|
How would I do that, Ryan? This is my first venture into asp.net.
|
|
|
|
|
I suggest getting a book or going through online tutorials.
A simple method is to add a label and then in Page_Load take the value from Request.QueryString and put it into the label. But this is such basic stuff that I think you'll learn a lot more if you go through tutorials.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
Yes, OK, I will do.
Thanks
|
|
|
|
|
A word of warning: Don't do what Ryan said. (Or at least, not exactly what he said!)
When you take a value from the request and want to re-display it, you need to make sure it's properly encoded. In this case, since you're display it as text within the HTML of the page, you need to use the HttpUtility.HtmlEncode method[^] to encode the string before showing it in a label.
The reason you need to encode it before displaying it is to prevent a cross-site scripting (XSS)[^] attack. Since the query-string could be modified by the user, they could pass in any HTML or javascript. If your code blindly copies that to the response, they can execute that script within your page. Since it's just a link, they could send that out to anyone they think might use your site, and anyone who clicked on the link would suddenly find that their authentication cookies have been stolen, or that your site has installed malware on their device.
You should never trust any input that comes from the user, whether it's in the query-string, part of a POST request, or even the HTTP headers. Always assume that all users are trying to hack into your site, and use the appropriate defences. 
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Hello Richard
Thanks for your post.
So in addition to this if I can get it to work:
Public Class success
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Request("Name") IsNot Nothing Then
Name.Text = String.Format("{0}, ", Request("Name"))
End If
End Sub
End Class
I would also need the basis of something like this (which looks complicated!):
Imports System
Imports System.Web
Imports System.IO
Class MyNewClass
Public Shared Sub Main()
Dim myString As String
Console.WriteLine("Enter a string having '&' or '""' in it: ")
myString = Console.ReadLine()
Dim myEncodedString As String
' Encode the string.
myEncodedString = HttpUtility.HtmlEncode(myString)
Console.WriteLine("HTML Encoded string is " + myEncodedString)
Dim myWriter As New StringWriter()
' Decode the encoded string.
HttpUtility.HtmlDecode(myEncodedString, myWriter)
Console.Write("Decoded string of the above encoded string is " + myWriter.ToString())
End Sub 'Main
End Class 'MyNewClass
As an aside, my 'you have successfully registered' page tells me after I complete the form myself:
'System.Web.UI.WebControls.TextBox, You have successfully registered'.
I can see 'System.Web.UI.WebControls.TextBox' if I hover my mouse over the word 'username' in my Register.aspx.vb file, but I don't know what the source of the error is.
Thanks again, Richard.
|
|
|
|
|
You don't really need the console application, unless you want to play with the methods. All you really need is:
Public Class success
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Dim theName As String = Request.QueryString("Name")
If Not String.IsNullOrEmpty(theName) Then
Name.Text = HttpUtility.HtmlEncode(theName)
End If
End Sub
End Class
As for the page displaying your name as System.Web.UI.WebControls.TextBox, it sounds like you're doing something like:
Response.Redirect(String.Format("success.aspx?name={0}", UserNameTextBox))
You need to pass the value of the TextBox, which is in the .Text property. You should also make sure that you properly encode the value - this time, for a URL:
Dim theName As String = UserNameTextBox.Text
Dim encodedName = HttpUtility.UrlEncode(theName)
Response.Redirect(String.Format("success.aspx?name={0}", encodedName))
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Thanks for that, Richard.
This finally worked:
register.aspx.vb
Dim target = String.Format("~/Success.aspx?Name={0}", username.Text)
' Perform your Redirect '
Response.Redirect(target, True)
success.aspx.vb
Public Class success
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Request("Name") IsNot Nothing Then
' It exists, so set your label (and a trailing comma) to display your name '
Name.Text = String.Format("{0}, ", Request("Name"))
End If
End Sub
End Class
Thanks for your help and for giving me an idea of what to look for.
|
|
|
|
|
That looks very much like the original code you posted. You're missing all of the required encoding.
For example, try entering a username of <script>alert("Test")</script> - you'll either get a message box pop up when the success page loads, or your browser will prevent access to the page with a warning about cross-site scripting.
You need to encode the value according to the context:
register.aspx.vb:
Dim name As String = HttpUtility.UrlEncode(username.Text)
Dim target As String = String.Format("~/Success.aspx?Name={0}", name)
Response.Redirect(target, True)
success.aspx.vb:
Public Class success
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Dim theName As String = Request.QueryString("Name")
If Not String.IsNullOrEmpty(theName) Then
Dim encodedName As String = HttpUtility.HtmlEncode(theName)
Name.Text = String.Format("{0}, ", encodedName)
End If
End Sub
End Class
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Hello Richard
Thanks for that.
I actually have in aspx.vb:
Dim target = String.Format("~/Success.aspx?Name={0}", username.Text)
' Perform your Redirect '
Response.Redirect(target, True)
and in success.aspx.vb:
Public Class success
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Request("Name") IsNot Nothing Then
' It exists, so set your label (and a trailing comma) to display your name '
Name.Text = String.Format("{0}, ", Request("Name"))
End If
End Sub
End Class
That seems to work, but I don't have HttpUtility.UrlEncode or HttpUtility.HtmlEncode.
Thanks again for your time.
|
|
|
|
|
Richard Deeming wrote: it is to prevent a cross-site scripting (XSS)[^] attack.
Yes, I intentionally left that out as to not overwhelm, but valid point.
Note, most browsers do a good job preventing that anyway.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
I have an unordered list of Html.ActionLinks that work just fine except now we want the Admin link to become a hover dropdown with the actual Html.ActionLinks to be contained in the sub-menu items. What I have done is wrap<div> around the main Admin menu item on the Main menu bar and child <div> below. First below is the code I am using to do this:
VIEW
<ul>
<li>@Html.ActionLink("Home", "Index", "Home")|</li>
<li>@Html.ActionLink("My Account", "", "")|</li>
<li>@Html.ActionLink("Admin", "Index", "Admin")|</li>
</ul>
<div align="center">
<div class="content_head">
Admin Main Menu
</div>
<div class="content_body">
@Html.ActionLink("Admin Page", "Index", "Admin")
</div>
<div class="content_body">
@Html.ActionLink("Admin Info", "Index", "Admin")
</div>
</div>
<ul>
<li>@Html.ActionLink("Log Out", "LogOffAbacus", "Home")</li>
</ul>
}
SITE.css
.content_head {
width: 150px;
height: 30px;
background-color: #CCCCCC;
cursor: pointer;
}
.content_body {
display: none;
width: 150px;
height: 50px;
background-color: #9999FF;
}
SITE.js
$(".content_head").hover(function () {
$(".content_body").hide(100);
$(this).next(".content_body").slideToggle("slow");
})n;
Now, this does not work because of jQuery error "Microsoft JScript runtime error: Object expected" and I am unsure why. Now the big question, this method looks likes a bad way of doing this. Is there a better way to do this?
.
|
|
|
|
|
guys;
I gave a problem with __VIEWSTATE hidden input it lays on the page like a huge spider web. I want to reduce its size efficiently without adding enableViewState="false" to every control.
is it possible to do so?
Help people,so poeple can help you.
|
|
|
|
|
|
|
Hello friends, I need your help in this issue. Am working on exam system using asp.net. There is a feature I would like to apply. On the onload event of the welcome page, the application should check the devices' date and compare it with the current date. If the devices' date is not same as current date, the person should be redirected to a warning page with a warning message the device date is not accurate. Please set time and date. Example, if the current date is 10-09-2014 and the devices' date is 09-09-2014, that means the devices' date is not accurate. I really need this because the date and time student logged in will be auto-captured and saved to database for officials' use. I have googled alot but couldn't found any match and am not even sure if am using the right keywords. Please, any idea on how to play around this will be highly appreciated.
|
|
|
|
|
I think that you should not use the client date instead use your server date on student login so you would face no problem as the server date appears on the screen.
Help people,so poeple can help you.
|
|
|
|
|
Thanks. But, how can I capture the server date?
|
|
|
|
|
easily.
When a student logged in you save getdate() which would return the database time. or you pass the value of DateTime.Now for the web server time. and you can do the same for the time you want to send it with the response.
Help people,so poeple can help you.
|
|
|
|
|
Thanks I really appreciate your response. But, when if I use DateTime.Now, is the client device date that will be captured and the date might not be current. This is what am trying to avoid. To be more specific, assuming today's date now which is 11/09/2014 and maybe the student might not have his device date set(assuming the students' device date is 10/08/2014 instead of 11/09/2014, I want to compare the current date with the device date then if match, student should be allowed else should be prompt for system date correction. Anyway? Please.
|
|
|
|
|
Calling DateTime.Now from server-side code will capture the current date and time on the server. The client's date/time settings will have no effect.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Ok. Thanks. But, please how can I call the DateTime.Now on the server side?
|
|
|
|
|
Just add it to the code that's saving the details to the database:
yourInsertCommand.Parameters.AddWithValue("@StartDate", DateTime.Now);
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
I reset my systems' date to incorrect date and tried what you suggested. But, it was the system's date which is inaccurate it captured. Or will this before solve when the site has been host?
|
|
|
|
|
If you're testing the site locally, the client and server will be the same machine. If you change the client's date, then you're also changing the server's date.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
I have .net application which loads data from file into DB2 , Drive iSeries to connect to DB2.
Its running really slow (10,000 rows per 1 hour).
The application is simple doing bunch of inserts/updates. Any idea how I can speed it up?
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
