I've got an ASP.net webpage that allows the user to change their password. Currently, when a user creates a new password in the form field that ends with the "# sign" it throws the server error stating that a potentially dangerous request.form value was detected from the client. I did some research and found that it's because it thinks it's a MySQL comment that is trying to ignore all code after the "# sign." For example, a user can enter a password such as ABC#& but not ABC&#.
Is there anything I can put in my code on my asp.net page, such as in the header line, etc. to prevent the server from thinking this is a SQL injection? All SQL in my code behind uses parameters so I am not worried about SQL injections at the moment. I just want every user to be able to have any combination of characters possible in their passwords. Thanks for any insight!
Check out this article from Microsoft if this is something you really want to achieve: https://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx
The article mentions you may have to modify your web.config to include the following settings:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
and
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
Or for an individual page:
<# Page validateRequest="false" %>
Note that these configurations may vary depending on the type of .Net project you are working on. The article I mentioned has more information. I strictly referenced that source.
Related
I am trying to index tables from our MySQL database on the Solr version that came with our ACF 2016 installation. Adobe's docs state that I need to use Solr's Data Import Handler to do this, which they say entails modifying solrconfig.xml and creating a data-config.xml file.
This does not work as is. Further reading leads me to believe that I need to:
Download a solr-dataimporthandler.jar
Copy ColdFusion's MySQL connector so that Solr can use it
Edit solrconfig.xml to account for these changes
Create a data-config.xml
Am I correct so far? Because I've been trying that, and when I try to reload my collection, the CF administrator gives me an error "Error handling 'reload' action." The Solr admin itself says:
org.apache.solr.common.SolrException:org.apache.solr.common.SolrException: Error loading class 'org.apache.solr.handler.dataimport.DataImportHandler'.
I don't know much about this, but it sounds to me like Solr cannot load one or both of the two jar files I added. If this is the case, then:
What solrconfig.xml should I be editing? I've been working on the one in the specific collection I've set up to index our database to.
Do I need both of those jars? Where should I put them? I have tried them in C:\ColdFusion2016\cfusion\jetty\lib and in a custom lib I set up at C:\ColdFusion2016\cfusion\jetty\multicore\lib.
Some sources (not Adobe) say I need to add lib directives to solrconfig.xml, while others say that any jars in a lib in Solr's "root" directory will automatically get added. I've tried both ways, and get the errors described above.
Still other sources say I need to add them to my classpath. I am hesitant to do this on our server if we do not need to.
I know this question is all over the place, but I have gotten myself quite confused and I would really appreciate any help or pushes in the right direction. My hope is that I am just making some dumb mistakes somewhere, because I don't think it should be this complicated!
Note that Solr itself is running fine and some collections I have set up that index directories of PDFs are working, no troubles. None of the solrconfig.xml files in the other collections have any request handlers or libs referring to data import handlers.
Thanks in advance! I appreciate your reading all of this! :-)
Okay so I finally got it working. As suspected, the root issue was Solr not locating the MySQL connector and data import handler jars. For the benefit of any others who might stumble across this, here is what I did. We are using Adobe ColdFusion 2016 and Solr 5.2.1 that shipped with ACF.
You do need the MySQL connector and data import handler jars. I used a version-matched data import handler called solr-dataimporthandler-5.2.1.jar and I downloaded it from here. Make sure you select the jar file in the "files" section to start the download. For the MySQL connector, I just copied the one that came from ColdFusion. Mine was called mysql-connector-java-5.1.38-bin.jar, and for my CF install, it was located at C:\ColdFusion2016\cfusion\lib.
I learned that Solr will automatically look for jars if they are in a particular place. No need for lib directives or any file editing. For me, I created a folder called "lib" in my Solr instance which is at C:\ColdFusion2016\cfusion\jetty\multicore and I put the jars in there. So the full path to the new jars is C:\ColdFusion2016\cfusion\jetty\multicore\lib, but you do not need to edit any file to account for that.
You do need to edit solrconfig.xml to account for the data import handler. For me, the only way I could get this to work was to edit solrconfig.xml for each collection. Editing any of the various other versions would not work. So for my collection called "dmfile," which I had previously created in the CF Admin, the solrconfig.xml to edit was at C:\ColdFusion2016\cfusion\jetty\multicore\collections\vfs_dmfile\conf. I added the following to the file in the section where the other request handlers were:
<requestHandler name="/dataimport" class="org.apache.solr.handler.dataimport.DataImportHandler">
<lst name="defaults">
<str name="config">data-config.xml</str>
</lst>
</requestHandler>
That's all I needed to do for solrconfig.xml.
In that same directory, create a data-config.xml file. Here's mine:
<dataSource type="JdbcDataSource"
driver="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/myDatabase"
user="myUsername"
password="myPassword"/>\
<document>
<entity name="dmfile" query="SELECT filename, ObjectID from dmfile WHERE status = 'approved'">
<field column="filename" name="filename" />
<field column="ObjectID" name="uid" />
<field column="status" name="dmfile_status" />
</entity>
</document>
To get started, I tried to keep things simple. Note how the entity name matches the name of the collection. I matched the unique ID from our database table (ObjectID) to the standard unique ID field that Solr has (uid). "Column" is the column from our database and "name" is whatever name I want Solr to use. Your database of course will likely be different.
Finally I edited schema.xml, also in the same directory:
<field name="filename" type="string" indexed="true" stored="true" required="false" />
<field name="dmfile_status" type="string" indexed="true" stored="true" required="false" />
The "name" attribute needs to match whatever you set in data-config.xml. Note that I did not add a field for uid -- it was already in schema.xml by default.
I am on a Windows server, so I went to services.msc and restarted the ColdFusion 2016 Add-On Services service. NOTE: restarting ColdFusion itself did not work for me. I needed to restart ColdFusion 2016 Add-On Services, and only that.
Finally I could reload my collection, and (more importantly) I could browse the core in the Solr admin at http://localhost:8989/solr/#/. I could select my dmfile core in the "Core Selector" dropdown, and was able to choose the DataImportHandler without getting an error.
That is how I got it to work for me. I found that I needed to repeat steps 3-6 for every core that I wished to connect to MySQL. Some documentation states that you can do at least Step 3 at a global level, but that did not work for me at all.
Anyways, it took me quite a while to figure all of that out, so hopefully this will help any other CFers out there who were stuck like I was.
Hi,
I have an issue on NLB production environment where two application servers are configured. Both have a virtual directory of ReportViewer that renders SSRS reports in an iframe using an .aspx page.
After the "ASP.NET session has expired or could not be found" error, i changed the sessionState mode=SQLServer with custom database, still the error is there. I can see session entries in the DB table as well.
What else could be missing?
-I have read somewhere that having an _ (underscore) in domain name can cause this. I have checked the URLs, there is an underscore in querystring parameter but not the domain name itself, and the querystring is auto-generated by ReporViewer ScriptResource.axd itself.
-KeepSessionAlive is also true & AsyncRendering is also true, checked these in both states, issue did not get resolved.
-cookieless is set to "false"
-ReportViewer version is following :
<add assembly="Microsoft.ReportViewer.WebForms, Version=10.0.0.0, Culture=neutral, PublicKeyToken=xx" />
<add assembly="Microsoft.ReportViewer.Common, Version=10.0.0.0, Culture=neutral, PublicKeyToken=xx" />
Any help to point me in the right direction would be appreciated. Thanks :)
The main thing you need to think about in an NLB scenario with SSRS is ViewState. If a user is hitting a load balanced URL, their traffic could go to any of the SSRS servers in the load balancer pool. You need to set up the same machinekey on all SSRS servers to allow their session to be picked up by any of the servers.
I wrote about all the required steps in the below SQLShack post. As long as SSRS is setup like this, the front end doesn't know/care beyond the fact you are giving it a (load balanced) URL to hit. Hope that helps!
https://www.sqlshack.com/scaling-out-reporting-services-changes-in-sql-server-2016/
I have a report with a list of customers passed in as a parameter. This list has become quite large and found it hit the limit imposed by MaxHttpCollectionKeys. I've found this documented in several posts, but I now have a more specific issue.
I have set this a lot higher in the SSRS web.config file which has solved the problem when I access the report via the report manager (ServerName/Reports). However this doesn't solve the problem when I render via the report server (ServerName/ReportServer).
I do need to access these reports via the report server as we pass some hidden parameters through from our App, as well as having some user selectable parameters. Searching for the solution only gives me posts related to the original solution which I've found.
Does anyone else have any ideas on solutions for this.
Many thanks.
Ok found solution.
I didn't realise there are two web.config files. One for the manager, one for the server. These both needed to have the mod made. Needed to add the following code to the web.config file in
C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer
Between the < system.web > and < runtime > tags.
<appSettings>
<add key="aspnet:MaxHttpCollectionKeys" value="20000" />
</appSettings>
So, appSettings can be set in app.config, web.config, machine,config... But, when you work under IIS 7 you can also have appSettings being applied under applicationHost.config with a specific carve out for your site. So, what's a consistent way for me to know what AppSettings I should be using???
System.Configuration.ConfigurationManager is fine if this is a client profile.
System.Web.Configuration.WebConfigurationManager if this is a web-app ... well, maybe.
Microsoft.Web.Administration if I expect values in applicationHosting.config - ouch ... and even then they don't roll-up hierarchically so it seems that you're left holding that process.
Does anyone have a consistent approach to processing AppSettings that accounts for applicationHost.config?
You can't actually specify <appSettings> in your applicationHost.config file. This is because applicationHost.config defines settings specific to IIS only. You can review the applicationHost.config schema to confirm this:
%systemroot%\System32\inetsrv\config\schema\IIS_schema.xml
If you try to edit applicationHost.config and add an <appSetting> section to a site or under a <location path="..."> section you will get an error (IIS may not start and IIS MMC console will display a configuration error).
If you configure a global application setting in IIS manager this actually gets configured in the master web.config file that matches the default .NET Framework version setting in IIS.
<appSettings/> is specific to the .NET Framework and can only be configured in:
%SYSTEMROOT%\Microsoft.NET\Framework\[framework version]\CONFIG\machine.config
%SYSTEMROOT%\Microsoft.NET\Framework\[framework version]\CONFIG\web.config
%SYSTEMROOT%\Microsoft.NET\Framework64\[framework version]\CONFIG\machine.config
%SYSTEMROOT%\Microsoft.NET\Framework64\[framework version]\CONFIG\web.config
and of course your application's app.config or web.config files.
My advice would be to keep these settings local to your application unless there is the rare occasion where you need some value to be available globally.
Update:
Now that I understand your problem - you have multiple IIS sites which all point to the same physical folder - there is a way to approach this.
You could have a configuration table in your database that has a primary key of whatever the HTTP_HOST value is. This maps to a prefix, for example:
Host SitePrefix
==== ======
domain1.com D001
domain2.com D002
In your web.config:
In your application's Application_Start event in Global.asax.cs initialise an application wide value:
void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
string httpHost = HttpContext.Current.Request.ServerVariables["HTTP_HOST"];
Application["SitePrefix"] = GetSiteKeyFromDb(httpHost);
}
This value will be available across the whole application but unique to the site.
When you need to read a setting that is specific to the site:
string siteSetting = ConfigurationManager.AppSettings[
HttpContext.Current.Application["SitePrefix"] + "_Setting1"
];
But if you're hitting the database in Application_Start then it may actually be expedient to store all these site specific settings in the database then read and cache them in Application instead of using <appSettings />.
I used the information provided by Anti-Santa's answer to accomplish this but I didn't want to parse the URL and have another database to look up information. The same codebase is used on-premise and I wouldn't have those pieces in that scenario.
Just add the appSettings to the .NET Framework web.config with a location node.
In %SYSTEMROOT%\Microsoft.NET\Framework64\[framework version]\Config\web.config, add the following where Site1 and Site2 are my two applications pointing to the same physical directory:
<?xml version="1.0" encoding="utf-8"?>
<!-- the root web configuration file -->
<configuration>
<!-- App settings for the different applications -->
<location path="Default Web Site/Site1">
<appSettings>
<add key="ConnectionString" value="the cnn str"/>
</appSettings>
</location>
<location path="Default Web Site/Site2">
<appSettings>
<add key="ConnectionString" value="the cnn str"/>
</appSettings>
</location>
...
</configuration>
The web.config in the physical folder will override this appSetting so I also needed to remove it from that file.
I'm having a strange issue with my project. It was a Web Site that is now converted to a Web Application that is in a solution. Initially classes were setup using Linq to Sql .dbml file, which stored its connection string in /MyProject/web.config. Now the project ('Web Application') is in a solution and when I modify the Linq to Sql dbml file it creates a web.config file with only its connection string one level above, in /MySolution/web.config, while I still have /MySolution/MyProject/web.config. That gives errors with duplicate connection string names. So, how can I have Linq to Sql just use the web.config file in /MySolution/MyProject/web.config, or is my entire web.config file supposed to be in MySolution/web.config (I would prefer to keep it where it is) Thanks!
PS: the datacontext is in /MySolution/MyProject/MyCode/Models/MyDataContext.dbml
It appears as though updating the dbml will always force only the root web.config to be updated. It will likely be easiest to maintain your project if you do only use that root web.config, but you do have another option.
Each folder can have its own config, which is why you're getting the duplicate name exception. If you want to get around this, you can first remove then add a connection string with the same name. If you do this, your connectionStrings block (within /MySolution/MyProject/web.config) will look similar to the following:
<connectionStrings>
<remove name="MyConnectionString"/>
<add name="MyConnectionString" connectionString="XXXXXXXXXX"
providerName="System.Data.SqlClient" />
</connectionStrings>
Like I said, I can't really recommend that you do this, as your dbml will still save to the root web.config, so it might not be easy for other developers to realize what is going on.