I have a scan finding and hope someone can provide ideas as to the best way to resolve the issue. First I will show the scan finding, then my code, and finally the scanner's recommended solution.
Finding
Without proper access control, the method GetAttributeKey() in Provider.cs can execute a SQL statement on line 163 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
My code:
Offending line:
```
myParam.SqlParam.Value = attribute;
```
Method:
```
public string GetAttributeKey(string attribute)
{
    string qry = "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = @attribute";
    QueryContainer Instance = new QueryContainer(qry);
    MyParam myParam = new MyParam();
    myParam.SqlParam = new SqlParameter("@attribute", Instance.AddParameterType(_DbTypes._string));
    myParam.SqlParam.Value = attribute;
    Instance.parameterList.Add(myParam);
    object key = ExecuteScaler(Instance);
    return Convert.ToString(key);
}
```
Scanner's recommended fix:
```
string user = ctx.getAuthenticatedUserName();
Int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand(
    "SELECT * FROM invoices WHERE id = @id AND user = @user", conn);
query.Parameters.AddWithValue("@id", id);
query.Parameters.AddWithValue("@user", user);
SqlDataReader objReader = query.ExecuteReader();
```
modified 8-Jun-15 14:07pm.
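As an added example (not the poster's code and not the scanner's), this is the scanner's suggestion applied to the posted query: the authenticated caller's name is bound into the same parameterized statement, so the database itself never returns a row the caller does not own, whatever the UI did or did not check. It assumes a hypothetical `ws_owner` column on `webservice_attributes`, an open `SqlConnection`, and that the caller passes `HttpContext.Current.User` as the principal.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Principal;

public static class AttributeRepository
{
    // ws_owner is a hypothetical column; the posted schema only names
    // ws_attribute and ws_attribute_key.
    private const string Query =
        "SELECT ws_attribute_key FROM webservice_attributes " +
        "WHERE ws_attribute = @attribute AND ws_owner = @user";

    // Returns the key for an attribute, but only when the row belongs to the
    // authenticated caller. The ownership filter lives in the SQL, so a caller
    // that bypasses the presentation layer still cannot read another user's row.
    public static string GetAttributeKey(SqlConnection conn, IPrincipal caller, string attribute)
    {
        // Refuse anonymous callers before touching the database at all.
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("GetAttributeKey requires an authenticated caller.");

        using (SqlCommand cmd = new SqlCommand(Query, conn))
        {
            // Both values are bound as typed parameters; nothing is concatenated into the SQL.
            cmd.Parameters.Add("@attribute", SqlDbType.NVarChar, 200).Value = attribute;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = caller.Identity.Name;

            // ExecuteScalar returns null when no row matches: either the attribute
            // does not exist or it belongs to someone else. Both cases look the
            // same to the caller, so the response does not reveal which one it was.
            object key = cmd.ExecuteScalar();
            return key == null || key == DBNull.Value ? null : Convert.ToString(key);
        }
    }
}
```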
Message Closed
modified 18-Jun-15 20:52pm.
This finding was determined to be changed to a mitigated warning and was removed as a valid finding. Showing that the caller needs rights to call the method when they are logged into the system is a false finding.
Hi,
I'm planning another social-network-like website, with ASP.NET C# for the back end, and I'm having good feelings about the new stuff in MVC 6 and .NET Framework 6, but I'm squeezing my brain choosing the best technology for my purposes.
I will of course need an entire front-end website, so I may need to use MVC 6, but I want to make several mobile clients too, through a RESTful Web API.
I was wondering whether I should simply use a Web API project for the back end + AngularJS for the front end, but I really don't like the way AngularJS exposes some "server-side" things, such as the route table.
So the question is: should I use a classic MVC project (with normal controllers + Razor views) AND, separately, Web API controllers for the mobile applications? Or maybe Web API + AngularJS?
PS: I don't want to repeat the logic in normal controllers and in Web API controllers.
Since you are going to use ASP.NET MVC 6, do not worry about different standards. ASP.NET MVC 6 is composed of:
- ASP.NET MVC: a very popular web development framework.
- ASP.NET Web Pages: known for its compact structure and easy deployment.
- ASP.NET Web API: known for robust and efficient REST solutions.
That is not all. Angular, Knockout, jQuery and other famous JavaScript libraries are already supported, and tutorials are already posted on CodeProject, ASP.NET's official website and other similar platforms. So for you, the only task is to learn ASP.NET MVC 6. It is the next web development standard from ASP.NET. ASP.NET MVC 6 would allow you to have control over MVC (the source code pattern), Web API (how mobile and other devices communicate) and client-side libraries (already mentioned above).
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
I would like to be able to have, on a plain HTML page, an image that is dynamically created from a link to an ASP.NET page:
```
<img src="http://www.domainname.co.uk/GetImage.aspx?filename=ImageName.png&width=200">
```
I have the following code in the GetImage.aspx page:
```
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Drawing" %>
<%@ Import Namespace="System.Drawing.Imaging" %>
<script runat="server">
    Dim strServerPath, strFilename As String

    Private Sub Page_Load(sender As Object, e As System.EventArgs)
        Dim filename As String = Request.QueryString("filename")
        Dim width As Integer = Integer.Parse(Request.QueryString("width"))
        strServerPath = Server.MapPath("images\")
        strFilename = strServerPath & filename
        ' strFilename is already a physical path; mapping it a second time with
        ' Server.MapPath throws, because MapPath expects a virtual path.
        Me.GenerateThumbnail(strFilename, width)
    End Sub

    Private Sub GenerateThumbnail(filename As String, width As Integer)
        Try
            Using orig As System.Drawing.Image = System.Drawing.Image.FromFile(filename)
                Me.GenerateThumbnail2(orig, New Size(width, CalculateHeight(orig, width)), GetFormat(filename))
            End Using
        Catch ex As Exception
            ' Errors (for example a file that does not exist) are swallowed here,
            ' so the browser receives an empty response and shows no image.
        End Try
    End Sub

    Private Sub GenerateThumbnail2(orig As System.Drawing.Image, size As Size, format As ImageFormat)
        Try
            Using stream As New MemoryStream()
                Dim callback As New System.Drawing.Image.GetThumbnailImageAbort(AddressOf ThumbnailCallback)
                Dim img As System.Drawing.Image = orig.GetThumbnailImage(size.Width, size.Height, callback, IntPtr.Zero)
                img.Save(stream, format)
                ' ImageFormat.ToString() returns "Png" or "Jpeg"; MIME subtypes are lower-case.
                Response.ContentType = "image/" & format.ToString().ToLowerInvariant()
                Response.BinaryWrite(stream.ToArray())
                img.Dispose()
                Response.Flush()
            End Using
        Catch ex As Exception
            ' Fall back to the original file, then to a fixed placeholder image.
            Try
                Dim img As System.Drawing.Image = System.Drawing.Image.FromFile(strFilename)
                img.Save(Response.OutputStream, ImageFormat.Jpeg)
            Catch
                Dim img As System.Drawing.Image = System.Drawing.Image.FromFile(strServerPath & "PaddySheepskinSlippers1.png")
                img.Save(Response.OutputStream, ImageFormat.Jpeg)
            End Try
        End Try
    End Sub

    Private Shared Function GetFormat(filename As String) As ImageFormat
        If filename.EndsWith("jpg") OrElse filename.EndsWith("jpeg") OrElse filename.EndsWith("tiff") Then
            Return ImageFormat.Jpeg
        End If
        Return ImageFormat.Png
    End Function

    Private Shared Function CalculateHeight(img As System.Drawing.Image, desiredWidth As Double) As Integer
        ' Keep the aspect ratio: scale the height by the same factor as the width.
        Dim power As Double = img.Width / desiredWidth
        Return CInt(img.Height / power)
    End Function

    Private Function ThumbnailCallback() As Boolean
        Return False
    End Function
</script>
```
But my HTML page does not display the image.
I would appreciate if someone could tell me what I have done wrong or omitted in the code. Thank you
One thing to try is a Response.Clear at the start of your Page_Load event and a Response.End at the end of it. If that doesn't work, use Fiddler to look at the request for the image and see what the response is; it might shed some light on what the problem is, especially if you compare it against a request for a static image.
You need to validate the filename passed in the query-string. You only want the code to be used to read images directly within the specified path, but it could currently be used to read images anywhere on the server.
You should also use Path.Combine to combine the folder path and file name:
```
Dim filename As String = Request.QueryString("filename")
If filename.IndexOfAny(System.IO.Path.GetInvalidFileNameChars()) <> -1 Then
    Throw New HttpException(400, "Bad request")
End If
Dim width As Integer = Integer.Parse(Request.QueryString("width"))
Dim serverPath As String = Server.MapPath("~/images/")
Dim imagePath As String = System.IO.Path.Combine(serverPath, filename)
GenerateThumbnail(imagePath, width)
```
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
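As an added example (not code from either post), the same validation carried one step further: after the invalid-character check and Path.Combine, the resolved path is canonicalized and required to stay inside the images folder, which also rejects names such as `..` that contain no invalid characters, and the width parameter is bounded as well. Written in C# to match the rest of the page; `imagesRoot` is assumed to be the physical path from `Server.MapPath("~/images/")`.

```csharp
using System;
using System.IO;
using System.Web;

public static class ImagePathValidator
{
    // Returns the physical path of a file inside imagesRoot, or throws a 400/404.
    // imagesRoot is assumed to be Server.MapPath("~/images/") from the page above.
    public static string ResolveImagePath(string imagesRoot, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            throw new HttpException(400, "Bad request");

        // Same check as the answer above: reject separators and other
        // characters that cannot appear in a plain file name.
        if (requestedName.IndexOfAny(Path.GetInvalidFileNameChars()) != -1)
            throw new HttpException(400, "Bad request");

        // Canonicalize both sides so ".." segments and mixed separators are
        // resolved before comparison, then demand the result stays under root.
        string root = Path.GetFullPath(imagesRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new HttpException(400, "Bad request");

        // A directory (for example "." or "..") is not an image either.
        if (!File.Exists(full))
            throw new HttpException(404, "Not found");

        return full;
    }

    // The width is also user-controlled: parse it strictly and bound it so a
    // huge value cannot make the server allocate an enormous bitmap.
    public static int ParseWidth(string value, int max = 2000)
    {
        int width;
        if (!int.TryParse(value, out width) || width < 1 || width > max)
            throw new HttpException(400, "Bad request");
        return width;
    }
}
```

In Page_Load the two helpers replace the raw Request.QueryString reads before GenerateThumbnail is called.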
Hi everybody,
Can anyone tell me what the Eval() and Bind() methods in ASP.NET are and what they are used for?
And what is the difference between the Eval() and Bind() methods?
You can find full details either by a Google search, or by looking at the MSDN documentation.
The first Google result for "asp.net eval bind" has the answer:
Data-Binding Expressions Overview[^]
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Eval is one-way binding; Bind is two-way.
If you bind a value using Eval, it is like read-only: you can only view the data.
If you bind a value using Bind, and you make some change to the value, it will be reflected in the database also.
Eval is used in the front page (*.aspx), like <%# Eval("article_title") %>.
Bind is from the code page (*.cs); it is from a void method of a control's DataBind.
You can search on Google.
Hi all,
I have two methods in a single service, shown below. I will host this service in IIS. I will have only one service URL. The client will consume this service by creating the proxy class as usual. But Method1 should only be displayed to Client A, and Method2 should only be displayed to Client B. How can I handle this scenario? Can you please clarify my doubt? Thanks in advance.
```
using System.ServiceModel;

namespace serviceHide
{
    [ServiceContract]
    interface IServiceHide
    {
        [OperationContract]
        string Method1(string id);
        [OperationContract]
        string Method2(string id);
    }
}
```
You're obviously working on the same project as this guy:
1 wcf service and 2 client[^]
The options haven't changed since last week.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
I can see it now....task given to Employee A who thinks "I'll just ask on CP". Doesn't get a simple "here is the code" answer as the requirement is essentially flawed, so he can't do his task. Task is taken off him and given to Employee B. Employee B thinks "I'll just ask on CP" ....
Don't edit spam in QA, even to add a "Spam" tag.
When you do, you risk the automated system thinking you are the author and you getting the "spammer" votes.
And if you edit it to remove the spam, then you can confuse the spam detector which results in more "false positives" when it picks up "spam / abuse" kicks later.
Best thing to do is just hit the "spam" flag and / or report it in the Spam and Abuse forum - a Protector or Staff member will delete it.
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Thanks for the heads up; I don't think I edited that question? Could be wrong, but I'll keep that in mind anyway. Hard to know when things are marked as spam though, as you only know it has been reported when you report it yourself.
No, you came up as the edit link on this one: How to create Play store Developer account[^] - if you click the "(no name)" link it goes to your user page!
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
Mmm, I did report that as being off-topic but I didn't edit it, I didn't add the spam tag.
Weird, it was actually me (and I take your point above). Click on the v2 link and it shows me as the last editor.
```
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class plrsmkt_calculation : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    // Running total of the "rs" column, accumulated while the rows are bound.
    // The field is recreated on every request, so it only lives for one page load.
    int totalrs = 0;

    protected void GridView1_RowDataBound(object sender, GridViewRowEventArgs e)
    {
        if (e.Row.RowType == DataControlRowType.DataRow)
        {
            totalrs += Convert.ToInt32(DataBinder.Eval(e.Row.DataItem, "rs"));
        }
        else if (e.Row.RowType == DataControlRowType.Footer)
        {
            // The footer is bound after every data row, so the total is complete here.
            e.Row.Cells[1].Text = "Total";
            e.Row.Cells[1].Font.Bold = true;
            e.Row.Cells[2].Text = totalrs.ToString();
            e.Row.Cells[2].Font.Bold = true;
            e.Row.Cells[3].Text = totalrs.ToString();
            e.Row.Cells[3].Font.Bold = true;
        }
    }

    protected void TextBox1_TextChanged(object sender, EventArgs e)
    {
    }
}
```
The above code displays the total of a column, along with all the rows, as per the database,
but now I want to display the total of the same column (without the rows) on another page of my website. Can you help me?
modified 4-Jun-15 13:48pm.