ASP.NET
Answer: related to itext sharp - iText use for commercial purpose
Abhishek Pant, 6-Feb-13 20:07

Answer: Re: related to itext sharp
Sandeep Mewara, 2-Feb-13 1:24

Question: Display image using handler.ashx what wrong my code
Michael5119, 31-Jan-13 21:43

Answer: Re: Display image using handler.ashx what wrong my code
Richard Deeming, 1-Feb-13 3:17
Apart from the fact that you're not setting the ContentType of the response, you have a SQL injection vulnerability in your code:
string imageid = context.Request.QueryString["UserID"];
...
new SqlCommand("select UserID,Image FROM Users where UserID=" + imageid, connection);

Anyone with access to your site could call Handler.ashx?UserID=1;DELETE FROM Users;, and your code would happily execute two queries: one to select the image for UserID 1, and one to delete all records from the Users table.

Change your code to use a parameterized query:
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public sealed class Handler : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        string imageid = context.Request.QueryString["UserID"];
        string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

        // Use "using" blocks to clean up automatically:
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = new SqlCommand("SELECT UserID, Image FROM Users WHERE UserID = @UserID", connection))
        {
            // Use a parameterized query to avoid SQL injection:
            command.Parameters.AddWithValue("@UserID", imageid);

            connection.Open();
            using (SqlDataReader dr = command.ExecuteReader(CommandBehavior.CloseConnection))
            {
                // The image might not exist!
                if (!dr.Read()) throw new HttpException(404, "Image not found.");

                // Add the correct type here:
                context.Response.ContentType = "image/jpeg";
                context.Response.BinaryWrite((byte[])dr[dr.GetOrdinal("Image")]);
            }
        }
    }

    public bool IsReusable
    {
        get { return true; }
    }
}




"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
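The injection described in the answer above, as an added example that is not part of the original thread or the poster's code. It is written in Python against an in-memory sqlite3 database (an assumption; the thread uses SQL Server and ADO.NET) so it runs offline: the vulnerable handler concatenates the query-string value exactly as the original .ashx did, the hardened handler uses a bound parameter exactly as the answer recommends, and a third variant adds the integer check a practitioner would put in front of the query. Because sqlite3's execute() refuses stacked statements, the vulnerable path runs a crude ';'-split batch to mimic the SQL Server batch semantics that make `1;DELETE FROM Users;` work. It goes slightly beyond the answer by also showing the `1 OR 1=1` variant, which leaks every user's image rather than deleting rows. The sample Users rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, each with a fake image blob."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Image BLOB)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [(1, b"\xff\xd8img1"), (2, b"\xff\xd8img2"), (3, b"\xff\xd8img3")],
    )
    conn.commit()
    return conn


def count_users(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0]


def run_batch(conn: sqlite3.Connection, sql_text: str) -> list:
    """Crude stand-in for SQL Server batch execution (an assumption for this
    demo, not a sqlite feature): each ';'-separated statement is executed in
    order, and the rows of the first SELECT are returned. This is what lets an
    injected DELETE run after the SELECT the handler meant to issue."""
    first_rows = None
    for stmt in (s.strip() for s in sql_text.split(";")):
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if first_rows is None and cur.description is not None:
            first_rows = cur.fetchall()
    conn.commit()
    return first_rows or []


def vulnerable_image(conn: sqlite3.Connection, userid_param: str) -> list:
    """Mirrors the original handler: the raw query-string value is glued into
    the SQL text, so the attacker controls the rest of the batch."""
    sql = "SELECT UserID, Image FROM Users WHERE UserID=" + userid_param
    return run_batch(conn, sql)


def parameterized_image(conn: sqlite3.Connection, userid_param) -> list:
    """Mirrors the answer's fix (AddWithValue with the raw string): the value is
    bound as data, never parsed as SQL, so '1;DELETE FROM Users;' is simply a
    string that matches no UserID."""
    return conn.execute(
        "SELECT UserID, Image FROM Users WHERE UserID = ?", (userid_param,)
    ).fetchall()


def hardened_image(conn: sqlite3.Connection, userid_param):
    """Parameterized query plus the check a practitioner would add: parse the
    id as an integer first, so a malformed value becomes a 400 before any
    query runs, and a missing row becomes a 404. Returns (status, image)."""
    try:
        userid = int(userid_param)
    except (TypeError, ValueError):
        return 400, None
    row = conn.execute(
        "SELECT UserID, Image FROM Users WHERE UserID = ?", (userid,)
    ).fetchone()
    if row is None:
        return 404, None
    return 200, row[1]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest request:", vulnerable_image(db, "1"))
    print("vulnerable, 1 OR 1=1 leaks:", len(vulnerable_image(db, "1 OR 1=1")), "rows")
    vulnerable_image(db, "1;DELETE FROM Users;")
    print("vulnerable, users left after injected DELETE:", count_users(db))
    db = make_db()
    print("parameterized, injected value:", parameterized_image(db, "1;DELETE FROM Users;"))
    print("hardened, injected value:", hardened_image(db, "1;DELETE FROM Users;"))
    print("users left:", count_users(db))
```

The second function is the important one: binding the value as a parameter is sufficient on its own to stop both payloads, and the integer check in the third function is hygiene (a clear 400 instead of a type-conversion error from the database), not the thing that prevents the injection.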


General: Re: Display image using handler.ashx what wrong my code
Michael5119, 1-Feb-13 5:16

General: Re: Display image using handler.ashx what wrong my code
Richard Deeming, 1-Feb-13 6:36

General: Re: Display image using handler.ashx what wrong my code
Michael5119, 1-Feb-13 6:58

General: Re: Display image using handler.ashx what wrong my code
Michael5119, 1-Feb-13 8:03

General: Re: Display image using handler.ashx what wrong my code
Richard Deeming, 1-Feb-13 9:12

General: Re: Display image using handler.ashx what wrong my code
Michael5119, 8-Feb-13 21:10

Last Updated 25 Mar 2017
Copyright © CodeProject, 1999-2017