Compromising Security using querystring

Today I came across an issue with query strings. Suppose someone opens a URL that links to a form on my site, and the form saves some information to a table (it updates a row). What happens if I put the row id in the query string? Any user can change the row id in the query string and update any other record, tampering with the database. This class of bug is usually called an insecure direct object reference: the URL names the record directly and nothing checks whether the caller is entitled to it.

This case typically occurs when you send the URL to someone in an automated mail.

Solution to this:

Use a GUID. Create a new GUID, store it in the table in another column next to the row id, put the GUID into the mail text, and mail a URL that carries the GUID as the key to the row rather than the row id. A version 4 GUID, which is what Guid.NewGuid() produces, is effectively 122 random bits, so a recipient cannot reach someone else's record by incrementing a number, which is all the row id version required.

Two things to keep in mind. The GUID in the URL is now a bearer secret (anyone holding the link can update that row), so treat the mail like a password reset link: give the key an expiry and clear it once it has been used. And the key only proves "whoever received this mail"; if the form is also meant to act as a particular logged-in user, still check that user against the record before updating it.

In C# you can use:

System.Guid.NewGuid()
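The approach above carried through as an added example, written for this page rather than taken from the original post or any project. The Requests table (schema in the comment), the ConnStr connection string and the form.aspx page are illustrative assumptions. The vulnerable row-id link is shown next to the hardened one; the hardened version also gives the key an expiry and makes it single-use, which goes beyond what the post itself describes.

```csharp
// Added example, not code from the original post.
// Assumes SQL Server and a table like this (illustrative):
//   CREATE TABLE Requests (
//       RowId        INT IDENTITY PRIMARY KEY,
//       OwnerEmail   NVARCHAR(256) NOT NULL,
//       Token        UNIQUEIDENTIFIER NULL,
//       TokenExpires DATETIME NULL,
//       Answer       NVARCHAR(1000) NULL)
using System;
using System.Data;
using System.Data.SqlClient;

public static class FormLinks
{
    // Assumed connection string; replace with your own.
    const string ConnStr = "Server=.;Database=App;Integrated Security=true;";

    // VULNERABLE: the mailed link carries the row id, so anyone can edit any
    // row simply by changing the number in the query string.
    public static string BuildLinkByRowId(int rowId)
    {
        return "https://example.com/form.aspx?rowid=" + rowId;
    }

    // HARDENED: mint a random GUID, store it on the row with an expiry, and
    // put only the GUID in the URL. The row id never leaves the server.
    public static string IssueLink(int rowId)
    {
        Guid token = Guid.NewGuid();                 // version 4, random
        DateTime expires = DateTime.UtcNow.AddDays(7); // link is valid for a week
        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "UPDATE Requests SET Token = @t, TokenExpires = @e WHERE RowId = @id", cn))
        {
            cmd.Parameters.Add("@t", SqlDbType.UniqueIdentifier).Value = token;
            cmd.Parameters.Add("@e", SqlDbType.DateTime).Value = expires;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = rowId;
            cn.Open();
            cmd.ExecuteNonQuery();
        }
        return "https://example.com/form.aspx?key=" + token.ToString("N");
    }

    // Redeem the key from the query string: update only the row whose token
    // matches and has not expired, and clear the token so the link is single-use.
    // Returns false when the key is missing, malformed, unknown or expired.
    public static bool SaveAnswer(string keyFromQueryString, string answer)
    {
        Guid token;
        if (!Guid.TryParseExact(keyFromQueryString, "N", out token))
            return false;                            // reject junk before touching the DB

        using (var cn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "UPDATE Requests SET Answer = @a, Token = NULL, TokenExpires = NULL " +
            "WHERE Token = @t AND TokenExpires > GETUTCDATE()", cn))
        {
            cmd.Parameters.Add("@a", SqlDbType.NVarChar, 1000).Value = answer;
            cmd.Parameters.Add("@t", SqlDbType.UniqueIdentifier).Value = token;
            cn.Open();
            return cmd.ExecuteNonQuery() == 1;       // 0 rows means the key was not valid
        }
    }
}
```

In the form's code-behind the save button would call FormLinks.SaveAnswer(Request.QueryString["key"], txtAnswer.Text) and show an error when it returns false. Both statements are parameterized, so the key cannot be turned into SQL injection either, and a wrong or stale key simply updates zero rows instead of someone else's record.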


Using Masterpages – HTML Meta Tags in .Net

Faced another problem today, with meta tags. In .NET you can change a page's meta tags programmatically easily enough when the page does not use a master page. When the page does use a master page, and the master page already carries default Description and Keywords meta tags, you have to change those controls in the master page itself; otherwise the master page's defaults are what gets rendered.

If you want to change meta tags that are present in a master page, use this code.

Master page markup (the head and both meta tags need runat="server" and an id so the content page can find them):

<head id="mainHead" runat="server">
    <meta id="Description" runat="server" name="Description" content="Default Description" />
    <meta id="Keywords" runat="server" name="Keywords" content="Default Keywords" />
</head>

Code-behind of the content page (VB.NET):

Imports System.Web.UI.HtmlControls

Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
    ' The master page's <head runat="server"> control; handy if you also want to add tags to it.
    Dim hdMain As HtmlHead = DirectCast(Page.Master.FindControl("mainHead"), HtmlHead)

    ' The two <meta> controls declared in the master page.
    Dim metaDesc As HtmlMeta = DirectCast(Page.Master.FindControl("Description"), HtmlMeta)
    Dim metaKeywords As HtmlMeta = DirectCast(Page.Master.FindControl("Keywords"), HtmlMeta)

    ' Overwrite the master page defaults for this content page.
    metaDesc.Content = "Test"
    metaKeywords.Content = "keyword1, keyword2, keyword3, keyword4"
End Sub

Note that FindControl returns Nothing when the id does not exist in the master page, and DirectCast passes that through, so a mistyped id shows up as a NullReferenceException on the first .Content assignment rather than at the FindControl call.

 

Cache in ASP Classic

Expire Cache and Cookies in ASP Classic

Here are the commands to place at the top of your ASP scripts to ensure that the page is not cached:

Response.Expires = 60
Response.Expires is measured in minutes, not seconds, so on its own this line would still allow the page to be cached for an hour. It is the ExpiresAbsolute and Cache-Control lines below that actually defeat caching; if you want this line alone to do the job, use 0 or -1.

Response.ExpiresAbsolute = Now() - 2
This says "expire this page 48 hours ago" (the value is in days), which allows for clock differences between server and client rather than relying on a static date.

Response.AddHeader "pragma", "no-cache"
Response.AddHeader "cache-control", "private"
Response.CacheControl = "no-cache"

Note that no-cache only forces the browser or proxy to revalidate before reusing its copy; it does not stop the response being written to disk. For pages that display sensitive data (account details, reset links), send no-store as well, for example Response.AddHeader "cache-control", "no-store, no-cache, private".

ASP Classic Recordset states

The State property returns a value that describes whether the object is open, closed, connecting, executing or retrieving data. The value is an ObjectStateEnum; the default is adStateClosed.

This property can be used with the Command, Connection, Record, Recordset and Stream objects.

The State property is a bit mask and can hold a combination of values. While a statement is executing, for example, the property holds adStateOpen Or adStateExecuting.

  1. adStateClosed value=0 The object is closed
  2. adStateOpen value=1 The object is open
  3. adStateConnecting value=2 The object is connecting
  4. adStateExecuting value=4 The object is executing a command
  5. adStateFetching value=8 The rows of the object are being retrieved

Because the value is a bit mask, test the open bit with And rather than comparing for equality: rs.State = adStateOpen is False while an open recordset is still fetching asynchronously (State = 9). The constants come from adovbs.inc (or a METADATA TYPELIB reference to the ADO type library); if you use neither, declare them yourself, e.g. Const adStateOpen = 1.

To check if a recordset is open you can use

If (rs.State And adStateOpen) = adStateOpen Then
    ' the recordset is open
End If

To close it only if it is open, use

If (rs.State And adStateOpen) = adStateOpen Then
    rs.Close
End If
Set rs = Nothing

Removing spaces in MSSQL

To remove spaces in MSSQL using a query, you can use LTRIM(columnname) to remove the leading spaces, RTRIM(columnname) to remove the trailing spaces, or both: LTRIM(RTRIM(columnname)).

Still, I faced a problem today: the script did not remove spaces from the middle of a value. With " abc @xyz.com ", LTRIM removes the space before "abc" and RTRIM removes the space after ".com", but the space between "abc" and "@xyz.com" stays. To remove every space in the value you can use the REPLACE function:

REPLACE(columnname, ' ', '')

Be aware that this strips all spaces, including legitimate ones, so apply it only to columns where an interior space is never valid (an email address, a numeric code), not to free-text fields such as names or addresses. Also, LTRIM, RTRIM and REPLACE with ' ' only touch the ordinary space character (CHAR(32)); tabs, line breaks and non-breaking spaces (CHAR(9), CHAR(13), CHAR(10), CHAR(160)) each need their own REPLACE.

SQL Server 2005 linking another server in management studio express

If you have two servers, A and B, and you want to link server B inside Management Studio Express on server A so that you can run queries against a database on server B while remaining connected to server A, or if you want to write join queries across data on both servers, you can use the linked server facility of SQL Server.

Here is the query you can use to link a new server:

EXEC sp_addlinkedserver
    @server = 'linkedsql',      -- the name you will use for this server in queries from now on
    @srvproduct = '',           -- product name; can be left empty when a provider is given
    @provider = 'SQLNCLI',      -- SQL Server Native Client OLE DB provider
    @datasrc = 'ip\servername'  -- host name or IP of server B, with \instance for a named instance

When you have linked the server and want to query it, you use four-part names:

SELECT * FROM linkedsql.dbname.dbo.tablename

But it may give you this error:

Msg 18452, Level 14, State 1, Line 1
Login failed for user ''. The user is not associated with a trusted SQL Server connection.

By default the linked server connects with the Windows identity of whoever runs the query (the default mapping that sp_addlinkedserver creates is "use self"), and it fails like this when server B cannot accept that forwarded identity, typically because Kerberos delegation is not set up between the two servers and the connection arrives as an anonymous login. You then have to provide SQL Server credentials for the linked server.

You can use the following query to set the login and password that the linked server uses:

EXEC sp_addlinkedsrvlogin 'linkedsql', 'false', NULL, 'userid', 'password'

The third argument is the local login this mapping applies to. NULL, as above, means every login on server A that can reach the linked server connects to server B as userid, so that remote login's permissions are effectively handed to all of them. For anything beyond a one-off, map only the specific local logins that need the link (pass the local login name instead of NULL) and give userid on server B only the rights those queries need, for example read access to the tables being joined. The password is stored on server A, so anyone who controls server A can use it as well.

You can also do this in Object Explorer: Linked Servers, right-click the server, Properties, Security, choose "Be made using this security context", then enter the user id and password and click OK.