I am getting a CA1305 Warning.
Microsoft.Globalization : Because the
behavior of 'int.Parse(string)' could vary based on the
current user's locale settings,
replace this call in
'_Default.CalculateImageButton_Click(object,
ImageClickEventArgs)' with a call to
'int.Parse(string,
IFormatProvider)'. If the result of
'int.Parse(string,
IFormatProvider)' will be displayed to
the user, specify
'CultureInfo.CurrentCulture' as the
'IFormatProvider' parameter.
Otherwise, if the result will be
stored and accessed by software, such
as when it is persisted to disk or to
a database, specify
'CultureInfo.InvariantCulture'.
What exactly can go wrong if I omit specifying the culture when parsing Int32?
It means that when you read "1,234" from a data file or Database record, then try to cast it to an Int via Parse, you'll get 1234 in America and 1 in Germany. The warning gives good advice - if you're interacting with the user, specify CurrentCulture (thanks Andrew!), and if you're interacting with a filesystem or database (or anything !user), use InvariantCulture
If you are parsing an integer, it may have thousand separators, which can be "," or "." depending on the locale.
Related
I wrote a small service in go (although I don't think this would be a language specific issue), that caches some results by saving it to a file, and writing a URL query parameter into the filename with "prefix" + param + ".json" using ioutil.WriteFile. The service runs on Ubuntu.
Is it possible to do something malicious, by passing an unexpected string via the query?
Relevant attacks that come to mind are called path injection. For example what if the query parameter is something like ../../etc/passwd (okthis would probably not work as the user running this service would have no permissions, but you get the point). For example it could be possible to overwrite your service code itself.
You should sanitize the parameter before adding it to the filename. The best would be a strict whitelist of letters and numbers that are allowed, anything else should ve removed from the parameter. That way injection would not be possible.
You can also check whether the path you are writing to is actually under an explicitly allowed directory.
I will make a test in python, here is the struct of the project
app1/main.py
while True:
a = input() # passing query
with open("{}.json".format(a), "w") as f:
f.write("Hello world")
now i am a hacker, and i want to change "yourfile.json"
so i passed this
and than, the content of yourfile.json become: Hello world
I am building a Web application and I want to allow users to insert records into a database. The method that I came across is to take the information from text boxes and run this code:
SqlDataSource1.InsertParameters["ProductCode"].DefaultValue = txtProductCode.Text;
SqlDataSource1.InsertParameters["Name"].DefaultValue = txtName.Text;
SqlDataSource1.InsertParameters["Version"].DefaultValue = txtVersion.Text;
SqlDataSource1.InsertParameters["ReleaseDate"].DefaultValue = txtReleaseDate.Text;
try
{
SQLDataSource1.Insert();
}
...
If I try to inject some SQL I get the error message:
Message: String or binary data would be truncated. The statement has been terminated.
Does this method sanitise the parameters? I am having a hard time finding this information because I am not sure if there is still a way to get around this error. If it does not how should I go about sanitising the inputs?
Additionally, the ReleaseDate parameter seems to be currently reading as dd/MM/yyyy but is there a way to lock this so that the same code on a different system doesn't behave differently. I am worried that if the code is run on a system with different regional settings it will use a different format.
One of your field in the table is not long enough to insert the value. You need to check each of ProductionCode, name, Version and ReleaseDate for their length and increase them accordingly.
http://msdn.microsoft.com/en-us/library/aa196741(v=sql.80).aspx
I am using asp.net and c# in my application and Mysql as Database.I want to take input from user in hindi and store it in database and retrieve it.
When I am storing the hindi characters in from Mysql database it is working fine for me but when I am using textbox to input a hindi characters it is showing me ?????????.
I guess the problem is the aspx page does not set to support hindi characters.Please tell me the way to achieve this.
I guess using UTF-8 encoding on your Http request and responses would solve it. What is your requestEncoding and responseEncoding in your Web.config file set to currently?
See more on the <globalization> tag here:
http://msdn.microsoft.com/en-us/library/hy4kkhe0(v=VS.100).aspx
try this:-
// mytable=2 fields id(auto increment),title(nvarchar(max))
string title = "बिलाल";
SqlCommand cmd = new SqlCommand("insert into mytable values (N'" + title + "')", con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();
Haha.. Oh the memories (and I only had to deal with spanish which fits into the default latin1).
So I don't know the MS side of the stack, but I assume it's the same types of solutions as Java. Namely you should always assume UTF-8, and thus make your Content-Type HTML responses always show UTF-8 so that browsers know to encode POST data in UTF-8. You should always inspect the encoding type of HTML POST's just in case you have a browser that ignored the encoding of the HTML form (someone might be using curl/wget/custom-browser). You need to learn how in MS-land to convert from one encoding type into UTF-8 (in java, for reference, we just say String s = new String(bytes, encoding_name))
Assuming that MS's stack uses UTF-16 or UCS-32 or whatever so that UTF-8 is easy to extract, next comes the mysql layer.
This includes 2 things..
1) column encoding MUST be set to UTF8.. It's not obvious at all how to do it, and even the spelling is annoying.. Just google it.. "create database foo default character set UTF8" (approximate syntax), or if you're worried for some reason, do it at the table level "create table foo (..) character set UTF8" (approximate syntax).. Or if the table is already there, take EVERY column that can take arbitrary web-form text (possibly including login-name, but not columns like enumerated varchars - as it would waste index space - even though you'd think it wouldn't) "alter table foo change name varchar(255) character set UTF8" (approximate syntax).
2) You MUST make the ODBC connection (jdbc in java, don't know in MS), encode all in/out characters at UTF-8. There are two parameters I set (use-unicode, and character-set=UTF-8) (approximate parameter names).
Google it all, but this should point you in the right direction.
Test the existing DB by connecting to mysql both with character-set=UTF8 and latin1.. You'll see totally different output in your text-data when connected as each encoding. If you're lucky, you already got the data in correctly.. Otherwise you'll have to regenerate ALL the data, or perform some very clever character conversion hacks like I had to do once upon a time (painful stuff).
I have a TextBox, and I want to force the user to type an email format in this field like (example#mail.com) ?
I don't want to use FilteredTextBoxExtender or the RegularExpressionValidator.
I want to do it manualy.
Use the MailAddress class of System.Net.Mail. If what you pass into it is not a valid email address it will fail.
Example:
How do I validate email address formatting with the .NET Framework?
You are really going to reinvent the wheel.
But if it is your wish, you have to use string manipulation functions built in to the String object.
First do a check whether there is a in # symbol in the text.
Use String.Contains to check that.
Or you can use String.IndexOf to check whether the # symbol is present, and if present which index is it present. (considering the string as an array of characters)
And then check whether there are any (and how many) characters present before the # symbol.
If the symbol # symbol was in the 4th index, then you know there are 3 characters before etc.
There's plethora of functions for the String object. You may have to use Length function and String.SubString to retrieve parts of the string.
Get the indexes of the # symbol and the . symbol and check whether there are at least 3 characters in between.
I really cant seem to think of all the possibilities but first list down all the possibilities and check them one by one.
You can also use the Contains method to check whether illegal characters are present :)
EDIT: String.LastIndexOf will return the last index where a specified character was found ;)
And you count and check whether the # symbol was found more than once etc
String.IndexOfAny(Char[])
String.IndexOfAny Method (Char[], Int32)
String.IndexOfAny Method (Char[], Int32, Int32)
This is the best way I found on internet.
Regex.IsMatch(YourStringEmail, "^(?("")("".+?""#)|(([0-9a-zA-Z]((\.(?!\.))|[-!#\$%&'\*\+/=\?\^`\{\}\|~\w])*)(?<=[0-9a-zA-Z])#))" + _
"(?(\[)(\[(\d{1,3}\.){3}\d{1,3}\])|(([0-9a-zA-Z][-\w]*[0-9a-zA-Z]\.)+[a-zA-Z]{2,6}))$")
Thank you.
MS SQL Server's Money Data Type seems to accept a well formatted currency value with no problem (example: $52,334.50) From my research MS SQL Sever just ignores the $ and , characters. ASP .NET has a parameter object that has a Type/DbType property and Currency is an available option to set as a value. However, when I set the parameter Type or DbType to currency it will not accept a value like $52,334.50. I receive an error
Input string was not in a correct format.
When I try to Update/Insert. If I don't include the $ or , characters it seems to work fine. Also, if I don't specify the Type or DbType for the parameter it seems to work fine also. Is this just standard behavior that the parameter object with its Type set to currency will still reject $ and , characters in ASP .NET?
Here's an example of the parameter declaration (in the .aspx page):
<asp:Parameter Name="ImplementCost" DbType="Currency" />
So here is a little more information:
The code snippet that I provided above is part of the Update parameters to an Update command declared for an SqlDatasSource Control. That parameter will update a column (of money type) of a table in my database. The column in my database is bound to a control in a DetailsView control.
Look at the overrides on Parse - one of them accepts a format type parameter, one of the valid values being currency.
Two issues. (1: .NET ASP layer) and (2:SQL Server at the server)
On the ASP side you are trying to put a string in a money/decimal type.
Try converting the string $123.45 to a decimal type and then to your declaration. Or leave it a string (with checking), or a string 123.45M (M literal) because ...
On the SQL Side the dollar sign is a literal that implies money currency data type with a fixed 4 decimal places. So it is ok to leave it but SQL is not ignoring it. It actually is using it to cast the value.
Here is why I never do what you are doing. You have just discovered what is really going on. The IIS profile and defaults affect why dolars with commas and German marks with decimals are all interpreted correctly. But 123.45 and 123,45 do not mean the same thing under both language profiles. Also on the SQL side similar things happen such as when a literal dollar sign is passed in to sql. So you may want to clean up the value and get it right on the screen for the user and then pass the decimal value up to SQL with no formatting at the SQL layer so that this is not a hidden issue. I personally usually pass a string and fix it and validate it at the server after it is reasonably validated at the client.