Wednesday, February 18, 2009

Responses to ValidateRequest="false" ?

I'm having to set ValidateRequest="false" on one of my pages because users need to enter a value that contains an HTML tag (well, ASP.NET thinks it is anyway). I understand the "potentially dangerous request.form detected" error and why it is being thrown, but my question is:

What could a malicious user possibly do to my application by putting HTML fields within a form field? Is there a vulnerability I should know about in ASP.NET, or would bad coding on my part really be the only thing I need to worry about if ValidateRequest="false"?

The main issue is Cross Site Scripting. If your site takes input from the
user and then displays it back to the user without first validating it, you
could potentially allow a bad guy to use your site, which is trusted by
your users, to steal their cookies or other data.

The built-in request validation stuff in 1.1 tries to keep you from shooting
yourself in the foot by not allowing you to accidentally do this. If you
are careful, it is safe to turn the behavior off, but you need to make sure
you thoroughly validate all input before returning it to the browser.

Add validateRequest="false" to your Page directive, e.g.:

<%@ Page validateRequest="false" %>

Or you can add the following to the system.web section of your web.config:

<pages validateRequest="false" />
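
The following is an added example, not code from the original post: it shows what "validate all input before returning it to the browser" can look like for a field accepted with validateRequest="false", with the unsafe echo beside an encode-then-allow-list version. The class name, the allowed tags and the sample inputs are assumptions made for the illustration; it uses System.Net.WebUtility.HtmlEncode so that it runs as a console program, and inside a page Server.HtmlEncode does the same job.

```csharp
using System;
using System.Net;

static class CommentRenderer
{
    // Tags the application chooses to permit (assumption for this example).
    static readonly string[] AllowedTags = { "b", "i" };

    // Vulnerable pattern: user input is written into the page unchanged.
    public static string RenderUnsafe(string input)
    {
        return "<div class=\"comment\">" + input + "</div>";
    }

    // Hardened pattern: encode everything, then restore only the exact,
    // attribute-free forms of the allowed tags.
    public static string RenderSafe(string input)
    {
        string encoded = WebUtility.HtmlEncode(input ?? string.Empty);
        foreach (string tag in AllowedTags)
        {
            encoded = encoded.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                             .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return "<div class=\"comment\">" + encoded + "</div>";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample inputs: allowed markup, script, a tag with an
        // event-handler attribute, and plain text containing < and >.
        string[] samples =
        {
            "Use <b>bold</b> for emphasis",
            "<script>alert(document.cookie)</script>",
            "<b onmouseover=\"alert(1)\">hover</b>",
            "a < b && c > d"
        };
        foreach (string s in samples)
        {
            Console.WriteLine("input : " + s);
            Console.WriteLine("unsafe: " + CommentRenderer.RenderUnsafe(s));
            Console.WriteLine("safe  : " + CommentRenderer.RenderSafe(s) + "\n");
        }
    }
}
```

Only the first sample keeps live markup in the safe output; the script tag and the tag carrying an attribute stay encoded and display as text.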

Monday, February 9, 2009

Auto Refresh a Page in a application with a given Interval

Add the HTTP-Equiv="Refresh" attribute to a Meta tag on the page. Set the interval value in the content attribute, and in its URL part give the name of the page to load. A sample is shown below. Place it in the Head tag of the page.

<META HTTP-Equiv="Refresh" CONTENT="Time in Seconds Goes Here; URL=SamplePage.aspx">

The biggest problem with the "refresh" meta-tag method of page refresh is that it can add to the visitor's page history on various versions of browsers. This means that for each automatic page refresh/reload your site visitor must select the browser's back button. This can be a considerable bother to your visitors, as well as a source of confusion.

The preferred refresh method is "JavaScript Refresh"




Saturday, February 7, 2009

Getting User IP address for a Web Site.

To get the IP address of a user visiting a hosted website:

HttpContext.Current.Request.UserHostAddress.ToString()

The same code can also be written as:

string VisitorIPAddress = Request.UserHostAddress.ToString();

Or, you can use REMOTE_ADDR from ServerVariables collection, with code snippet like this:

string VisitorIPAddress = Request.ServerVariables["REMOTE_ADDR"];

Thursday, February 5, 2009

Serial Number for Rows in Grid View with Paging.

In Grid View if we need Serial Number for Rows with Paging capability, then use the following ItemTemplate in a TemplateField.

Wednesday, February 4, 2009

Differences between IIS 5.1 and 6.0

There are literally a bunch of changes in IIS 6 compared to IIS 5.1. Let's give an overview:
1. Better security: IIS is not installed by default and after installation of IIS it comes locked down on the machine.
2. Application pools: new application model to load applications in a sandbox under a certain security context which is configurable by the administrator (so you can elevate privileges of a certain app without affecting others). App pools also have a recycling mechanism and replace large parts of machine.config configuration concerning the execution of the web app.
3. Smoother "integration" of ASP.NET (no separate installation, comes right out of the box, but needs to be enabled).
4. Editable metabase in XML.
5. No limits on the number of concurrent connections (which is the case in IIS 5.1).

So, for the hosting infrastructure the decision should be IIS 6 instead of IIS 5 (and of course instead of IIS 5.1, which is not meant to be used in hosting environments at all). However, if you want to run W2K3 on the development desktops, consider using a Virtual PC to run W2K3 in, under Windows XP (actually I'm not following this recommendation myself and I run W2K3 as the primary OS on my laptop). Be aware that W2K3 has less support for laptop-related things (such as Bluetooth, Wireless LAN with WPA, etc.). Also, the advantages of XP SP2 are not in W2K3 yet (they will come in W2K3 SP1, which is now in RC1 phase).

For the differences between IIS 6 and IIS 7, please refer to the link given below.
I could also write about them from my own thoughts, but I won't, because he explained the main differences very clearly and I definitely can't reach his level, so please look into it.
URL: http://www.iisworkstation.com/2008/09/iis-6-and-iis-7-how-different-are-they.html