Compromising Security using querystring

Today I came across an issue with querystrings. Suppose someone opens a URL that links to a form on my site, and the form in turn saves some information in a table (updates a row). What happens if I put the row id in the querystring? Then any user can change the row id in the querystring and update any other record, tampering with the DB.

This case occurs when you are sending a URL to someone in an automated mail.

Solution to this:

Use a GUID: create a new GUID, store it in the table alongside the row id, put the GUID into the mail text, and mail a URL that carries the GUID as the key to the row rather than the row id.

In C# you can create one with:

System.Guid.NewGuid()
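To show what the GUID buys you, here is an added example (not code from the original post, and in Python with an in-memory SQLite table rather than ASP.NET, so it can run anywhere). The table, the `invitations` name, the `key` querystring parameter and the sample addresses are all constructed for the example. The weak variant updates whatever row id the querystring names; the fixed variant only updates a row whose stored token matches, and a token that does not exist updates nothing.

```python
import sqlite3
import uuid

# Constructed sample table standing in for the post's "table with another id":
# each row keeps its sequential id AND an unguessable token used in mailed links.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE invitations ("
        " id INTEGER PRIMARY KEY,"
        " token TEXT UNIQUE NOT NULL,"   # the GUID; UNIQUE so two rows never share a link
        " email TEXT,"
        " confirmed INTEGER DEFAULT 0)"
    )
    for email in ("alice@example.com", "bob@example.com"):   # constructed recipients
        con.execute("INSERT INTO invitations (token, email) VALUES (?, ?)",
                    (str(uuid.uuid4()), email))   # uuid4 is the Python counterpart of Guid.NewGuid()
    con.commit()
    return con

def token_for(con, email):
    """Return the token that would be embedded in the automated mail for this recipient."""
    return con.execute("SELECT token FROM invitations WHERE email = ?", (email,)).fetchone()[0]

def make_link(base_url, token):
    """Build the mailed URL; the querystring carries the GUID, never the row id."""
    return f"{base_url}?key={token}"

def update_by_rowid(con, rowid):
    """The weak design: the querystring carries the row id, so any integer selects a row."""
    cur = con.execute("UPDATE invitations SET confirmed = 1 WHERE id = ?", (rowid,))
    con.commit()
    return cur.rowcount   # 1 whenever the guessed id exists, whoever it belongs to

def is_valid_token_format(value):
    """Reject anything that is not a well-formed UUID before touching the database."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError):
        return False

def update_by_token(con, token):
    """The fix from the post: look the row up by its GUID; unknown or malformed tokens update nothing."""
    if not is_valid_token_format(token):
        return 0
    cur = con.execute("UPDATE invitations SET confirmed = 1 WHERE token = ?", (token,))
    con.commit()
    return cur.rowcount

if __name__ == "__main__":
    con = build_db()
    link = make_link("https://example.invalid/confirm.aspx", token_for(con, "alice@example.com"))
    print(link)
    print("rows updated via mailed token:", update_by_token(con, link.split("key=")[1]))
    print("rows updated via guessed id 2:", update_by_rowid(con, 2))
```

The token only helps if it is generated with a cryptographically random source (both `Guid.NewGuid()` and `uuid.uuid4()` are) and stored with a UNIQUE constraint; a sequential or timestamp-derived value would be just as guessable as the row id.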


Using Masterpages – HTML Meta Tags in .Net

Faced another problem today, about meta tags. In .NET, changing the meta tags of a page programmatically works as expected when the page does not use a master page; when it does, the master page holds the default content for the description and the keywords, and those are the tags you have to change.

If you want to change meta tags that are present in master pages, use this code:

Master Page Code

<meta id="Description" runat="Server" name="Description" content="Default Description" />
<meta id="Keywords" runat="Server" name="Keywords" content="Default Keywords" />

Code behind file of the content page

Imports System.Web.UI.HtmlControls

' "mainHead" is assumed to be the id of the master page's <head runat="server"> element (not shown above);
' hdMain is looked up here but not needed for the two meta tags below.
Dim hdMain As HtmlHead = DirectCast(Page.Master.FindControl("mainHead"), HtmlHead)

' The meta tags are server controls on the master page, so they are found through Page.Master.
Dim metaDesc As HtmlMeta = DirectCast(Page.Master.FindControl("Description"), HtmlMeta)
Dim metaKeywords As HtmlMeta = DirectCast(Page.Master.FindControl("Keywords"), HtmlMeta)

metaDesc.Content = "Test"
metaKeywords.Content = "keyword1, keyword2, keyword3, keyword4"

Cache in ASP Classic

Expire Cache and Cookies in ASP Classic

Here are the commands to place at the top of your ASP scripts to ensure that the page is not cached:

Response.Expires = 60
is said to expire at 60 seconds, not 0.

Response.ExpiresAbsolute = Now() - 2
says "expire this page 48 hours ago", allowing for time differences, rather than specifying a static date.

Response.AddHeader "pragma", "no-cache"
Response.AddHeader "cache-control", "private"
Response.CacheControl = "no-cache"
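As an added check (not part of the original post, and in Python rather than ASP), here is a small evaluator for the headers those lines produce. It applies the usual cache rules: `Cache-Control: no-cache`/`no-store` or `Pragma: no-cache` suppress caching, an `Expires` date in the past or an unparsable one counts as already expired, and anything else, including an `Expires` date in the future on its own, leaves the page cacheable. The header sets and the fixed clock are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def prevents_caching(headers, now=None):
    """Return True when the response headers tell HTTP caches not to reuse the page.

    Header names are compared case-insensitively.
      - Cache-Control containing no-cache or no-store -> not cached
      - Pragma: no-cache                              -> not cached (HTTP/1.0 caches)
      - Expires in the past, or not a valid date      -> not cached (treated as expired)
      - anything else, including a future Expires     -> may be cached
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "").lower()
    if "no-cache" in cc or "no-store" in cc:
        return True
    if "no-cache" in h.get("pragma", "").lower():
        return True
    expires = h.get("expires")
    if expires is not None:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return True   # an invalid Expires date is treated as "already expired"
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False

# Constructed clock so the results are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed header set roughly matching what the ASP lines above emit:
# Expires two days back (ExpiresAbsolute = Now() - 2), Pragma and Cache-Control both no-cache.
ASP_NO_CACHE = {
    "Expires": "Sat, 30 Dec 2023 12:00:00 GMT",
    "Pragma": "no-cache",
    "Cache-Control": "private, no-cache",
}

# Constructed header set with only a future Expires and nothing else: still cacheable.
FUTURE_EXPIRES_ONLY = {"Expires": "Mon, 01 Jan 2024 13:00:00 GMT"}

if __name__ == "__main__":
    for name, hdrs in (("ASP_NO_CACHE", ASP_NO_CACHE), ("FUTURE_EXPIRES_ONLY", FUTURE_EXPIRES_ONLY)):
        print(name, "->", "not cached" if prevents_caching(hdrs, NOW) else "may be cached")
```

Running it on a real response (for example the header dict from `urllib.request.urlopen(...).headers`) is a quick way to confirm that a page which must not be cached actually sends all three directives, since older proxies honour only `Pragma` and `Expires`.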

Mime Types for IIS on Server 2003

MIME Maps (Extension, MIME Type)

.323 text/h323
.3gp audio/3gpp
.3gp video/3gpp
.IVF video/x-ivf
.Mtx Application/metastream
.aaf application/octet-stream
.aca application/octet-stream
.ace application/x-compressed
.acx application/internet-property-stream
.aer Application/atmosphere
.afm application/octet-stream
.ai application/postscript
.aif audio/x-aiff
.aifc audio/aiff
.aiff audio/aiff
.application application/x-ms-application
.art image/x-jg
.as text/plain
.asd application/octet-stream
.asf video/x-ms-asf
.asi application/octet-stream
.asm text/plain
.asr video/x-ms-asf
.asx video/x-ms-asf
.au audio/basic
.avi video/x-msvideo
.axs application/olescript
.bas text/plain
.bcpio application/x-bcpio
.bin application/octet-stream
.bmp image/bmp
.c text/plain
.cab application/octet-stream
.cat application/vnd.ms-pki.seccat
.cdf application/x-cdf
.cfg 3DVista CFG
.chm application/octet-stream
.class application/x-java-applet
.clp application/x-msclip
.cmx image/x-cmx
.cnf text/plain
.co application/x-cult3d-object
.cod image/cis-cod
.cpio application/x-cpio
.cpp text/plain
.crd application/x-mscardfile
.crl application/pkix-crl
.crt application/x-x509-ca-cert
.csh application/x-csh
.css text/css
.csv application/octet-stream
.cur application/octet-stream
.dcr application/x-director
.deploy application/octet-stream
.der application/x-x509-ca-cert
.dib image/bmp
.dir application/x-director
.disco text/xml
.djv Image/x.djvu
.djvu Image/x.djvu
.dll application/x-msdownload
.dlm text/dlm
.dnl application/x-msdownload
.doc application/msword
.dot application/msword
.dsp application/octet-stream
.dtd text/xml
.dvi application/x-dvi
.dwf drawing/x-dwf
.dwg image/x-dwg
.dwp application/octet-stream
.dxr application/x-director
.eml message/rfc822
.emz application/octet-stream
.eot application/octet-stream
.eps application/postscript
.etx text/x-setext
.evy application/envoy
.exe application/octet-stream
.fdf application/vnd.fdf
.fif application/fractals
.fla application/octet-stream
.flr x-world/x-vrml
.flv application/x-shockwave-flash
.gif image/gif
.gtar application/x-gtar
.gz application/x-gzip
.h text/plain
.hdf application/x-hdf
.hdml text/x-hdml
.hhc application/x-oleobject
.hhk application/octet-stream
.hhp application/octet-stream
.hlp application/winhlp
.hqx application/mac-binhex40
.hta application/hta
.htc text/x-component
.htm text/html
.html text/html
.htt text/webviewhtml
.hxt text/html
.ico image/x-icon
.ics application/octet-stream
.ief image/ief
.iii application/x-iphone
.inf application/octet-stream
.ins application/x-internet-signup
.ips application/x-ipscript
.ipx application/x-ipix
.isp application/x-internet-signup
.ivr i-world/i-vrml
.jad text/vnd.sun.j2me.app-descriptor
.jar application/java-archive
.java application/octet-stream
.jck application/liquidmotion
.jcz application/liquidmotion
.jfif image/pjpeg
.jpb application/octet-stream
.jpe image/jpeg
.jpeg image/jpeg
.jpg image/jpeg
.js application/x-javascript
.kml Application/vnd.google-earth.kml+xml
.kmz Application/vnd.google-earth.kmz
.latex application/x-latex
.lit application/x-ms-reader
.lpk application/octet-stream
.lsf video/x-la-asf
.lsx video/x-la-asf
.lzh application/octet-stream
.m13 application/x-msmediaview
.m14 application/x-msmediaview
.m1v video/mpeg
.m3u audio/x-mpegurl
.man application/x-troff-man
.manifest application/x-ms-manifest
.map text/plain
.mdb application/x-msaccess
.mdp application/octet-stream
.me application/x-troff-me
.mht message/rfc822
.mhtml message/rfc822
.mid audio/mid
.midi audio/mid
.mix application/octet-stream
.mmf application/x-smaf
.mno text/xml
.mny application/x-msmoney
.mov video/quicktime
.movie video/x-sgi-movie
.mp2 video/mpeg
.mp3 audio/mpeg
.mp4 Video/mp4
.mp4 video/mp4
.mpa video/mpeg
.mpe video/mpeg
.mpeg video/mpeg
.mpg video/mpeg
.mpp application/vnd.ms-project
.mpv2 video/mpeg
.ms application/x-troff-ms
.msi application/octet-stream
.mts Application/metastream
.mvb application/x-msmediaview
.mw2 Image/x.mw2
.mwx Image/x.mwx
.nc application/x-netcdf
.nsc video/x-ms-asf
.nws message/rfc822
.ocx application/octet-stream
.oda application/oda
.ods application/oleobject
.odt application/vnd.oasis.opendocument.text
.p10 application/pkcs10
.p12 application/x-pkcs12
.p7b application/x-pkcs7-certificates
.p7c application/pkcs7-mime
.p7m application/pkcs7-mime
.p7r application/x-pkcs7-certreqresp
.p7s application/pkcs7-signature
.pbm image/x-portable-bitmap
.pcx application/octet-stream
.pcz application/octet-stream
.pdf application/pdf
.pfb application/octet-stream
.pfm application/octet-stream
.pfx application/x-pkcs12
.pgm image/x-portable-graymap
.pko application/vnd.ms-pki.pko
.pma application/x-perfmon
.pmc application/x-perfmon
.pml application/x-perfmon
.pmr application/x-perfmon
.pmw application/x-perfmon
.png image/png
.pnm image/x-portable-anymap
.pnz image/png
.pot application/vnd.ms-powerpoint
.ppm image/x-portable-pixmap
.pps application/vnd.ms-powerpoint
.ppt application/vnd.ms-powerpoint
.prf application/pics-rules
.prm application/octet-stream
.prx application/octet-stream
.ps application/postscript
.psd application/octet-stream
.psm application/octet-stream
.psp application/octet-stream
.pub application/x-mspublisher
.qt video/quicktime
.qtl application/x-quicktimeplayer
.qxd application/octet-stream
.ra audio/x-pn-realaudio
.ram audio/x-pn-realaudio
.rar application/octet-stream
.ras image/x-cmu-raster
.rba 3DVista Audio
.rdf application/xml
.rf image/vnd.rn-realflash
.rgb image/x-rgb
.rm application/vnd.rn-realmedia
.rmi audio/mid
.rmvb application/vnd.rn-realmedia-vbr
.roff application/x-troff
.rpm audio/x-pn-realaudio-plugin
.rtf application/rtf
.rtx text/richtext
.scd application/x-msschedule
.sct text/scriptlet
.sea application/octet-stream
.setpay application/set-payment-initiation
.setreg application/set-registration-initiation
.sgml text/sgml
.sh application/x-sh
.shar application/x-shar
.sit application/x-stuffit
.ski 3DVista SKI
.skz 3DVista SKZ
.smd audio/x-smd
.smi application/octet-stream
.smx audio/x-smd
.smz audio/x-smd
.snd audio/basic
.snp application/octet-stream
.spc application/x-pkcs7-certificates
.spl application/futuresplash
.src application/x-wais-source
.ssm application/streamingmedia
.sst application/vnd.ms-pki.certstore
.stl application/vnd.ms-pki.stl
.sv4cpio application/x-sv4cpio
.sv4crc application/x-sv4crc
.svg image/svg+xml
.svg2 image/svg+xml
.svgz image/svg+xml
.swf application/x-shockwave-flash
.t application/x-troff
.tar application/x-tar
.tcl application/x-tcl
.tex application/x-tex
.texi application/x-texinfo
.texinfo application/x-texinfo
.tgz application/x-compressed
.thn application/octet-stream
.tif image/tiff
.tiff image/tiff
.toc application/octet-stream
.tr application/x-troff
.trm application/x-msterminal
.tsv text/tab-separated-values
.ttf application/octet-stream
.txt text/plain
.u32 application/octet-stream
.uls text/iuls
.ustar application/x-ustar
.utx Text/xml
.vbs text/vbscript
.vcf text/x-vcard
.vcs text/plain
.vdx application/vnd.visio
.vml text/xml
.vsd application/vnd.visio
.vss application/vnd.visio
.vst application/vnd.visio
.vsw application/vnd.visio
.vsx application/vnd.visio
.vtx application/vnd.visio
.wav audio/wav
.wax audio/x-ms-wax
.wbmp image/vnd.wap.wbmp
.wcm application/vnd.ms-works
.wdb application/vnd.ms-works
.wks application/vnd.ms-works
.wm video/x-ms-wm
.wma audio/x-ms-wma
.wmd application/x-ms-wmd
.wmf application/x-msmetafile
.wml text/vnd.wap.wml
.wmlc application/vnd.wap.wmlc
.wmls text/vnd.wap.wmlscript
.wmlsc application/vnd.wap.wmlscriptc
.wmp video/x-ms-wmp
.wmv video/x-ms-wmv
.wmx video/x-ms-wmx
.wmz application/x-ms-wmz
.wps application/vnd.ms-works
.wri application/x-mswrite
.wrl x-world/x-vrml
.wrz x-world/x-vrml
.wsdl text/xml
.wvx video/x-ms-wvx
.x application/directx
.xaf x-world/x-vrml
.xbm image/x-xbitmap
.xdr text/plain
.xla application/vnd.ms-excel
.xlc application/vnd.ms-excel
.xlm application/vnd.ms-excel
.xls application/vnd.ms-excel
.xlt application/vnd.ms-excel
.xlw application/vnd.ms-excel
.xml text/xml
.xof x-world/x-vrml
.xpm image/x-xpixmap
.xsd text/xml
.xsf text/xml
.xsl text/xml
.xslt text/xml
.xsn application/octet-stream
.xwd image/x-xwindowdump
.z application/x-compress
.zip application/x-zip-compressed

Please let me know if something is missing and needs to be added.

ASP Classic Recordset states

The State property returns a value that describes whether the object is open, closed, connecting, executing or retrieving data. The returned value is an ObjectStateEnum value. The default is adStateClosed.

This property can be used with the Command, Connection, Record, Recordset, and Stream objects.

The State property can have a combination of values. If a statement is executing, this property will have a combined value of adStateOpen and adStateExecuting.

  1. adStateClosed value=0 The object is closed
  2. adStateOpen value=1 The object is open
  3. adStateConnecting value=2 The object is connecting
  4. adStateExecuting value=4 The object is executing a command
  5. adStateFetching value=8 The rows of the object are being retrieved

To check if a recordset is open you can use

' adStateOpen = 1; define it yourself (Const adStateOpen = 1) or include adovbs.inc
If rs.State = adStateOpen Then

End If

To close it if it is open, use

If rs.State = adStateOpen Then
    rs.Close
End If
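Because State is a set of flags, an equality test against adStateOpen is false while a statement is executing (State is then adStateOpen + adStateExecuting = 5). The following is an added example, not code from the post and in Python rather than VBScript, that decodes a combined State value and contrasts the exact comparison above with a bit test; the constant values are the ones listed in the post.

```python
# ADO ObjectStateEnum values as listed in the post.
AD_STATE = {
    "adStateClosed": 0,
    "adStateOpen": 1,
    "adStateConnecting": 2,
    "adStateExecuting": 4,
    "adStateFetching": 8,
}
KNOWN_BITS = sum(v for v in AD_STATE.values())

def decode_state(value):
    """Return the names of every flag set in a State value ([adStateClosed] for 0).

    Bits outside the documented set are reported as unknown(0x..) rather than dropped.
    """
    if value == 0:
        return ["adStateClosed"]
    names = [name for name, bit in AD_STATE.items() if bit and value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def is_open_exact(state):
    """The check as written in the post: true only when State is exactly adStateOpen (1)."""
    return state == AD_STATE["adStateOpen"]

def is_open_bitwise(state):
    """Flag-aware check: true whenever the adStateOpen bit is set, e.g. 5 = open + executing."""
    return bool(state & AD_STATE["adStateOpen"])

if __name__ == "__main__":
    for state in (0, 1, 5, 9):
        print(state, decode_state(state),
              "exact:", is_open_exact(state), "bitwise:", is_open_bitwise(state))
```

In VBScript the equivalent flag-aware test is `If (rs.State And adStateOpen) = adStateOpen Then`; the exact comparison from the post is fine for a recordset that is idle, which is the usual situation just before a `rs.Close`.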

Removing spaces in MSSQL

To remove spaces in MSSQL using a query,
you can use ltrim(columnname) to remove spaces before the value, or
you can use rtrim(columnname) to remove the trailing spaces.

Still, I faced a problem today: the script did not remove the spaces from the middle of a value.
If we have ' abc @xyz.com ', ltrim will remove the space before 'abc' and rtrim will remove the space after '.com', but the space between 'abc' and '@xyz.com' will not be removed. To remove every space in the value you can use the replace function:
replace(columnname, ' ', '')

SQL Server 2005 linking another server in management studio express

Suppose you have two servers, A and B, and you want to link Server B within Management Studio Express on Server A so that you can run queries against a database on Server B while staying connected to Server A,

or you want to write join queries over data from both servers. You can use the linked server facility of SQL Server.

Here is the query you can use to link a new server:

EXEC sp_addlinkedserver
   @server = 'linkedsql',      -- this will be the server name that will be used in queries later on
   @srvproduct = '',
   @provider = 'SQLNCLI',      -- this is the product (OLE DB provider) information
   @datasrc = 'ip\servername'  -- this is the server information

When you have linked the server and want to query it, you can use a query like

select * from linkedsql.dbname.dbo.tablename

but it will give you this error:

Msg 18452, Level 14, State 1, Line 1

Login failed for user ”. The user is not associated with a trusted SQL Server connection

You have to provide the user credentials (user id and password) for the remote SQL Server.

You can use the following query to register the user id and password for the linked server:

EXEC sp_addlinkedsrvlogin 'linkedsql', 'false', NULL, 'userid', 'password'

You can also use Object Explorer -> Linked Servers -> Properties -> Security -> "Be made using this security context", then enter the user id and password and click OK.
