How to avoid querystring being accessible in ASP.Net dynamically generated chart? - asp.net

To create dynamic charts and graphs in ASP.Net, I have placed the (GDI+) code for each chart in separate page files – so the output from running a chart page by itself if to just display the chart onscreen.
The chart page contains the code to get the relevant data from SQL Server, as well as the chart generation code. The generated chart object is then saved to Response.OutputStream.
A content page where I want to display the chart provides various parameters to determine what data will be used to generate the chart (such as userID, project ID, selection from dropdown lists etc.).
To display the chart as part of a content page, I then place an image object in the page, collect the various chart parameters, and in code behind set the URL of the image object to be the chart page, plus all the chart parameters added to the query string.
This works fine, except for one thing: when I right click on the chart image as it appears in the content page in the browser, I get an option to “open image”, which displays a page with the chart all by itself (perhaps not surprising as it is generated with a chart page). However, the problem is that in this chart page, the full URL with the querystring is visible, which means that a user could change the values in the query string, and thereby generate a new chart. This is a big problem, as it might enable a user to generate a chart for data they should not have access to.
Is there a way to avoid this problem whilst still using this “chart page” approach to generating and displaying dynamic charts? Alternatively, should I rather save the dynamically generated images as files, either on disk or as SQL Server Filestream objects for example, and then reference these in the page?
By the way, I am aware of the various ASP.Net chart controls that are available. However, the charts I need to generate are highly customised to a very specialised application, so those controls will unfortunately not work in this instance.

I have the same concern for one of my previous projects. One cheap but not 100% fool-proof solution is to insert a http-referer check before you process the image. Images loaded from within you page will have the referrer URL of your domain, those entered directly via the browser won't have.
Of course it's very easy to hack by faking referrer url, still it is some form of deterrent. Will be glad if others can offer their solutions.
Another way is to add some sort of checksum params into your querystring. Only you know how to 'decrypt' and only generate image when the checksum is 'correct'.

First of all, I assume that your users are authenticated (logged in) to your website, so you know who they are and what data/charts they are supposed to have access to?
You need to check the incoming parameters in your image-generating code to see if the current user has access to the data he asks for. Typically you would query your user/privilege tables for this (or call the Membership API or whatever).
Trying to hide the URL (for example by doing a POST instead of a GET to the image-generating page) is just "security by obscurity", which is not a good idea.
By the way, your problem is called "URL tampering", a Google search for this should get you in the right direction.

Related

Google Optimise - How to test a page that only loads the required content when called in a specific way

I have a multiple-step flow that I would like to run A/B testing on, in this case by hiding/removing a single checkbox on one screen to find out if it impacts on the CTR of the Continue button on that screen. I haven't done this before so I might be missing some basic knowledge. The issue I have is that the target page doesn't load the required control by default, i.e. if you just type the URL into the search bar it comes up blank, because it's missing required data that normally comes from the referer page (which identifies the charity they want to donate to). To complicate things further, the control I want to test is on the second screen of the flow, and all screens have the same URL. When I set it up in Google Optimize, it doesn't show any editable content.
To be a bit more specific, the content displayed is dependent on POST parameters passed in before the stage I want to test. Is there any way to either (a) force Google Optimize to load the page using specific POST values, showing the relevant control so I can disable it for the B variant, or (b) bypass using the visual editor and disable the control by ID? Or will we need to rewrite the whole flow to use separate URLs for each stage and to load relevant content even when required data is missing?

Use LogParser's graphic image output in an asp.net Page

I would like to create another page with statistics about the usage of my ASP.NET project. Top page visited, etc, etc.
I wonder if it is possible to use LogParser to create the graphic images of the page?
The following use-case comes to my mind: Select startDate and endDate and use them in a LogParser QUERY to select top user, hours with most traffic, etc, and output this query as an image with a chart in it.
Is this feasible to do on server side?
Thank you for your time.
Sure it's possible, you can use the CHART output format to save a chart to a gif or jpg, and then include that image in the page.

use html to get image and create link from database

I have a column in my database that stores images that are links, when i populate them in a gridview on my asp.net page I want it to display the image as a link but when i did it i just get the text below.
<img src="http://www.url.com/url/url/url/url.jpg">
My goal is to have a list of the images and when a user clicks the image they will go to another page. This is a start of my page, and i was attempting to use a gridview but now I am not sure what to do
Don't save markup
Instead just save a URL. In your case two of them since one points to *.html and the other to *.jpg. Or just without extensions if they're always the same except for the extensions. This way you can easily change your markup later and still use the same data from the DB.
But apart from this fact of not saving non-data in DB you could at least provide some relevant code you're using. We'd much easier tell you where you're doing it wrong.
Using GridView
The problem you're having are column templates. Check this link out and see how you can customize the display of a particular column in a GridView. Essentially you will have to provide your own template and do whatever you please with your DB data.

VB.Net application - display a message to the user whilst the application is starting up

I have recently created an application where a lot of data is loaded into objects when the application starts up, and other data as it is required. For example if the user requests the catalogue page then it will load all the top level category data into objects of type Category. This will then stay there to be used by other users (who will therefore not have to load this data into objects) and can be altered by admin if they happen to login during the same application instance. I know this is not the most efficient solution, as pointed out below, but it works and the page load, at the moment, is not too long. It is very quick if most of the required data is already loaded into objects. It is also tailored to the business' needs - unlike other techniques such as Linq-to-SQL.
The problem I am facing is when a page is requested which requires lots of data to be displayed about different types of object. For example when a catalogue page is requested which displays information on a product which can be bought, it then loads all the products and categories (as the products make reference to the category object, not just the category name).
I would like to display a loading symbol with a message whilst all this data is being loaded into objects, so the user knows its not just in a loop or anything. Is there any way to do this? I am open to using JS / jQuery if I need to.
Thanks in advance.
Regards,
Richard
PS I am working on ways to make it more efficient - such as using HashTables or HashMaps. However this is taking time as there are so many different types of item (News, Events, Catalogue Item - Range, Collection, Design, RangeCollection, CollectionDesign, RangeCollectionDesign and RangeDesign - Users, PageViews and the list goes on).
Please correct me if I'm wrong, but I do believe that Javascript is required in order to display a "loading" image... Using server-side scriping alone would typically require an entire page load after all the content loads unless you want to start messing with IFrames.
This is a job for AJAX. A common solution to your problem is to have a small page that displays a loading icon. The page has some JavaScript that makes additional HTTP requests to the server to download the rest of the page. JQuery has a "$.ajax" method that is designed to simplify this process.
I would suggest looking at the documentation to the .ajax method in the jQuery documentation. Unfortunately, it seems to be a rather delicate process to get all the scripting code right and it takes a while to learn it all.

Creating a chart with tool tips in a Web Garden

I need to show a Line Chart on an ASP.NET page where each data point has a tooltip that shows its exact X and Y values. A chart for a particular dataset will probably only ever be requested once, so caching is disabled and the chart will be regenerated if it ever needs to be shown again.
Restrictions:
Needs to work in a web garden environment
Cannot use Session
Cannot use rich media, such as Flash or Silverlight.
The approaches I've seen used an image map for a generated chart image. Due to the restrictions, all of my charts so far have been generated in a handler in memory, streamed directly back to the user, and then disposed of. Now I need to add tool tips, which would requires both HTML and an image.
My current plan is to generate the chart once on the page to get the HTML, ignore the generated image, and rewrite the "src" of the image tag to point to a second page. The second page generates the same exact chart as the first, ignores the HTML markup, and streams the image back to the client. This all seems very kludgy.
Is there an better way to do this that doesn't involve generating the chart twice?
Available chart controls:
Dev Express 8.2
Syncfusion 6.2
?? - Recommend something
What about using the Google Chart API, and a .Net wrapper? See this SO discussion for more information.
I solved this by using the MS Chart Control. The disk handler can share images across servers in the web garden and automatically cleans up after itself.

Resources