Wednesday, March 21, 2012

OleDbParameters, Pls help...

Hi, I'm trying to insert this paragraph into an Access DB,

Miniplast <T-Piece> Welding Machine

But it shows me the error below:
Server Error in '/' Application.
------------------------

A potentially dangerous Request.Form value was detected from the client (tb0="...niplast 2 <T-Piece> Welding Ma...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (tb0="...niplast 2 <T-Piece> Welding Ma...").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (tb0="...niplast 2 <T-Piece> Welding Ma...").]
System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
System.Web.HttpRequest.get_Form() +121
System.Web.UI.Page.GetCollectionBasedOnMethod() +70
System.Web.UI.Page.DeterminePostBackMode() +47
System.Web.UI.Page.ProcessRequestMain() +2106
System.Web.UI.Page.ProcessRequest() +218
System.Web.UI.Page.ProcessRequest(HttpContext context) +18
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

Here is my code


Imports System.Data.OleDb

Dim strSql As String = "INSERT INTO ToolNAccessories (Name, Descrip, Price) VALUES" & _
                       " (@Params0, @Params1, @Params2)"
Dim objCmd As New OleDbCommand(strSql, Conn)

' OleDb binds parameters by position, not by name, so the order of the
' .Add calls must match the order of the placeholders in the SQL text.
With objCmd.Parameters
    .Add(New OleDbParameter("@Params0", Tb0.Text))
    .Add(New OleDbParameter("@Params1", Tb1.Text))
    .Add(New OleDbParameter("@Params2", Tb2.Text))
End With
Conn.Open()
objCmd.ExecuteNonQuery()
Conn.Close()

This piece of code was working very well until I inserted

Miniplast <T-Piece> Welding Machine

This sounds like SQL injection... how can it be... I'm using parameters to prevent it already, right?

Any idea what happened? Please guide me on this..

Thanks in advance
life's Ng

On the page, in the @ Page directive, add ValidateRequest="false". This will allow the < and > characters in posted data, but you should then check for script injection.
Thanks douglas,

oh my God.... now I realize there are sooo many injections we're gonna deal with... :(

Mr Douglas, I don't think I'm going to set validateRequest="false"... but I have some questions in my mind..

1. Will my previous error give an attacker any clues to proceed with their job?

2. Can I try some "weird" characters like <>)*&%$^&* as user input on any website? Is that illegal? I just wish to try it out to see whether the web application is secure in this aspect.. will that bring a web server down or something?

Best Regards
life's Ng
Hi Douglas,

I wonder, if I set validateRequest="false", is all I need to check script injection using "Server.HtmlEncode"? Is that correct? Anything else I need to consider?

Regards
life's Ng
If it is acceptable to have users enter < or >, then you will need to set ValidateRequest="false". Failing that, you should think about handling the error in a somewhat more elegant way. I am not totally certain that will address all the issues. Has anyone else looked at this more closely?
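The stack trace in the first post shows what the poster's parameters could never have prevented: the exception is thrown inside HttpRequest.get_Form(), while ASP.NET is still reading the posted fields and before the OleDbCommand runs. Request validation and parameterised SQL guard against different things. Parameters keep the text from being parsed as SQL; request validation was a coarse guard against the text later being parsed as HTML. Once it is switched off for the page, output encoding takes over that job. The following code-behind is an added example written for this thread, not the poster's code or Douglas's. It assumes an Access file App_Data\Tools.mdb, the table ToolNAccessories(Name, Descrip, Price) from the post with Price as a numeric column, TextBoxes Tb0/Tb1/Tb2, a Button BtnSave and a Literal LitMessage; all of these names except the table and the TextBoxes are hypothetical.

```vbnet
' Added example, not the original poster's code. Assumed names: an Access
' file App_Data\Tools.mdb, the table ToolNAccessories(Name, Descrip, Price)
' with a numeric Price column, TextBoxes Tb0/Tb1/Tb2, a Button BtnSave and a
' Literal LitMessage.
'
' Matching .aspx directive, turning validation off for this page only:
'   <%@ Page Language="VB" ValidateRequest="false" Inherits="InsertToolPage" %>
' On .NET 4 that attribute is honoured only with this line in web.config:
'   <httpRuntime requestValidationMode="2.0" />
' and the stack trace shown in the thread stays off the wire with:
'   <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
Imports System
Imports System.Data.OleDb
Imports System.Web
Imports System.Web.UI

Partial Public Class InsertToolPage
    Inherits Page

    Private Const ConnStr As String = _
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\Tools.mdb"

    ' Parameterised INSERT. The Jet OLE DB provider binds parameters by
    ' position and ignores their names, so the AddWithValue calls must follow
    ' the order of the "?" placeholders. The text is stored exactly as typed:
    ' "<T-Piece>" is data here, not markup, and the parameter keeps it from
    ' ever being parsed as SQL.
    Public Shared Sub SaveTool(name As String, descrip As String, price As Decimal)
        Const Sql As String = _
            "INSERT INTO ToolNAccessories (Name, Descrip, Price) VALUES (?, ?, ?)"
        Using conn As New OleDbConnection(ConnStr)
            Using cmd As New OleDbCommand(Sql, conn)
                cmd.Parameters.AddWithValue("@Name", name)
                cmd.Parameters.AddWithValue("@Descrip", descrip)
                cmd.Parameters.AddWithValue("@Price", price)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Output encoding stands in for request validation once it is off: for
    ' "Miniplast <T-Piece> Welding Machine" the browser receives
    ' "Miniplast &lt;T-Piece&gt; Welding Machine" and shows the angle
    ' brackets instead of parsing a tag.
    Public Shared Function ForHtml(value As String) As String
        Return HttpUtility.HtmlEncode(value)
    End Function

    Protected Sub BtnSave_Click(sender As Object, e As EventArgs) Handles BtnSave.Click
        Dim price As Decimal
        If Not Decimal.TryParse(Tb2.Text, price) Then
            LitMessage.Text = "Price must be a number."
            Return
        End If
        SaveTool(Tb0.Text, Tb1.Text, price)
        ' Every place the stored text is written back into HTML goes through
        ' ForHtml, whether the value comes from the TextBox or from the table.
        LitMessage.Text = "Saved: " & ForHtml(Tb0.Text)
    End Sub
End Class
```

Two points about the design. The encoding happens at output, not at input: encoding before the INSERT would corrupt the stored name and still leave any other page that reads the column unprotected, so the rule is "store raw, encode where it is rendered", and that applies to grids, labels and any other control that writes the column into the page, not just this Literal. The customErrors setting answers the poster's first question: with the default yellow error page, the stack trace, control names and part of the posted value are all sent to the client, and RemoteOnly keeps that detail on the server while you still see it locally. The Jet provider named in the connection string is 32-bit only, so the application pool must run in 32-bit mode for this string to work; that is a deployment assumption of the example.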
