I am investigating a CSRF finding in asp.net c# code behind as shown in the following code:
LinkButton LinkButtonControl = new LinkButton();
LinkButtonControl.ID = Name;
Now, I feel that the following code using ViewStateUserKey is the right approach:
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    // Tie the view state MAC to this user's session so a __VIEWSTATE value
    // captured or forged for another session is rejected on postback
    if (User.Identity.IsAuthenticated)
        ViewStateUserKey = Session.SessionID;
}
However, another person I work with thinks that the HttpUtility.HtmlEncode method is the best way to correct the problem. First, I don't know if the HttpUtility.HtmlEncode method is the best way and, if so, how would I use it?
The HtmlEncode method is one of a group of methods used to prevent XSS (Cross-Site Scripting) - that's where you take input from the user and write it to the output without properly encoding it. The method provides zero protection from a CSRF vulnerability.
CSRF (aka XSRF) is a Cross-Site Request Forgery vulnerability. That's where a script on another site can force the user's browser to make an authenticated request to your site without the user's knowledge. It looks like Anil has already given you some good links for dealing with this class of vulnerability.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
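As an added illustration of the distinction drawn above (this is example code, not from the thread or its participants): a Web Forms code-behind that keeps the ViewStateUserKey approach from the question and adds a per-session anti-XSRF token compared on postback; the page class name, cookie name and token helper are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
// Added example, not code from the thread. Binds view state to the session via
// ViewStateUserKey (the question's approach) and adds a per-session anti-XSRF
// token held in a cookie and in MAC-protected view state; HtmlEncode is absent
// on purpose because output encoding addresses XSS, not request forgery.
public partial class SecurePage : Page
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private string _antiXsrfTokenValue;
    protected void Page_Init(object sender, EventArgs e)
    {
        // Must be set during Init, before view state is loaded.
        ViewStateUserKey = Session.SessionID;
        HttpCookie cookie = Request.Cookies[AntiXsrfTokenKey];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            _antiXsrfTokenValue = cookie.Value;
        }
        else
        {
            // First request in this session: issue a fresh random token.
            _antiXsrfTokenValue = NewToken();
            Response.Cookies.Set(new HttpCookie(AntiXsrfTokenKey, _antiXsrfTokenValue)
                { HttpOnly = true, Secure = Request.IsSecureConnection });
        }
        Page.PreLoad += Page_PreLoad;
    }
    private void Page_PreLoad(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            ViewState[AntiXsrfTokenKey] = _antiXsrfTokenValue; // kept for the postback
        }
        else if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue)
        {
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }
    // 128 bits from the CSPRNG, hex-encoded.
    private static string NewToken()
    {
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        return BitConverter.ToString(raw).Replace("-", "");
    }
}
```

The comparison only holds if view state MAC validation is left enabled, which is the default.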
I want to make one schedule in the global.asax page that updates the date in the database if the current date is greater than the database date. This schedule runs after every 24 hours. I have performed one task for it.
// Requires System.Data.SqlClient, System.Configuration, System.Globalization
// and System.Collections.Generic
private static void Task()
{
    String CS = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
    using (SqlConnection con = new SqlConnection(CS))
    {
        con.Open();
        DateTime Newdate;
        DateTime dt;
        SqlCommand cmd1 = new SqlCommand("select Date from tblInsertDate", con);
        List<String> dates = new List<String>();
        using (SqlDataReader rdr = cmd1.ExecuteReader())
        {
            while (rdr.Read())
            {
                // the Date column is read as dd/MM/yyyy text
                dt = DateTime.ParseExact(rdr["Date"].ToString(), "dd/MM/yyyy", null);
                String cd = DateTime.Now.ToString("dd/MM/yyyy");
                DateTime CD = DateTime.ParseExact(cd, "dd/MM/yyyy", CultureInfo.InvariantCulture);
                int result = DateTime.Compare(dt, CD);
                if (result < 0)
                {
                    Newdate = dt.AddDays(7);
                    DateTime Newdateonly = Newdate.Date;
                    String Ndate = Newdateonly.ToString("dd/MM/yyyy");
                    dates.Add(Ndate);
                    break;
                }
            }
        }
        foreach (String dataList in dates)
        {
            // dt is only assigned inside the reader loop, so the compiler
            // treats it as possibly unassigned here (the error described below)
            SqlCommand cmd2 = new SqlCommand("update tblInsertDate set Date=@Newdate where Date=@whereDate", con);
            cmd2.Parameters.AddWithValue("@Newdate", dataList);
            cmd2.Parameters.AddWithValue("@whereDate", dt);
            cmd2.ExecuteNonQuery();
        }
    }
}
All the values of the database table are changed. I just want to update the date row by row if the current date is greater than the database date.
So I have to put one where condition in the foreach loop, but how do I put the where condition?
If I try to write
SqlCommand cmd2 = new SqlCommand("update tblInsertDate set Date=@Newdate where Date=@whereDate", con);
cmd2.Parameters.AddWithValue("@Newdate", dataList);
cmd2.Parameters.AddWithValue("@whereDate",dt);
then "dt" is not used as a local variable.
Why are you converting all of your dates to strings, and then parsing them back to dates? Just use them as dates:
// Before:
dt = DateTime.ParseExact(rdr["Date"].ToString(), "dd/MM/yyyy", null);
// After (read the column as a DateTime; assumes the Date column is a date/datetime type):
dt = rdr.GetDateTime(rdr.GetOrdinal("Date"));

// Before:
String cd = DateTime.Now.ToString("dd/MM/yyyy");
DateTime CD = DateTime.ParseExact(cd, "dd/MM/yyyy", CultureInfo.InvariantCulture);
// After:
DateTime CD = DateTime.Today;

// Before:
List<String> dates = new List<String>();
...
Newdate = dt.AddDays(7);
DateTime Newdateonly = Newdate.Date;
String Ndate = Newdateonly.ToString("dd/MM/yyyy");
dates.Add(Ndate);
// After:
List<DateTime> dates = new List<DateTime>();
...
dates.Add(dt.AddDays(7).Date);
Having said that, you can replace all of your code with a single query:
private static void Task()
{
    string CS = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
    using (SqlConnection con = new SqlConnection(CS))
    using (SqlCommand cmd = new SqlCommand("UPDATE tblInsertDate SET [Date] = DateAdd(day, 7, [Date]) WHERE [Date] < @Today", con))
    {
        cmd.Parameters.AddWithValue("@Today", DateTime.Today);
        con.Open();
        cmd.ExecuteNonQuery();
    }
}
I created a website but it was built with the wrong code from TFS. Because of this, I copied the correct code web folder from my C: drive to the IIS website folder. The website runs fine; however, when I try to build the site in VS I get the following error:
Error 102 The configSource file 'appSettings.config' is also used in a parent, this is not allowed.
When I try to add the new code to source control I get the following error:
The following IIS Virtual Directories cannot be added to source control at this time because their files do not reside under the Local Path of the root Web site localhost : https://localhost (D:\TAMIS-Root\Web)
Click Continue to add all other Web items to source control. Click Cancel to stop adding files to source control.
I did have to delete the website from IIS and recreate it.
Sir, I made a registration page. I want to know how a verification code can be sent to the user's email id if we are working on localhost without using any gateway at all. I want the code, please help.
I want to upload only the details of students belonging to my department. The file is in Excel format and contains many columns, one of which is the department column. Now, I have to obtain the column value for each student and compare it with that of my department, and only if it matches should it be uploaded.
Very interesting; and what is your question?
Hi Friends,
I am using one iframe in my application. In that iframe I am displaying another web application which has a registration form with captcha. When we submit the registration it works in Chrome and Mozilla, but it is not working in IE because third-party cookies are disabled by default. How can I enable third-party cookies using code?
You can't - it's a setting made by the user
Thank you for the reply. Is there any other way we can add a webpage in our application?
What use would security features be if you could simply disable them via your code? The fact that you are showing a different site in yours via an iframe and you're having captcha problems makes me think that whatever you are doing probably isn't ethical anyway.
Thank you for your reply.
Yes, but I want a captcha in my registration page. How can I use the captcha without using cookies?
You need to add information on the page to tell the user to enable cookies for your website. If they do not do it they cannot register. But as with all of these issues the user owns the computer, and so retains the right to allow or disallow what other applications can do.
Why not write your own captcha, that way you are not invoking third party code and cookies...
How do I insert data into a table with a foreign key using the max id of the primary key table?
Using ASP.NET, VS2013, DB: MS Access.
I get the following error when I try to insert data using "select max(id) from table 1"
What error are you getting here?
modified 20-Sep-20 21:01pm.
Is your question about gridview formatting?
modified 20-Sep-20 21:01pm.
My client will be sending the request as described below in SOAP format.
<RequestTimestamp>2014-08-22T11:28:00Z</RequestTimestamp>
<SystemID>TestProcessor</SystemID>
<Version>1</Version>
<QWID>201507080000001</QWID>
<QWID>201507080000010</QWID>
<QWID>201507080000001</QWID>
<QWID>201507080000010</QWID>
<QWID>201507080000001</QWID>
<QWID>201507080000010</QWID>
<CHL>201507080000010</CHL>
In every request, QWID should come as a batch, and I proposed the entity design below to adopt the above data.
using System.Runtime.Serialization;

// [DataMember] is only honoured on a type marked [DataContract]
[DataContract]
public class APIRequest
{
    [DataMember]
    public DateTime RequestTimestamp;
    [DataMember]
    public string SystemID;
    [DataMember]
    public int Version;
    [DataMember]
    public string[] QWID;
    [DataMember]
    public string CHL;
}
With the above entity design, the SOAP request is generated as
<request xmlns:a="http://schemas.datacontract.org/2004/07/QWID.Services" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <a:RequestTimestamp>0001-01-01T00:00:00</a:RequestTimestamp>
    <a:SystemID>WireSystem_001</a:SystemID>
    <a:Version>0</a:Version>
    <a:QWID xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
        <b:string>20141023010232_ORG99000002_CTR.fedwire</b:string>
        <b:string>20141023010842_ORG99000001_CTR.fedwire</b:string>
    </a:QWID>
</request>
My client expects the SOAP request in the form of <QWID>201507080000001</QWID> instead of coming under <QWID><b:string>20141023010232_ORG99000002_CTR.fedwire</b:string></QWID> as a string tag.
How do I do the entity design (without grouping of QWID) to achieve the client's expectation as described above? Please help me on this.
modified 14-Jul-15 21:54pm.
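As an added example (not from the post or its author) of how the unwrapped shape the client asks for can be produced: XmlSerializer writes an array member marked [XmlElement] as one element per item, without the Arrays wrapper that DataContractSerializer adds. The Demo class and its Serialize method are assumptions for the illustration; in a WCF service the same effect needs [XmlSerializerFormat] on the service contract.

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

// Added example, not code from the post. With XmlSerializer, an array member
// marked [XmlElement] is written as one element per item with no wrapper,
// so QWID appears as repeated <QWID> elements rather than the
// <QWID><b:string>..</b:string></QWID> form DataContractSerializer produces.
[XmlRoot("request")]
public class APIRequest
{
    public DateTime RequestTimestamp;
    public string SystemID;
    public int Version;

    // One <QWID> element per item in the array.
    [XmlElement("QWID")]
    public string[] QWID;

    public string CHL;
}

public static class Demo
{
    public static string Serialize(APIRequest request)
    {
        var serializer = new XmlSerializer(typeof(APIRequest));
        using (var writer = new StringWriter())
        {
            serializer.Serialize(writer, request);
            return writer.ToString();
        }
    }

    public static void Main()
    {
        // Sample values taken from the request shown in the post.
        var request = new APIRequest
        {
            RequestTimestamp = new DateTime(2014, 8, 22, 11, 28, 0, DateTimeKind.Utc),
            SystemID = "TestProcessor",
            Version = 1,
            QWID = new[] { "201507080000001", "201507080000010" },
            CHL = "201507080000010"
        };
        Console.WriteLine(Serialize(request));
    }
}
```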