This is an odd (to me anyway) query string problem.
I'm using a installation tool that has web serial number validation. Basically the install passes a users email and serial number to a web page (or a controller method for MVC) and that takes the query string arguments and does magic to validate the installation.
One of the arguments is the email address passed in the query string.
I recently has a user who used ‘+’ email addressing to purchase a subscription. All worked well until he went to install the product and had to get past the validation screen.
After doing some digging I found that instead of receiving
‘joe+foo#gmail.com’
The validation code receives
‘joe foo#gmail.com’
Of course the space ruins the validation attempt as his email address is now wrong.
I've spoken with the install tool company (Advanced Installer, best install tool on the planet) and they claim (and I believe them) that the email is sent correctly.
So that leaves me at how do I get the asp.net mvc querystring parser do to the right thing for that particular argument and pass the string with the '+' to the contoller method ?
It's asp.net mvc 5 if it matters.
Thanks for any help you can spare.
UPDATE
The problem is with the sending, not the reception. the plus sign ends up unencoded so it translate to a space= when it get handled by the query string parser.
So what I am looking for is a way to customize the query string parser for that particular URL (and only that URL).
The shortcut to a fix is to replace spaces with a plus sign in the email arg. Simple, but I hate that kind of hackery in my code I;d prefer to have it use a customized parser to that if I need it else where I can just plug it in any way it goes.
You can customize just about everything else in asp.net mvc so I was wondering if there was a way to do the query string pasring in some custom fashion.
Assuming you are calling the URL from javascript, instead of doing this:
url += "?email=" + email;
Encode the value like this:
url += "?email=" + encodeURIComponent(email);
If you are calling the URL from the server, then:
string encodedEmail = Server.UrlEncode(email);
UPDATE
If you can't change where the URL is getting called, then you don't have any other option than:
HttpUtility.UrlEncode(Request.QueryString["email"]);
or:
email = email.Replace(' ', '+');
It looks like I'm going to have to go with my hack solution of swapping space for a plus sign in that particular query string parameter. Not the ideal solution in my way of thinking, but it will do the trick.
Related
This is a question that has been asked before, but I've not found the information I'm looking for or maybe I'm just missing the point so please bear with me. I can always adjust my question if I'm asking it the wrong way.
If for example, I have a POST endpoint that use a simply DTO object with 2 properties (i.e. companyRequestDto) and contains a script tag in one of its properties. When I call my endpoint from Postman I use the following:
{
"company": "My Company<script>alert(1);</script>",
"description": "This is a description"
}
When it is received by the action in my endpoint,
public void Post(CompanyRequestDto companyRequestDto)
my DTO object will automatically be set and its properties will be set to:
companyDto.Company = "My Brand<script>alert(1);</script>";
companyDto.Description = "This is a description";
I clearly don't want this information to be stored in our database as is, nor do I want it stored as an escaped string as displayed above.
1) Request: So my first question is how do I throw an error if the DTO posted contains some invalid content such as the tag?
I've looked at Microsoft AntiXss but I don't understand how to handle this as the data provided in the properties of a DTO object is not an html string but just a string, so What I am missing here as I don't understand how this is helping sanitizing or validating the passed data.
When I call
var test = AntiXss.AntiXssEncoder.HtmlEncode(companyRequestDto.Company, true);
It returns an encoded string, but then what??
Is there a way to remove disallowed keywords or just simply throw an error?
2) Response: Assuming 1) was not implemented or didn't work properly and it ended up being stored in our database, am I suppose to return encoded data as a json string, so instead of returning:
"My company"
Am I suppose to return:
"My Company<script>alert(1)</script>"
Is the browser (or whatever app) just supposed to display as below then?:
"My Company<script>alert(1)</script>"
3) Code: Assuming there is a way to sanitize or throw an error, should I use this at the property level using attribute on all the properties of my various DTO objects or is there a way to apply this at the class level using an attribute that will validate and/or sanitize all string properties of a DTO object for example?
I found interesting articles but none really answering my problems or I'm having other problems with some of the answers:
asp.net mvc What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?
Stopping XSS when using WebAPI (currently looking into this one but don't see how example is solving problem as property is always failing whether I use the script tag or not)
how to sanitize input data in web api using anti xss attack (also looking at this one but having a problem calling ReadFromStreamAsync from my project at work. Might be down to some of the settings in my web.config but haven't figured out why but it always seems to return an empty string)
Thanks.
UPDATE 1:
I've just finished going through the answer from Stopping XSS when using WebAPI
This is probably the closest one to what I am looking for. Except I don't want to encode the data, as I don't want to store it in my database, so I'll see if I can figure out how to throw an error but I'm not sure what the condition will be. Maybe I should just look for characters such as <, >, ; , etc... as these will not likely be used in any of our fields.
You need to consider where your data will be used when you think about encoding, so that data with in it is only a problem if it's rendered as HTML so if you are going to display data that has been provided by users anywhere, it's probably at the point you are going to display it that you would want to html encode it for display (you want to avoid repeatedly html encoding the same string when saving it for example).
Again, it depends what the response is going to be used for... you probably want to html encode it at the point it's going to be displayed... remember if you are encoding something in the response it may not match whats in data so if the calling code could do something like call your API to search for a company with that name that could cause problems. If the browser does display the html encoded version it might look ugly but it's better than users being compromised by XSS attacks.
It's quite difficult to sanitize text for things like tags if you allow most characters for normal use. It's easier if you can whitelist characters allowed and only allow, say, alphanumeric but that isn't often possible. This can be done using a regex validation attribute on the DTO object. The best approach I think is to encode values for display if you can't stop certain characters. It's really difficult to try to allow all characters but avoid things like as people can start using ascii characters etc.
I have an Android app and I'm attempting to use PHP/MySQL.
I'm having a lot of trouble getting my results from PHP accessible in C#/Android.
This is my PHP so far:
$sql = "SELECT Name FROM Employees WHERE Password='$password'";
if(!$result = $mysqli->query($sql)) {
echo "Sorry, the query was unsuccessful";
}
while($employee = $result->fetch_assoc()) {
$jsonResult = json_encode($employee);
$employee->close();
}
I've left out the basic connection code as I have all that up and running. Here is my C#:
private void OnLoginButtonClick()
{
var mClient = new WebClient();
mClient.DownloadDataAsync(new Uri("https://127.0.0.1/JMapp/Login.php?password=" + _passwordEditText.Text));
}
As you can see I really am at a very basic stage. I've installed Newtonsoft so I'm ready to deal with the Json that is coming back, however I have a few questions.
I'm well aware of SQL injection, and the way that my variable (password) is passed to the PHP concerns me. Is there a safer way of doing this?
Secondly, I am now unsure of how to get the 'Employees' that match the MySQL command in PHP back into C#. How am I able to access the object that is passed back from PHP?
Leaving aside other aspects of the code in the question, I sugest some reading on sanitizing and escaping user data.
For this specific case of a password see #Jay Blanchard comments. For other input you would not trasform upon input, the idea is to sanitize it as soon as you receive it.
This is to make sure you receive what you were expecting. In the case of a String, trim() the text, match it against a regex of allowed characters. If you allow html tags or not you can match it against a white list of them. Max length.
Then you would validate it. This is that it makes sense and meets the business requirements.
At the time of storing it in the database you can avoid sqlinjection by using prepared statements. By doing this it is clear what is text to be stored and what is sql instructions.
At the time of using the data, you will escape it accoring to where it is going to be used, for example, if it is html content you escape it for html content, if it is an html attribute, or an URL parameter, you do the escaping accordingly for each case. (Wordpress has a nice suite of functions that do this)
Also don't send passwords as URL parameters. Use a form instead with method POST. Urls are seen in the Browser's address widget. And they also get copy pasted in emails, facebook, etc
I'm making an ecommerce application and I want the user to be able to put content at a URL they have specified. IF a user were to put in something like "/thank-you!", how can I clean the string to either be a valid URL or check this is valid URL format? I would want the url to basically always be hyphened between words so like "/thank-you" from "/thankyou". What's the best approach for achieving such a thing. I'm within c# using .NET MVC 4.
Alas, I cannot comment 'possible duplicate' yet (How to check whether a string is a valid HTTP URL?).
As this must be an answer however, one way to validate a string URL would be using the URI.TryCreate functioanlity. See here also https://msdn.microsoft.com/en-us/library/system.uri.trycreate(v=vs.110).aspx
URI is also the preferred data type for URLs, rather than strings.
I need to implement a "Search" box on a C# MVC application that I'm writting.
I've never had to implement a "Search" box before and I've been looking for some best practices and I'm not quite finding what I'm looking for.
I really like how the search works on stackoverflow.
If I type in a few random words, it navigates to the url http://stackoverflow/search?q=few+random+words.
If I type in title:random, it navigates to the url https://stackoverflow.com/search?q=title%3Arandom
What is happening both on the client (when I hit the enter key) and on the server to make the search happen?
I've purposely left out any thoughts I've already had on what is happening because I don't want to bias the answers (or show my ignorance).
EDIT: I'm adding some specifics to this question.
Where and how are the search terms transformed into the querystring parameters? ie few random words transformed into few+random+words,title:random transformed into title%3Arandom
Where and how is few+random+words tranformed into variables used in a query?
Is the query just one big Where clause that keeps appending "and" for each item that lands between the + signs?
I guess you could parse through the strings and do some replaces to achieve 1 and 2 but it sure looks like there is something already available that would automatically convert (and revert) the search strings. I'm trying to be prepared for my user's typing ANYTHING in the search box.
These posts will help you in understanding how it works
https://blog.stackoverflow.com/2008/10/stack-overflow-search-now-51-less-crappy/
https://blog.stackoverflow.com/2009/07/stack-overflow-search-now-61-less-crappy/
https://blog.stackoverflow.com/2011/01/stack-overflow-search-now-81-less-crappy/
Those URL's use what is called a query string. It is a "GET" request that allows the client script (javascript) as well as the back end code retrieve the users "query". In a URL whenever you see a '?' it is the beginning of the query string. This allows somebody to be like:
http://google.com?q=Stuff%20to%20Search%20here
Multiple parameters can be added via &anothercommand=somethingelse
Thus allowing a program or script to invoke a search on google without having to type anything into the box.
You can get access to the query string using the C# "Request.QueryString["parameter"]" where in this case the parameter for those stack overflow URL's would be "q".
After that, you query your database and return the results. Since I'm not sure how good at coding you are, I am not sure if you're trying to ask for the Web site, or the C# SQL side. If I am wrong, apologies.
On the Client:
The way I imagine it is happening on the client is that the script on the textbox when the form is submitted redirects to the url you mentioned and adds in those query parameters into the url string. Don't forget to url encode. This is built into javascript. i.e. space ' ' becomes '%20'
When the form submits, the server code does a check to see if there are any query string parameters of the form "q". If there are, and it is not null, it would query the database, returning that in one of a few ways, most likely through a server control.
1) That is what URL encoding is. It is a list of characters that are not supported in a URL. Thus they need to be changed. There is a standard set such as %20 for space. In javascript, you would redirect to the results page with the query string you want. prior to redirecting, use the information here to encode it. i.e. change ' ' into + or %20 (it really should be %20, I find + is usually the internet explorer way.
)
2) Query string works like a hashtable of key pair values. Using the Request.QueryString, you can select the key "q" and receive the string "few random words". That would then get substituted into your SQL query. This is done on the C# side as a very first check to see if the parameter q exists.
3) you can do your query many different ways. However, searching for "and" etc will give you many different results. What you can do is parse out a list of common words, and then rank results based on the number of results of each word. i.e. in the most simplistic of searches which would be ill advised for LARGE databases "..... Where like '%word% or '%word2%' etc. To get each word, do a string.split.
As much as I hate to do it, I have to answer my own question. What I couldn't understand is how the search words where seemingly automatically transformed into querystring encoded parameters (ie all spaces where replaced with the + sign vs. being replace with %20). I didn't understand how that was being achieved and I like it so I wanted the same abilities.
In the end, what I should have done was copy the html from SO and tried it out on my own MVC site because it turns out that the encoding is built in/automatic. I didn't have to do anything to get the functionality.
Here is the basic HTML for the search box:
<form id="frmsearch" action="~/Catalog/Search" method="get">
<input id="q" name="q" value="#q" style="width:275px;"/>
<input id="submit" name="submit" type="submit" style="font-weight:bold;" value="Search" />
</form>
Now, if you type "few random words" in the text box named "q" and click the submit button, the form action automatically takes you to "~/Catalog/Search?q=few+random+words" without any additional coding.
Now for the best part, in the controller code, the "q" parameter is automatically available as "few random words" without any additional coding as well.
Example:
public ActionResult Search(string q)
{
//q = "few random words" (no need to remove '+' signs)
var model = GetSearchResults(q)
return View(model);
}
The only thing I haven't tested out it how it would handle scripting attacks but I think I'm going to get that for free as well. : )
Hope this helps anyone who stumbles across this answer. Thank you to everyone who submitted answers trying to help. I'm sorry if my question wasn't clear enough.
If I have a series of "pattern" Urls of the form:
http://{username}.sitename.com/
http://{username}.othersite.net/
http://mysite.com/{username}
and I have an actual Url of the form:
http://joesmith.sitename.com/
Is there any way that I can match a pattern Url and in turn use it to extract the username portion out the actual Url? I've thought of nasty ways to do it, but it just seems like there should be a more intuitive way to accomplish this.
ASP.NET MVC uses a similar approach to extract the various segments of the URL when it is building its routes. Given the example:
{controller}/{action}
So given the Url of the form, Home/Index, it knows that it is the Home controller calling the Index action method.
Not sure I understand this question correctly but you can just use a regular expression to match anything between 'http://' and the first dot.
A very simple regex will do:
':https?://([a-z0-9\.-]*[a-z0-9])\.sitename\.com'
This will allow any subdomain that only contains valid subdomain characters. Example of allowed subdomains:
joesmith.sitename.com
joe.smith.sitename.com
joe-smith.sitename.com
a-very-long-subdomain.sitename.com
As you can see, you might want to complicate the regex slightly. For instance, you could limit it to only allow a certain amount of characters in the subdomain.
It seems the the quickest and easiest solution is going off of Machine's answer.
var givenUri = "http://joesmith.sitename.com/";
var patternUri = "http://{username}.sitename.com/";
patternUri = patternUri.Replace("{username}", #"([a-z0-9\.-]*[a-z0-9]");
var result = Regex.Match(givenUri, patternUri, RegexOptions.IgnoreCase).Groups;
if(!String.IsNullOrEmpty(result[1].Value))
return result[1].Value;
Seems to work great.
Well, this "pattern URL" is a format you've made up, right? You basically you'll just need to process it.
If the format of it is:
anything inside "{ }" is a thing to capture, everything else must be as is
Then you'd just find the start/end index of those brackets, and match everything else. Then when you get to a place where one is, make sure you only look for chars such that they don't match whatever 'token' comes after the next ending '}'.
There are definitely different ways - ultimately though your server must be configured to handle (and possibly route) these different subdomain requests.
What I would do would be to answer all subdomain requests (except maybe some reserved words, like 'www', 'mail', etc.) on sitename.com with a single handler or page (I'm assuming ASP.NET here based on your C# tag).
I'd use the request path, which is easy enough to get, with some simple string parsing/regex routines (remove the 'http://', grab the first token up until '.' or '/' or '\', etc.) and then use that in a session, making sure to observe URL changes.
Alternately, you could map certain virtual paths to request urls ('joesmith.sitename.com' => 'sitename.com/index.aspx?username=joesmith') via IIS but that's kind of nasty too.
Hope this helps!