElementById(strField);
//Avoid the double quotes
No
Then find direct with Control id
var obj=document.getElementById("TextBoxId");
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
After changing to either by control id or passing the id through strField it gives the same error.
|
|
|
|
|
Perhaps if you fix your formatting so we can see all the code?
The answer is obviously that you're doing something, somewhere, that is done differently in IE. So, you need to find that bit of code, wrap it in a browser check, and write IE specific code as needed.
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
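An added example, not part of any post in this thread: DatePicker.aspx above puts Request.QueryString("field") straight into a javascript: link, so the popup runs whatever text arrives in that parameter. The code below treats field as a plain element id, validates it on both sides, and writes the date with getElementById; the function names, the id and date rules, and the stub document are assumptions.

```javascript
// Added example; isSafeFieldId, buildPickerUrl, applyPickedDate and
// makeFakeDocument are hypothetical names, not from the thread.

// Accept only a plain element id: letter or underscore first, then
// letters, digits or underscores. Dots, quotes and spaces are rejected.
const FIELD_ID = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;
// Accept only a short numeric date such as 6/25/2008 or 25.06.2008.
const DATE_TEXT = /^\d{1,4}[\/.\-]\d{1,2}[\/.\-]\d{1,4}$/;

function isSafeFieldId(id) {
  return typeof id === 'string' && FIELD_ID.test(id);
}

// Opener side: build the popup URL, refusing anything that is not a plain id.
function buildPickerUrl(fieldId) {
  if (!isSafeFieldId(fieldId)) {
    throw new Error('invalid field id');
  }
  return 'DatePicker.aspx?field=' + encodeURIComponent(fieldId);
}

// Popup side: read ?field= from the popup's own query string and write the
// date into the opener's textbox. Returns true only when the value was set.
function applyPickedDate(openerDoc, search, dateText) {
  const fieldId = new URLSearchParams(search).get('field');
  if (!isSafeFieldId(fieldId) || !DATE_TEXT.test(dateText)) {
    return false;
  }
  const box = openerDoc.getElementById(fieldId); // lower-case "d" in ById
  if (box === null || box === undefined) {
    return false;
  }
  box.value = dateText; // assigned as data, never evaluated as script
  return true;
}

// Constructed stand-in for window.opener.document so this runs outside a browser.
function makeFakeDocument(ids) {
  const elements = {};
  ids.forEach((id) => { elements[id] = { value: '' }; });
  return {
    elements,
    getElementById: (id) =>
      (Object.prototype.hasOwnProperty.call(elements, id) ? elements[id] : null),
  };
}
```

In the popup the call would be applyPickedDate(window.opener.document, window.location.search, pickedDate), with the day links carrying the date as data instead of a javascript: URL built on the server.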
|
|
|
|
|
I have an image button that opens a file browser on clicking it, but my button always requires 2 clicks and then after it requires only 1 click. How can I avoid it having 2 clicks for the first time?
Here is my HTML code and the function that it calls after click.
<img id="uploadImg1" class="imgUpload1" src="~/images/upload1.gif" runat="server"
     alt="Select file from your computer" onclick="BrowseSingle()" />
Here is my JS function that should be called onclick:
function BrowseSingle()
{
    maxNoOfFiles = 1;
    if(browseMode == "bulk")
    {
        swfu = null;
    }
    if(swfu == null)
    {
        SingleUploadObjInit();
    }
    swfu.browse();
    browseMode = "single";
}
|
|
|
|
|
I am not sure, but it might be because of runat="server".
Can you check it as this:
On page load event:
uploadImg1.Attributes.Add("onclick","BrowseSingle()");
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
My VS .Net 2005 web app uses crystal reports.
They are set to use Landscape orientation in the .rpt as well as programmatically.
When the print dialog shows, Portrait is always set.
Anyone have a solution for this?
Also, during my internet searches, I found a possible solution involving c:\windows\microsoft.net\framework\v2.0.50727\asp.netclientfiles\crystalreport\webformviewer3\html\crystalprinthost.html.
It suggested changing a javascript property from pageorientation to paperorientation.
Since then I don't even get the printer dialog, just a "Error in "/" application, resource cannot be found" in a 2" box.
I tried copying the whole folder from another working PC, no change.
I tried uninstall of everything VS, and reinstalling, but it still won't work.
"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."
"There is no one who loves pain itself, who seeks after it and wants to have it, simply because it is pain..."
|
|
|
|
|
Hi Rechard,
I remember the report object provides a property like:
oReport.PrintOptions.PaperOrientation = PaperOrientation.Landscape
Or are you looking for a different thing?
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
Yes, I've tried that. The print dialog just ignores it and uses Portrait.
"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."
"There is no one who loves pain itself, who seeks after it and wants to have it, simply because it is pain..."
|
|
|
|
|
Sorry Richard!
I never faced this kind of problem. It seems like settings are automatically adjusted by the print dialog.
It is learning for me.
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|
|
What is strange is if I use the Windows Forms version of the reportviewer, and print, the print dialog sees Landscape like it should.
"Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit..."
"There is no one who loves pain itself, who seeks after it and wants to have it, simply because it is pain..."
|
|
|
|
|
Hi All,
I have a login screen with a header and footer. Once logged in, it will take me to a menu and from there, for every page that I navigate to, the same header and footer as in the login screen should be visible along with the main menu at the side. How do I do this?
I am using VS2003 and vb.net...
Any help in this regard is highly appreciated.
Regards,
Reena
|
|
|
|
|
I'm not sure if you can create master pages in Visual Studio 2003, but another way is to create a header and footer page, i.e. header.aspx and footer.aspx, and then include them in your files i.e.
We are not a Code Charity
|
|
|
|
|
I'm sorry you have to use VS2003.
Master Pages don't exist yet. I would create a user control for the header and a user control for the footer. Then add the user control to each page.
I didn't get any requirements for the signature
|
|
|
|
|
Better way to implement it;
Create a Header and Footer Web User Control and add it in every page of header and footer area.
Parwej Ahamad
R & D: REST services with WCF
|
|
|
|