asp.net dynamic data application won't accept input with "<" in it - asp.net

I'm new to using asp.net dynamic data apps. I just generated a simple app from my schema, and in one table I'm trying to insert a record where one of the fields is a varchar(255) field. I am finding that any input that has the "<" character in it will cause the app to throw an error when you try to save it, the exception being if "<" is the last character in the input string.
Since the editinsert function is some ajax based call, it just gives me a generic javascript error indicating whatever webservice it tried to hit for the update threw a 500 error and I have no idea how to debug this.

I would guess it's one of two things:
1 - You're triggering asp.net's built-in request validation. You can turn it off by adding the following to your page:
<%@ Page ValidateRequest="false" %>
(You can read more about it at http://www.asp.net/%28S%28ywiyuluxr3qb2dfva1z5lgeg%29%29/learn/whitepapers/request-validation/)
OR
2 - You're not using parameterized SQL queries, so you're doing something like:
"SELECT * FROM Customers WHERE FirstName = " + input
And this is causing invalid SQL when "input" has an SQL operator in it (such as ">")
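Both halves of the answer in working C#, as an added example that is not code from the original question or answer. The table `Notes`, the column `Body` and the connection string are assumed names. Two caveats a practitioner will want: request validation rejects a "<" that is followed by a letter, "!", "/" or "?", which is why a trailing "<" passes; and on .NET 4 and later the page-level `ValidateRequest="false"` only takes effect when web.config also sets `<httpRuntime requestValidationMode="2.0" />`. Once validation is off, the page has to HTML-encode the stored text when it renders it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not code from the original post. "Notes"/"Body" are assumed
// table and column names; connectionString is supplied by the caller.
public static class NoteRepository
{
    // VULNERABLE (option 2 in the answer): user text is spliced into the SQL.
    // A value such as   x' OR 1=1 --   rewrites the statement. Note that "<"
    // itself is harmless to SQL; it is quotes and comment markers that break it.
    public static string BuildUnsafeSql(string input)
    {
        return "SELECT * FROM Notes WHERE Body = '" + input + "'";
    }

    // SAFE: the value is sent as a typed parameter, never as SQL text, so
    // "<b>" or "O'Brien" is only data to SQL Server.
    public static int InsertNote(string connectionString, string body)
    {
        const string sql = "INSERT INTO Notes (Body) VALUES (@body)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Size matches the varchar(255) column; use -1 for varchar(max)/nvarchar(max).
            cmd.Parameters.Add("@body", SqlDbType.VarChar, 255).Value = body;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // With ValidateRequest="false" the page, not the framework, must stop the
    // stored text from running as markup: encode it on the way out.
    public static string RenderBody(string body)
    {
        return "<p>" + HttpUtility.HtmlEncode(body) + "</p>";
    }
}
```

`RenderBody("<script>alert(1)</script>")` returns `<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>`, so the stored "<" survives the round trip as text rather than markup. The parameter size is the one place the varchar(max) case differs: pass -1 instead of 255.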

Related

Handling Chinese in ASP classic

I write the following piece of codes :
rst.Open(strSQL & Request.QueryString("C-PLACE")), conn, 0, 1
But got the following error. However, if the querystring is in English or just number, no error will pop out. Any guru can help please ?
Microsoft OLE DB Provider for ODBC Drivers error '80040e10'
[Microsoft][ODBC Microsoft Access Driver] Too few parameters. Expected 2.
/deliverable/GetMemberTest.asp, line 19
It's going to either be passing an encoding variable to the server, or in the case of your error, it's saying "too few parameters". In this case, the parameter is "C-PLACE" and it's supposed to be passed to your asp script from the previous page's link, something like:
/deliverable/GetMemberTest.asp?C-PLACE=THECPLACE
https://www.w3schools.com/asp/coll_querystring.asp
(citation about query strings)
or something like that .. obviously it's not actually "THECPLACE", but just saying a QueryString("VARIABLENAME") looks to the URL of the previous page to pass the parameter to the script, so that error message should have done something to add a ? mark = C-PLACE= to something, and we aren't seeing that. So something on the previous page that was supposed to add this when they click a submit button didn't do its job, or the script is just getting run on its own without the proper previous page's work being done to prepare it to execute properly on the following page.
It will also be of note that these types of things are easily hacked through sql script injection, so if you aren't validating your url first, someone could use some code to escape out of your sql and add their own code, such as one to drop your tables ..., so make sure you validate the variable FIRST instead of dumping it straight into your code. I can give some guidance into that later, but first let's figure out your problem.
(side note - can I request strSQL from you? Can you put this line in before that line:
<%
response.write("strSQL is " & StrSQL & "<BR>")
%>
All this code does is display what is stored in the StrSQL variable, see if we can figure out what is going on here. Also take note that your error message indicated that it expected 2 parameters, so we are missing 2 for this script to run properly.
EDIT - try this encoding:
<%
Response.CodePage=65001
Response.Charset="UTF-8"
Response.ContentType = "text/html"
%>
Try this strSQL, you didn't need the Response.Write, and on C-PLACE you want to use '' instead of "" because the "" will exit you out of the SQL statement. Try this, and let me know how it works, but I still think we are going to need another parameter supplied to it, unless it's getting one from the string and then it isn't actually counting the one supplied from the url perhaps.
<%
' The column name contains a hyphen, so it must be bracketed in Access SQL;
' the value is wrapped in single quotes as a SQL string literal.
' This is still plain string concatenation, so the injection warning above applies.
strSQL = "SELECT * FROM DetailMemberInfo WHERE [C-PLACE]='" & _
         Request.QueryString("C-PLACE") & "'"
%>

Validation errors when SQL query is formatted correctly

I want to display the SQL correctly in my .aspx pages. But am getting a bunch of validation errors when I do. The code still appears to function correctly when running the page though. Here is what I mean:
If I had all of the SQL on one line then it works fine. When I try to format it correctly I am getting validation errors. How can I not get validation errors but display the query correctly?
This issue only seems to come up on longer queries.
Set the SelectCommand in the code-behind and use an @ in front of the string (a verbatim string literal, which cannot be used in the XHTML markup).
SqlDataSource6.SelectCommand = @"
/* SQL Query Here */
";

SqlDataSource erroring when retrieving NVARCHAR(max) column

I'm writing a small ASP .Net application in order to retrieve data from a SQL database. The application uses drop downs in order to select what the next drop down should contain and when a page is selected, it should retrieve the HTML from the database. Everything is working until it gets to the retrieval of the HTML data. When I try to retrieve the data, I get:
Microsoft JScript runtime error:
Sys.WebForms.PageRequestManagerServerErrorException:
An unknown error occurred while
processing the request on the server.
The status code returned from the
server was: 500
The HTML column is defined as NVARCHAR(MAX), but I can't see this causing a problem. The application works if I set the DataValueField to another column. Has anyone else come across a problem like this? Maybe someone could shine some light on this?
One thing I noted when dealing with varchar(max) columns is that the framework still commonly expects to have a size associated with it. What I ended up having to do was specify the length as -1 to get it to accept a varchar(max) field. Your error message doesn't indicate that this is the problem, but you might try experimenting with it rather than turning off the validation, which could possibly have other repercussions.
Figured it out. Just needed to set ValidateRequest to false at the Page level.

ASP Classic page quit working

I've had a set of legacy pages running on my IIS7 server for at least a year. Sometime last week something changed and now this line:
Response.Write CStr(myRS(0).name) & "=" & Cstr(myRS(0).value)
which used to return nothing more exciting than the string: 'Updated=true' (the sproc processing input params, stores them to a table, checks for errors and when that's all done returns a success code by executing this statement:
select 'true' as [Updated]
Now my pageside error handler is being involved and offers:
myError=Error from /logQuizScore.asp
Error source: Microsoft VBScript runtime error
Error number: 13
Error description: Type mismatch
Important to note that lots of pages use the same framework - same db, same coding format, connection strings and (so far as I can tell) all others are working.
Troubleshot to this point:
The call to the stored procedure is working correctly (stuff is stored to the given table). The output from the stored procedure is working correctly (i can execute a direct call with the given parameters and stuff works. I can see profiler calling and passing. I can replace all code with 'select 'true' as updated' and the error is the same.
everything up to the response.write statement above is correct.
So something changed how ADO renders that particular recordset.
So i try: Response.Write myRS.Item.count
and get:
Error number: 424
Error description: Object required
The recordset object seems not to be instantiating but the command object _did execute. Repeat - lots of other pages just the same basic logic to hit other sprocs without a problem.
full code snippet
set cmd1 = Server.CreateObject("ADODB.Command")
cmd1.ActiveConnection = MM_cnCompliance4_STRING
cmd1.CommandText = "dbo._usp_UserAnswers_INSERT"
...
cmd1.CommandType = 4
cmd1.CommandTimeout = 0
cmd1.Prepared = true
set myRS = cmd1.Execute
Response.Write CStr(myRS(0).name) & "=" & Cstr(myRS(0).value)
It seems to me that the sproc has changed and returns a scalar instead of a result set.
Changing CommandType = 1 (adCmdText) is needed to match with your query changed to SELECT 'whateveryouwannatry' AS [updated].
Since you stated that nothing in the asp code changed we can rule out that the return type of your command/sproc was altered by specifying an output parameter.

asp.NET MVC Model State Validation Issues

I am having issues adding validation methods to a couple of controls in my MVC app. I use the following to test for the mm/dd/yyyy format:
if (!Regex.IsMatch(candidateToEdit.availability.StartDate.ToShortDateString(), @"giantregex"))
    ModelState.AddModelError("availability_StartDate", "Start date must be in the mm/dd/yyyy format.");
//giantregex is a giant regular expression omitted for clarity
In my view I have:
<%= Html.ValidationSummary("Edit was unsuccessful. Please correct the errors and try again.") %>
<%= Html.ValidationMessage("availability_StartDate", "*")%>
For whatever reason the error text is not being displayed, it acknowledges there is an error and the start of the list is generated, but the "Start date must be in the mm/dd/yyyy format." is not displayed. It validates if you put in the date correctly.
I think the problem here is you're testing an actual DateTime type against a regular expression. Because they have entered an invalid date time format in the text box, it is never actually parsed into an actual DateTime where ToShortDateString() could be invoked on it. Therefore your regular expression validation is never actually occurring.
You'll need to adopt the ViewModel pattern where you expose all potential parsing problems as strings first (such as "candidateToEditViewModel.AvailabilityStartDateString") or implement client side validation and program defensively.
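The ViewModel approach this answer recommends, as an added example that is not from the original post (the class, action and property names are assumed): the date is bound as a string and validated with `DateTime.TryParseExact`, so a malformed entry reaches the validation code instead of failing to bind into a `DateTime` where the regex check never runs.

```csharp
using System;
using System.Globalization;
using System.Web.Mvc;

// Added example, not code from the original post; names are assumed.
public class CandidateEditViewModel
{
    // Kept as a string so a malformed value survives model binding and can
    // be validated here instead of silently failing to bind to a DateTime.
    public string AvailabilityStartDate { get; set; }
}

public class CandidateController : Controller
{
    // Exact formats accepted; "MM/dd/yyyy" rejects "1/5/2009" (add "M/d/yyyy" to allow it).
    private static readonly string[] AcceptedFormats = { "MM/dd/yyyy" };

    // Returns the parsed date, or null after recording a model error.
    internal static DateTime? ValidateStartDate(ModelStateDictionary modelState, string raw)
    {
        DateTime parsed;
        if (DateTime.TryParseExact(raw, AcceptedFormats, CultureInfo.InvariantCulture,
                                   DateTimeStyles.None, out parsed))
        {
            return parsed;
        }

        // The key must match the name used by Html.ValidationMessage in the view.
        modelState.AddModelError("AvailabilityStartDate",
            "Start date must be in the mm/dd/yyyy format.");
        return null;
    }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(CandidateEditViewModel model)
    {
        DateTime? start = ValidateStartDate(ModelState, model.AvailabilityStartDate);
        if (!ModelState.IsValid)
        {
            // Re-render the form; ValidationSummary/ValidationMessage now show the error.
            return View(model);
        }

        // ... copy start.Value onto the domain object and save it ...
        return RedirectToAction("Index");
    }
}
```

In the view, `<%= Html.ValidationMessage("AvailabilityStartDate", "*") %>` has to use the same key string passed to `AddModelError`; a mismatch is the usual reason the summary shows an error but the field message stays blank.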
I think you need to include a validation summary to get the message
<%= Html.ValidationSummary() %>
EDIT: Try putting a "." instead of a "_" as your property name in the AddModelError call, like this:
Instead of:
ModelState.AddModelError("availability_StartDate", "Start date must be...");
try this:
ModelState.AddModelError("availability.StartDate", "Start date must be...");
The sample you gave works at my testproject. Can you try to reproduce the error in a freshly created project?
