We have some error reporting code that, when an unhandled exception occurs, we send everything over in an email to our groups. This is great except if an unhandled exception occurs on a page with a password field then it's sent over as plain text.
Is there a way to iterate through Request.Form and figure out which item(s) are passwords? This is done at a low level so we can't look for specific controls.
Naturally, we could check to see what type the input box is but I'm not sure if that's the cleanest way. Advice?
Use a whitelist of field names that you want to email.
There could be hundreds of field names that get POSTed to your server. And password isn't the only field that is sensitive. Depending on your application, there could be other things that should be treated with a little respect.
So, make a list of field names that will assist in you in debugging. These are typically unique identifiers / database keys and such. If you have any parameter names in this list, you can include it in the email.
I've suggested a different solution earlier, but I thought you were going to handle this on the client side. Following your comments I now understand that you need to take care of this on the server side. There may be a way for you to do it, which is not really elegant, but it should work:
Add to all pages a script that collects all password field names into a new client-generated field, like so:
function collectPasswordFields() {
var inputs = document.getElementsByTagName('input'), list = [];
for (var i = 0; i < inputs.length; ++i)
if (inputs[i].type == 'password') list.push(inputs[i].name);
var field = document.createElement('input');
field.name = '__password_fields';
field.value = list.join(',');
document.getElementsByTagName('form')[0].appendChild(field);
}
Then intercept the additional field in the server-side error handler, and remove the named fields from the email.
Can something like this work for you?
The cleanest way is to check the type attribute of the input element.
The HTML5 specification has this to say about input type=password:
The input element with a type attribute whose value is "password" represents a one-line plain-text edit control for entering a password.
Data type: Text with no line breaks (sensitive information)
Control type: Text field that obscures data entry
This is a mandatory requirement from all User Agent implmentations, and it has been so since HTML 2. So this is indeed the cleanest way to do what you want.
If you want to do it on the client side (you talked about sending the data to the server) then it is relatively easy:
function hidePasswords() {
var inputs = document.getElementsByTagName('input');
for (var i = 0; i < inputs.length; ++i)
if (inputs[i].type == 'password') input[i].value = '*****';
}
As Jerome already pointed out in the comments, just keep track of the names of your password input fields and filter them before sending the error/exception report. This is the best solution as the type of the input field is not submitted.
A few solutions, though I'm not sure how bright any of them is:
1) Maintain in the page a List of input control IDs that are passwords, pass this list to the exception handler with the expectation to ignore these fields.
2) Keep a resource file in the website that lists a page name, a field id and have the exception handler check against this resource file (may not work if the exception is related to the ResourceManager)
3) Keep a database table as with idea 2. Same problems exist.
Related
i wanted to add to my website the option of seeing the usernames of the people that are logged in my website as a list.
i did it using the Application state so when a person loges in the application variable adds it to itself.
but when a person loges out of the website i need to remove his username from the list and i'm having trouble with this... any code suggestions?
in the Login page:
Application["UserList"] += Session["UserName"].ToString() + "<br/>";
and i tried this in the Logout page but it didnt work...:
String name = Session["UserName"].ToString();
Application.Remove(name);
you would use something along the lines of this:
Application["UserList"].ToString.Replace(Session["UserName"].ToString() + "<br/>", "");
But you really should not try manage a string. Use something like a HashTable and store that object in the application state. It's far easier to manage key/value pairs in a dictionary type construct.
Also it separates the data from the formatting which gives you much greater control over the output.
I'm trying to make a web application for the first time, and I use all kinds of tutorials and help of any kind, but I don't get why this happens. Everything worked all right until now:
I'm trying to transmit a "User" attribute between servlets, and I'm doing so by sending part of it as an attribute (using RequestDispatcher or HTML forms), and looking up the rest of it in a database, like this:
String user = (String) request.getAttribute("txt");
Users info = (Users) emf.createEntityManager().createNamedQuery("Users.findByUsername").setParameter("username",user).getResultList().get(0);
Username is Unique key, and the code for the NamedQuery is
#NamedQuery(name = "Users.findByUsername", query = "SELECT u FROM Users u WHERE u.username = :username)
The first time I use this, it works and I get the expected result, but, if I come back to the same servlet or I use the same code again in other servlet, I get java.lang.IndexOutOfBoundsExpcetion: Index: 0, Size: 0
How can this happen if I didn't modify the database at any moment?
Any help would be appreciated.
Seems like your request attribute "txt" is null the second time. It's a request attribute, so it will be only valid during the request. If you don't store it or submit it every time it will be null.
A null as username will produce an empty list. The attempt to read the first element of an empty list produces the IndexOutOfBoundsException.
Use a session attribute or resubmit the attribute every time and it will work.
I have a datagrid that contains data from different documents. The user can edit some of the columns. I want to restrict them to only be able to enter a number.
I would like to do it from the client side instead of server side as that would mean checking 20 or more documents.
ok figured out what to do. Create a function to format the data with as red background if they enter a non-numeric or invalid value. Put the function in a scriptBlock and put the name in the formatter field for each column
function ValidNmbr(s)
{
var RegularExpression = new RegExp(/^\$?([1-9]{1}[0-9]{0,2}(\,[0-9]{3})*(\.[0-9]{0,2})?|[1-9]{1}[0-9]{0,}(\.[0-9]{0,2})?|0(\.[0-9]{0,2})?|(\.[0-9]{1,2})?)$/);<br/>
if(RegularExpression.test(s))
{
return s;
}
else {
return "<span style='background-color:red'>"+s+"</span>";
}
}
Client side format enforcement can be bypassed (anyone having firebug), so you have to be clear it is only for the comfort of the user, not for the integrity of your data.
On the server side: you can have a entry field with a number mask. No code required -- might be the least work. If you want to do that client side:
use the HTML5 attributes for number format
use some helper to make older browsers behave
consider to use a Dojo grid. It does nice validation
Hope that helps
url:http://localhost:51806/fair/PersonPage/personalPages.aspx?idCompany=1338006699#Site/AboutAs
request["idCompany"];
this code return null
how can get value idCompany
EDIT
Request.UrlReferrer.Query
this return ?idCompany=1338006699
this Request.UrlReferrer.Query.Split('=')[1] return 1338006699
but i think this way does not good way
#Site/AboutAs is a tab aboutAs in full tab component
Try this instead:
string id = Page.PreviousPage.Request.QueryString["idComapny"];
If no luck then your method of splitting is the best you can achieve, as you're trying to read the query string of the referrer page.
One work around though is to store the value in that previous page.
To do this, store the value of Request["idComapny"] in the previous page, where it should be available, in Session then you can read the Session value in any other page.
I'm creating a time sheet for work to learn more about asp and making database connections I am also using this time to prepare for my next C# and database design class which start on Wednesday. I'd like to know how I can get data from default.aspx and display it in timesheetdisplay.aspx, and I would also like to know how I can make it so the person doesn't have to enter the full id "100000111" as it appears in the database just the last 3.
<asp:TextBox id="xBadgeTextBox" runat="server" width="100px"></asp:TextBox>
As far as passing data between pages you can pass it via QueryString, Session variables, or by persisting it to some sort of data store such as a Database. In the situation above I would look at passing via Querystring parameter. Be sure that if you do do this that you validate the data on the new page to ensure its safety and validity before using it (think SQL Injection Attack).
How to: Pass Values Between ASP.NET Web Pages
As far as your second question goes I would say that this could be handled on the server side if you are sure that the last 3 digits will always be unique. Or were you looking to prompt the user entering data similar to Google? If so look at the AutoComplete Extender in the AJAX Control Toolkit or look at doing something similar in JQuery.
If you're redirecting from page to page, consider using the Server.Transfer("timesheetdisplay.aspx", true) method when navigating away from your default.aspx page. Note the second parameter, true, which will persist all ViewState and QueryString data across from page to page.
I would generate a unique key, store the value you are transfering in the users session, redirect the user and include the key in the query string, grab the key, and then get the value. Something like this:
//---On Default---
var value = "can be a single string or even a complext object...";
var keyName = Guid.NewGuid().ToString();
HttpContext.Current.Session[keyName] = value;
HttpContext.Current.Response.Redirect("timesheetdisplay.aspx?SID=" + keyName);
//---On TimeSheet---
var getKeyName = HttpContext.Current.Request.QueryString["sid"].ToString();
var myValue = HttpContext.Current.Session[keyName];
To get the id from a partial ID I would do it just like Muhammad Akhtar said:
select * From yourtable where id like '%111'