I can get the value of non server control with Request.Form["fieldID"];
how i can get the attributes of these control?
some think like these :
Request.Form["fieldID"].Attribute["the_Attribute"].value;
or any other way
You're able to get the fieldId because its value is included in the POST, its attributes however will not be.
I'd recommend using something like firebug or fiddler to see the info that's coming in on the request, or even using the locals or immediate window to explore the Request.Form object to get a feel for what you can/can't do in this kind of situation.
There are no attributes. The only thing sent in the form data to the server is the value from the form field.
Related
So this is about output caching, and I am trying to use <%# OutputCache VaryByParam="">, how to realize this?
VaryByParam refers to the query string parameters in the request url. So you would need to submit the dropdownlist values as part of the url query string.
You would probably need to use javascript to alter the request url since you would not know the selected values server side.
document.aspnetForm.action = "https://www.paypal.com/cgi-bin/webscr";
I use master page and paypal payment page but giving error "document.aspnetform is not defined"
I can't tell from your question whether you are doing this on the client using JavaScript or on the server in C#. I guess the former as you are using document all lower case. Either way check your capitalisation - Javascript is case sensitive so you may need document.AspNetForm or something similar as your identifier. Just make sure it matches up to whatever the title of the form is in the source code.
I need to add a custom header something like
MYName: Balaji
which i need to access from .aspx file through
Request.ServerVariables["HTTP_MYName"];
should return "Balaji". I need so many variables like this it will added dynamically.
Kindly help.
Also, I cannot persist this varaibles in any of the .Net controls or objects like
cookies, sessions, application, hidden variable etc., or cannot store this in d/b and get it back whenever is required, I NEED IT ONLY IN HTTP HEADERS.
Kindly send the C# code how to add this variable and get the value back in .aspx file.
What do you mean by "get the value back in .aspx file"? HTTP headers are intended to be used as directives to a browser, how to interpret the given content. You don't have access to these values in your document.
Setting a custom HTTP header is quite easy, however:
Page.Response.AddHeader("MyCustomHeader", "VerySecretValue")
Updated my answer as per your comment.
If you need to transfer information between a HTTPModule and an ASPX page, you can use HTTPContext.Current, since this stays the same in both places.
So, you add it by
HttpContext.Current.Items.Add("SecretKey", "SecretValue");
and read it as
string s = HttpContext.Current.Items["SecretKey"];
Should we guard against unanticipated user input from dropdown lists? Is it plausible to expect a user to somehow modify a dropdown list to contain values that weren't originally included?
How can they do this and how can we stop it?
Absolutely check for that.
Do something like this pseudo code on the receiving end:
if { posted_value is_element_of($array_of_your_choices) }
//processing code
else {
//prompt them for good input
}
So for example: Your dropdown list is of Primary Colors they'd like their house painted. You'd have (in PHP)
$colors = array('red', 'blue', 'yellow');
if in_array($_POST['color'], $colors)
{ //process this code! dispatch the painters; }
else {echo "sorry, that's not a real color";}
Edit: This is certainly possible. If your values are being submitted via a GET request, then the user can simply enter www.example.com/?price=0 to get a free house. If it's a POST request, it may seem a little more difficult, but it's really not:
curl_setopt($ch, CURLOPT_POSTFIELDS,"price=0");
People could just use cURL to directly manipulate a POST request, in addition to a trivially large number of other clients.
A user can simply hand-write a HTTP request which has has filled in malicious data. For GET requests, for example, you may have a "State" dropdown that lists Alabama, Arkansas, etc. He may put http://example.com?state=evilstuff just simply into the browser url bar.
This is easily prevented since you already know exactly what is in the dropdown list. Simply checking to see if the input is in that list or not should be sufficient to prevent against injection-like attacks. If he puts in something other than a valid state name, throw an error.
This can only be done by modifying the HTTP response. So,
yes, it can be done and you need to safeguard against it (i.e. check if this can be a security threat and, if yes, validate the input), but
no, you don't need to bring a "nice" error message, since this cannot happen to a normal user "by accident".
When I'm bored, I edit drop-down lists in web sites just for fun. Mostly it just breaks the site, but at least once I could have gotten free or drastically reduced prices on tickets just by playing with the site's hidden fields. (Alas it was for a company I worked for, so I had to instead report the bug.)
Yes, a malicious user can submit data to your server without ever using your form, and could submit data that's not normally included in your dropdown list. This is a trivial form of attack that's often exploited in the real world.
Always check for valid input!
Some of the other answers are absolutely correct, you MUST validate on the server-side ANY data coming from the user side.
At work, we use tools such as the Firefix plug-in Tamper Data to manipulate and view data thats being posted to the server, after any client-side (javascript) validation has been done. Also, you can even use simple tools such as Firebug to visibly alter drop-down boxes to contain values that weren't put there by the server before submitting it.
I've seen a couple of rest examples where the xml message gets posted in the body of the http request, and not in a named parameter...
in classic asp I have the request.form object that allows me to get the posted values, but I have to specify the name of the parameter...
is there some way to get the whole content of the post?
I would need the equivalent of
request.serverVariables("QUERY_STRING"), but for the post, not the get part of the http request...
( http://www.w3schools.com/ASP/coll_servervariables.asp )
would I have to use request.binaryRead()???
thanks a lot
ps: in java, I cold achieve this using request.getReader()...
how to get a the value of an http post as a whole? parsing restful post
--
just to clarify thing a little bit
when I say post a value as the body, I mean that the content of the message is not enconded like param1=value1¶m2=value2...paramx=valuex
the message is the body itself... you can achieve this with any ajax library (like prototype) to test ir I'm using a firefox plugin that let you do that, it's named POSTER
https://addons.mozilla.org/en-US/firefox/addon/2691
A developer tool for interacting with web services and other web resources that lets you make HTTP requests, set the entity body, and content type. This allows you to interact with web services and inspect the results...
You didn't specify either what actual content type is being posted nor what you intented to do with it once you've acquired it.
Lets assume for a moment that the content is XML and you want to load it into an XML DOM.
A useful fact about the Request object is that it implements IStream where the stream is the entity body of the POST. Another useful fact is MSXML DOMDocument load method can accept an implementation of IStream. Hence:-
Dim xml: Set xml = CreateObject("MSXML2.DOCDocument.3.0")
xml.async = false
xml.load Request
This code loads the posted entity body into the DOM.
I think I found it
if you issue str( request.form ) you get the raw value of the form element...
works also with request.querystring and request.cookies
it doesn't work with request.serverVariables, throws an exception...
oh, and inspecting the debugger I've also found a completely undocumented property, request.body, that seems to behave just like the request.form property...
Are you trying to loop through all the posted values from the form? If so in ASP.OLD you could do this:
For Each Field in Request.Form