I have a screen where I print all the variables to the screen and show them to the user with classic asp.
On this screen, I show the values of "Session","Querystring","Form","Cookie","Server.Variables" to the user.
I'm doing replace so that some data is understandable. Other than that, I don't do anything.
There is nothing in the displayed values to bother me.
But can the user do anything harmful by tampering with a Cookie or submitting malicious code with the Request form?
A regex etc before displaying the values to the user. Will I need to apply anything?
Before showing these values on the same page, I check the username and password according to the values I assigned to Session from SQL Server and show all the data below to the user.
You can think of it as a kind of phpinfo.
My classic asp code
<%
variables=variables & "<style>h3 {margin:3px;text-decoration: underline;}</style>"
variables=variables & "<h3>Session</h3>"
ix=0
For Each ix in Session.Contents
variables=variables &"<span style='color:red;font-weight:bold;'>"&ix&"</span>="
variables=variables & Session.Contents(ix)
variables=variables & "<br>"
Next
variables=variables & "<h3>Querystring</h3>"
for each variable_name in request.QueryString
variable_value=request.QueryString(variable_name)
variables=variables &"<span style='color:red;font-weight:bold;'>"&variable_name&"</span>="
variables=variables & variable_value
variables=variables & "<br>"
next
variables=variables & "<h3>Form</h3>"
for each variable_name in request.Form
variable_value=request.Form(variable_name)
variables=variables &"<span style='color:red;font-weight:bold;'>"&variable_name&"</span>="
variables=variables & variable_value
variables=variables & "<br>"
next
variables=variables & "<h3>Cookie</h3>"
for each x in Request.Cookies
if Request.Cookies(x).HasKeys then
for each y in Request.Cookies(x)
variables=variables&("<span style='color:red;font-weight:bold;'>"&x&"</span>"&"<span style='color:blue;font-weight:bold;'>('"&y&"')</span>=" & Request.Cookies(x)(y))
variables=variables&("<br>")
next
else
variables=variables&("<span style='color:red;font-weight:bold;'>"&x & "</span>=" & Request.Cookies(x) & "<br>")
end if
next
variables=variables & "<h3>Server.Variables</h3>"
for each x in Request.ServerVariables
variables=variables&("<span style='color:red;font-weight:bold;'>"&x&"</span>="&Request.ServerVariables(""&x&"")&"<br>")
next
Response.Write variables
%>
Yes - you're not encoding the values before outputting them to the page. At the very least put use the Server.HTMLEncode around the values.
Related
I have an "edit" form that is pulling data from a specific row. Part of this form includes radio buttons (a set of four). I am able to retrieve the data from the radio button that has been selected but the other three don't have anything and I get a Null Value error. How could I prevent this? I essentially have 1 cell that pushes in the value of the radio button that was selected. In my asp code I have it set up like this:
<input <%If (CStr((rsCourseNum.Fields.Item("question1Correct").Value)) = CStr("answer1")) Then Response.Write("checked=""checked""") : Response.Write("")%> type="radio" name="question1Correct" id="question1Correct" value="answer1">
this would throw an error if answer0 was in the db since there is no answer1, I'm just not sure exactly how to set this up to prevent it from calling a null value.
What's the Response.Write("") for?
You're not getting an error because you're checking a db value that happens to be Null; you're getting an error because you're trying to convert a Null to a string. There are two* ways around this. Method one is to not do any data type conversions:
Response.Write "<input type=""radio"" name=""question1Correct"" id=""q1c"""
If rsCourseNum("question1Correct") = "answer1" Then Response.Write " checked"
Response.Write " value=""answer1""><label for=""q1c"">Question 1</label>"
This will work with Nulls because the comparison Null = "answer1" will return Null, which isn't True, so the button isn't marked.
The other method is to explicitly check for Nulls, and only do a data type conversion if the value isn't null.
Response.Write "<input type='radio' name='q" & i & "' id='q" & i & "c'"
If Not IsNull(rs("q" & i)) Then
If CStr(rs("q" & i)) = CStr(answers(i,0)) Then Response.Write " checked"
End If
Response.Write " value='" & answers(i,0) & "'>"
Response.Write "<label for='q" & i & "c'>" & answers(i,1) & "</label>"
* Well, two, uh, "proper" ways around this. There's also the hacky way: append a blank string instead of using CStr. (Thanks for the tip, Lankymart!)
If rs("q" & i) & "" = CStr(answers(i,0)) Then Response.Write " checked"
if I don't enter anything in one of the textbox , ASP.NET can't tell an empty textbox and treat it at null... So anyone please help me how to detect an empty textbox and set that to null
i know that this code is ganna work well
If MUSIC_TITLE.Text.Trim() = "" Then
MUSIC_TITLE.Text = Nothing
End If
but i can't use be couse i have a lot of forms in my application so i need somthing or any function exist in the ASP.NET that can handel this
and thats for the insert in a requet the sql server
"insert into Reunion values(" & Convert.ToInt32(ID_Reunion.Text) & ",'" & d.ToString("MM/dd/yyyy") & "'," & Convert.ToInt32(ID_Membre.Text) & ",'" & Type_Reunion.Text & "','" & Session("Nom_GIAC") & "')"
and tnks
This sounds like you're trying to directly store the textbox values in your database.
Please don't do this. If you haven't already, learn about the high risk security threat of SQL Injection and parameterize your INSERTS and UPDATES.
Before setting the parameters, you can convert empty strings to Nothing if required.
Dim musicTitle as String = _
If(String.IsNullOrWhiteSpace(MUSIC_TITLE.Text), Nothing, MUSIC_TITLE.Text)
In your insert sp should be like:
create procedure Insert(#test varchar(50)=NULL)
as
begin
update foo set testCol=#test
end
In c#, use below code, when calling the sp and adding the parameters:
if(txt.Text!=String.Empty)
{
cmd.Parameters.Add("#test",SqlDBType.Varchar,20).Value=txt.Text;
}
I have this same type of loop running on several pages, but the one that I said I'd get done in 1 day just... Ignores the out.movenext and prints only the first result out of a possible 10 results until it crashes. The SQL is fine. I got it with a tracer.
Changes:
I originally had the movenext last before the loop - but moved it up one line for tracing. Tried (out = out.movenext , out = out.next) to see if it would do anything. And I tried putting an integer count in to have it stop after 20 loops so I can debug it faster. The int changes, the data prints, but out doesn't advance.
strSQL = "SELECT [RecordID],[SubmitDate],[DataEntered] FROM [ManagerFileReview] where submitdate = '" & timetap & "'"
out = cnt.execute(strSQL)
out.movefirst
response.write "<table>"
Do while not out.eof
response.write "<tr><td>"
response.write "<table><thead></thead>"
response.write "<tr><td>Submit Date:</td><td>" & out(1) & "</td></tr>"
response.write "<tr><td>Data Entered:</td><td>" & out(2) & "rrrrrrrrrrr</td></tr>"
out.movenext
response.write "passed movenext</table></td></tr>"
loop
response.write "</table>"
Edit: Forgot the "SET" before the cnt.execute
The logic looks OK, unless I'm missing something. Even though out isn't listed as a reserved word with MS, I do wonder if it's the problem.
Found it.
Didn't have SET before the out = cnt.execute(strSQL)
Should have been
set out = cnt.execute(strSQL)
I am writing Classic ASP program.In one function, I have to use 2 update statements to one table in one function. First Statement is update the quantity of invoice and second update statement is base on that update Purchase Order quantity and Purchase Requisition quantity, I need to update one flag field. Can I write in same function as following:
SET RS = app.Execute("SELECT PRInvoiceNo, Quantity FROM PurchaseOrderDetails WHERE CoID='" & param & "'")
do while RS.EOF=false
app.Execute("UPDATE PurchaseRequisitionDetails SET PO_Quantity = PO_Quantity + " & RS("Quantity") & " WHERE CoID='" & param & "' AND PRInvoiceNo = '" & RS("PRInvoiceNo") & "'")
app.Execute("UPDATE PurchaseRequisitionDetails SET FullyPaidFlag=CASE WHEN PO_Quantity >= Quantity THEN 1 ELSE 0 END WHERE CoID='" & param & "' AND PRInvoiceNo = '" & RS("PRInvoiceNo") & "'")
RS.MoveNext
loop
The problem is in the loop the first statement is properly worked. Second one not work. What can it be? Can I do like this or not?
Well, I have to go, but be sure to check the following:
Response.Write(RS.RecordCount) -- are there any records? Or, do a Response.Write("hello") inside the loop to make sure.
Check that RS("Quantity"), param, etc are not null. If they are, your string concatenation will result in a null string.
Also, please, please don't forget to escape your variables!
Replace(param, "'", "''")
Good night!
I'm debugging some ASP code and I need to get a quick printout of the current Request datastructure, which I believe is an array of key/value pairs.
I see that Request.Form("key") is the method for extracting individual elements.
Any tips on printing out the entire thing?
Try this
For Each item In Request.Form
Response.Write "Key: " & item & " - Value: " & Request.Form(item) & "<BR />"
Next
Working:
For x = 1 to Request.Form.Count
Response.Write x & ": " _
& Request.Form.Key(x) & "=" & Request.Form.Item(x) & "<BR>"
Next
I have other Classic ASP code snippets here:
https://github.com/RaviRamDhali/programming-procedure/tree/master/Snippets/ASP
Try a FOR/EACH loop:
for each x in Request.Form
Response.Write(x)
Next