I was reading an article on web security from this URL: http:
The person says that if any action method returns data in JSON format for a GET request, then a malicious user can do CSRF. He suggested that if we stop delivering JSON data for GET requests, then bad people cannot hijack our JSON.
My question is: if a hacker drops a jQuery script which makes an AJAX POST request, then the JSON will also be delivered to the client. So please tell me, after reading that article, what the person is trying to say, like delivering JSON for POST requests will be invulnerable, because the auth cookie goes at the time of the GET and the POST method too. Help me to understand how to stop JSON hijacking and also why the author is saying POST is more secure than GET.
tbhattacharjee
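An added example, not code from the post or from the article it refers to, showing how that advice is usually applied in an ASP.NET MVC action (the AccountController, GetContacts and Contact names are hypothetical). The reason POST is treated differently: the classic JSON hijack loads the JSON URL with a cross-site `<script src="...">` tag, which the browser fetches with the victim's cookies but can only send as a GET; an AJAX POST issued from another origin is sent, but the same-origin policy stops that origin from reading the response, so the data is not exposed. Refusing GET and wrapping arrays in an object therefore closes the script-tag route. A script the attacker manages to run inside your own page is XSS, a separate problem that these settings do not address.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical model type standing in for whatever the real action returns.
public class Contact
{
    public string Name { get; set; }
    public string Email { get; set; }
}

public class AccountController : Controller
{
    // Hypothetical data access; a real app reads the signed-in user's rows here.
    private static IList<Contact> LoadContactsForCurrentUser()
    {
        return new List<Contact>
        {
            // constructed sample record
            new Contact { Name = "Alice", Email = "alice@example.com" }
        };
    }

    // 1. [HttpPost]: a cross-site <script src="/Account/GetContacts"> tag can only
    //    issue a GET, so no action matches and the request gets a 404.
    // 2. JsonRequestBehavior.DenyGet: MVC's own refusal to serialise to a GET,
    //    which still holds if someone removes the attribute later.
    // 3. The list is wrapped in an object. A bare JSON array is a valid JavaScript
    //    expression that old browsers could evaluate when loaded as a script;
    //    an object literal with quoted keys is a syntax error in that position.
    // 4. [ValidateAntiForgeryToken]: the forged POST itself is rejected unless it
    //    carries the anti-forgery token that only your own pages can supply.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public JsonResult GetContacts()
    {
        var contacts = LoadContactsForCurrentUser();
        return Json(new { d = contacts }, JsonRequestBehavior.DenyGet);
    }
}
```

The jQuery call on your own page then sends the token along with the POST, for example with `$.ajax({ type: "POST", url: "/Account/GetContacts", data: { __RequestVerificationToken: token } })`, where `token` is read from the hidden field that `@Html.AntiForgeryToken()` renders.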
I searched Google for my above question but I am not getting a single website which discusses all the common and dangerous attacks that happen to a website and how to secure against them. Most sites are talking about XSS attacks, CSRF & SQL injection, but I would love to know the other attack names so that I can read and understand about those attacks and the solutions to close those holes for a website.
So if anyone knows any website address then please share the link which discusses the various attacks and their solutions.
tbhattacharjee
OWASP is a good place to start.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Sir Richard MacCutchan, I wasn't able to post my reply in that thread; that is why I am posting here.
That I have done. But the problem is that the user can fetch data in many ways, like filling just one text box, or two, or three, or more than three text boxes.
What I have in mind is that I check all options, like: if text box 1 and text box 2 are not null,
select * from emp where id is text box 1 and number is text box 2
or if text box 1 and text box 2 and text box 3 are not empty,
perform this query.
Can you please help me out if there is any alternate way to perform this operation?
I already explained to you how to do it in my last reply. I don't understand what more you need. Check each box in turn; if it is null, continue checking. If it is not null, add its search expression to the command string. And use proper parameterized queries, not concatenated strings.
Okay gotcha Thank you Sir.
I have a page with a calendar and a textbox.
When I select a date from the calendar, the selected date is stored in textbox.Text.
I have another page where data is displayed in a GridView in Page_Load.
I want to access data where the expiry date is textbox1.Text. I am getting an error in the adap.Fill(ds) section with a data type mismatch exception.
You'll need to fix the error.
There are only 10 types of people in the world, those who understand binary and those who don't.
Yes, I know that I have to fix the error. But how? That is my question.
How can we know? You haven't provided the exact error.
However, data type mismatch means just that: trying to put a decimal into an int, or a string into an int. It should be very easy for you to find if you debug the code.
There are only 10 types of people in the world, those who understand binary and those who don't.
I've googled but cannot find a solution that works. I've found, and gotten to work, uploading, viewing and downloading files to/from folders on my server. These are shown in bound GridViews on 2 pages. Now what I need is to allow the user to delete files when they are out of date. Below is the code. If anyone can point me in the right direction I would greatly appreciate it!
Attachments:<asp:FileUpload ID="fileUpload1" runat="server" /><br />
<asp:Button ID="btnUpload" runat="server" Text="Upload" onclick="btnUpload_Click" usesubmitbehavior="false"/>
<asp:GridView ID="gvDetails" CssClass="Gridview" runat="server"
AutoGenerateColumns="False"
DataSourceID="SqlDataSource2">
<HeaderStyle BackColor="#df5015" />
<Columns>
<asp:BoundField DataField="Id" HeaderText="Id" Visible="False" />
<asp:BoundField DataField="filepath" HeaderText="filepath" Visible="False" />
<asp:BoundField DataField="FileName" HeaderText="File Name" />
<asp:TemplateField>
<ItemTemplate>
<asp:LinkButton ID="lnkDownload" runat="server" Text="Download" OnClick="lnkDownload_Click"></asp:LinkButton>
</ItemTemplate>
</asp:TemplateField>
<asp:BoundField DataField="CVSNumber" HeaderText="Company Auto" Visible="False" />
</Columns>
</asp:GridView>
VB Code-
' The code-behind needs these imports (added here; they were not shown in the post):
Imports System.IO
Imports System.Data
Imports System.Data.SqlClient

Protected Sub btnUpload_Click(ByVal sender As Object, ByVal e As EventArgs)
    ' GetFileName strips any directory part the browser sent, so only the bare name is kept
    Dim cvsfilename As String = Path.GetFileName(fileUpload1.PostedFile.FileName)
    Dim firmcvs As String = CompanyAuto_TB.Text
    fileUpload1.SaveAs(Server.MapPath("files/" & cvsfilename))
    Dim sql As String = "Insert INTO tblFiles(Filename, Filepath, CVSNumber) "
    sql += "values(@Name, @Path, @CompanyAuto_tb) "   ' parameter name fixed: the post had @PAth here
    Dim cmd As SqlCommand = New SqlCommand(sql, New SqlConnection(conString))
    cmd.Parameters.AddWithValue("@Name", cvsfilename)
    cmd.Parameters.AddWithValue("@Path", "files/" & cvsfilename)
    cmd.Parameters.AddWithValue("@CompanyAuto_tb", firmcvs)
    Try
        cmd.Connection.Open()
        cmd.ExecuteNonQuery()
    Catch ex As Exception
        ' Writing the full exception to the page shows internals (paths, queries) to the browser;
        ' logging it on the server and showing a generic message is the safer choice
        Response.Write(ex.ToString())
    Finally
        If cmd IsNot Nothing Then
            If cmd.Connection.State <> ConnectionState.Closed Then
                cmd.Connection.Close()
            End If
            cmd.Dispose()
        End If
    End Try
End Sub   ' End Sub was missing in the post

Protected Sub lnkDownload_Click(ByVal sender As Object, ByVal e As EventArgs)
    Dim lnkbtn As LinkButton = TryCast(sender, LinkButton)
    Dim gvrow As GridViewRow = TryCast(lnkbtn.NamingContainer, GridViewRow)
    ' DataKeys holds the stored virtual path, e.g. "files/report.pdf" (DataKeyNames must be set on the GridView)
    Dim filePath As String = gvDetails.DataKeys(gvrow.RowIndex).Value.ToString()
    ' The uploads are arbitrary files, not only JPEGs, so send a generic binary type
    Response.ContentType = "application/octet-stream"
    ' Put only the file name in the header, not the "files/" directory part
    Response.AddHeader("Content-Disposition", "attachment;filename=""" & Path.GetFileName(filePath) & """")
    Response.TransmitFile(Server.MapPath(filePath))
    Response.[End]()
End Sub
If the files are located on the file system of your web application (not in the database; like most developers do, storing the binary data in the database, for me this option is just too foolish), you can execute the command to delete the file, like you do in any other .NET application.
The following MSDN link has the method to delete files from the file system. You can use the VB version of the code; right now it is in C#, or depending on your choice of MSDN code samples.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
Unfortunately, that would give me the entire list of files. The gridview is tied to the specific record on screen and the file(s) are shown in the gridview. I do not want users to have to hunt to find a record to delete. I just want a delete button next to the download button to remove the file.
Did you try to understand what I told you?
The link I gave was about "How to delete one single instance of file from your machine". You can use it to delete one file (at a time). It won't give you the list of files; that is the job of Directory.EnumerateFiles(string location), which provides you with the list of files available in a directory.
The button that you're talking about has been tied to the delete event. You can write this code in it.
// needs: using System.IO;
void Button_Click(object sender, EventArgs e) {
    // replace this placeholder with the real path; pass the location in from a parameter
    string file = "You can pass the location from a parameter.";
    File.Delete(file);
}
Once this code executes, the file at that location (you need to pass the location of the file to delete, so embed the file path somewhere along with the button) would be deleted.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
That's my problem. I cannot get the path. I have the folder path, I have the file name but putting both together in the delete button is frustrating me.
Why is it frustrating at all?
Now this is somewhat stupid to me: concatenating the directory and filename is frustrating? In which sense, actually? You're concatenating them to extract the file from the machine, but you're having psychological troubles concatenating the two while you're about to delete?
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
It's frustrating because it's not working. I'm very much a novice at this. I've tried several different ways of taking the folder "~/files/" and the file name, tying them together and deleting the file.
First, sorry for being rude.
Secondly, you should try this code then.
File.Delete(Server.MapPath("~/Files/Location.format"));
You can pass the virtual location of your file and it would delete the real file from the machine. Server.MapPath should be used when working on a web application: on an HTTP server you don't specifically share the actual path to a resource; instead you share the virtual path to the file using a URL and a domain and so on. In such scenarios Server.MapPath() is used to handle the virtual path and convert it to the real path, such as D:\Files\Location.format. You can read the MSDN document I have attached to the answer too.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
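An added example that is neither the poster's code nor the MSDN sample: a Delete link beside the existing Download link, in C# code-behind. It assumes the GridView's DataKeyNames is "filepath" (the download handler already reads DataKeys that way), that tblFiles and the "files" folder are as in the posted code, and that the connection string is named "Files" in web.config. The part the thread is stuck on, putting the folder and the file name together, is `Path.Combine(Server.MapPath("~/files/"), Path.GetFileName(storedPath))`; the surrounding check makes sure the result still lies inside that folder before anything is deleted.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.IO;
using System.Web.UI.WebControls;

// Hypothetical page class; gvDetails is the GridView from the posted markup.
public partial class FilesPage : System.Web.UI.Page
{
    // Assumed connection string name; the poster's code calls it conString.
    private static readonly string conString =
        ConfigurationManager.ConnectionStrings["Files"].ConnectionString;

    // Markup added to the poster's TemplateField, next to lnkDownload:
    // <asp:LinkButton ID="lnkDelete" runat="server" Text="Delete"
    //     OnClick="lnkDelete_Click" OnClientClick="return confirm('Delete this file?');" />
    protected void lnkDelete_Click(object sender, EventArgs e)
    {
        var lnk = (LinkButton)sender;
        var row = (GridViewRow)lnk.NamingContainer;
        // Same lookup the download link uses: the stored virtual path, e.g. "files/report.pdf".
        string storedPath = gvDetails.DataKeys[row.RowIndex].Value.ToString();

        string physical = ResolveInsideFolder(Server.MapPath("~/files/"), storedPath);
        if (physical == null)
        {
            // The stored value did not resolve inside the upload folder: refuse, do not delete.
            return;
        }

        if (File.Exists(physical))
        {
            File.Delete(physical);
        }

        // Remove the matching row so the grid no longer lists the file.
        using (var conn = new SqlConnection(conString))
        using (var cmd = new SqlCommand("DELETE FROM tblFiles WHERE Filepath = @Path", conn))
        {
            cmd.Parameters.AddWithValue("@Path", storedPath);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        gvDetails.DataBind();   // re-query so the deleted row disappears from the GridView
    }

    // Joins the upload folder with the file name only (the directory part of storedPath is
    // discarded) and checks the normalised result is still under that folder.
    // Returns the physical path, or null when it would fall outside the folder.
    public static string ResolveInsideFolder(string folder, string storedPath)
    {
        string root = Path.GetFullPath(folder);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
        {
            root += Path.DirectorySeparatorChar;
        }
        string candidate = Path.GetFullPath(Path.Combine(root, Path.GetFileName(storedPath)));
        return candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }
}
```

Because the path comes from DataKeys rather than from a posted form field, the user cannot pick an arbitrary file to remove; the containment check in ResolveInsideFolder is there so that a bad value in the table (or a later change that takes the name from the request) still cannot reach outside the upload folder.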
I've tried multiple ways but I cannot get the filename to come over. I'm thinking this is a lost cause and I will be stuck going into the folder and manually deleting the files and the line in the table.
I have a page with 6 textboxes. I want to fetch data from an MS Access database, but there may be many combinations, like the user fills only one box and fetches, or the user can fill more than one box and fetch data. There may be many combinations.
I have emp_id, from date, to date, expiry date, request number, status.
A combination may be that the user only fills one box, i.e. emp_id or from date or status etc.,
or the user can fill emp_id and status and request number and from date etc.
The problem is I am not able to understand whether to check "if textbox1.Text is not null and textbox2.Text is not null then perform this query" for every possible combination, or what?
Firstly, please don't fill your message with emoticons; they add nothing useful.
Secondly, it is just a matter of checking your textboxes in order, and if they contain a value then adding them to your query. So, your final query would be built up something like:
SELECT [record qualifier] WHERE Parameter1=@Value1 AND Parameter2=@Value2 ...
adding each parameter as appropriate, ensuring you use a proper parameterized query, not a concatenated string.
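An added example, not code from either reply or from the poster, that implements what both answers in this thread describe (check each box in turn, add a condition only for the filled ones, keep every value in a parameter). It serves the earlier emp/number question as well as this six-box one. The table name tblRequests and the column names are assumptions for the poster's schema. Two details matter for the MS Access case: OleDb parameters are positional, so the placeholder is `?` rather than `@Value1`, and the date boxes are converted to DateTime before they are sent, which is what avoids the "data type mismatch" exception reported earlier in the thread.

```csharp
using System;
using System.Data.OleDb;
using System.Text;

public static class RequestSearch
{
    // One entry per search box: the column it filters and the OleDb type of the value.
    private struct Criterion
    {
        public string Column;
        public OleDbType Type;
        public Criterion(string column, OleDbType type) { Column = column; Type = type; }
    }

    // Assumed column names, in the same order as the textboxes are passed to Build().
    private static readonly Criterion[] Criteria =
    {
        new Criterion("emp_id",         OleDbType.VarWChar),
        new Criterion("from_date",      OleDbType.Date),
        new Criterion("to_date",        OleDbType.Date),
        new Criterion("expiry_date",    OleDbType.Date),
        new Criterion("request_number", OleDbType.VarWChar),
        new Criterion("status",         OleDbType.VarWChar),
    };

    // Turns a textbox's Text into a typed value, or null when the box was left empty.
    // Date columns get a real DateTime, so Access compares dates rather than text.
    private static object ToTypedValue(string text, OleDbType type)
    {
        if (string.IsNullOrWhiteSpace(text)) return null;
        text = text.Trim();
        if (type != OleDbType.Date) return text;
        DateTime d;
        if (!DateTime.TryParse(text, out d))
        {
            throw new FormatException("'" + text + "' is not a valid date");
        }
        return d;
    }

    // texts[i] is the Text of the i-th search box, in the order of Criteria above.
    public static OleDbCommand Build(OleDbConnection conn, params string[] texts)
    {
        if (texts.Length != Criteria.Length)
        {
            throw new ArgumentException("expected " + Criteria.Length + " search boxes");
        }

        var sql = new StringBuilder("SELECT * FROM tblRequests");
        var cmd = new OleDbCommand { Connection = conn };
        string joiner = " WHERE ";

        for (int i = 0; i < Criteria.Length; i++)
        {
            object value = ToTypedValue(texts[i], Criteria[i].Type);
            if (value == null) continue;            // box left empty: no condition for it

            // Access/OleDb parameters are positional: the placeholder is always "?" and
            // parameters must be added in the order their "?" appears in the SQL text.
            sql.Append(joiner).Append("[").Append(Criteria[i].Column).Append("] = ?");
            cmd.Parameters.Add("p" + i, Criteria[i].Type).Value = value;
            joiner = " AND ";
        }

        cmd.CommandText = sql.ToString();   // no WHERE clause at all when every box is empty
        return cmd;
    }
}
```

From the page, pass the six Text properties in the same order as the Criteria array, for example `RequestSearch.Build(conn, txtEmpId.Text, txtFrom.Text, txtTo.Text, txtExpiry.Text, txtRequest.Text, txtStatus.Text)`, then hand the returned command to `new OleDbDataAdapter(cmd).Fill(ds)` inside a `using` block for the connection. There is no need to write out each combination of boxes; the loop produces whichever subset of conditions applies.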
So I have to check every possible combination of the textboxes.