I am testing a web application which is an attendance submitting page. The functionality is that if two users happen to update same student attendance we shall display a warning of the change with the latest change.
For this Developers have implemented some logic like they will save the value that we enter in text box which are not yet saved in view state.They will be comparing values of view state, current data and database data and display the latest change.
As part of testing, I would like to know is there anyway so that I can modify/hack the data that developer store in view state.
You cannot do that using javascript, You can access the Hidden field "__ViewState" through JavaScript but it is all encrypted. You can only see the encrypted values.
Even if you change it through javascript, server side it will check if the data is tampered.
You can decrypt and see viewstate using below code. For this to work the ViewState must be set as not encrypted More Info
string str = System.Text.Encoding.ASCII.GetString(Convert.FromBase64String(txtViewState.Text));
But tampering viewstate is not quite possible since EnableViewStateMac property is true by default in ASP.NET
More Info
Related
Im making an Xpages application which needs to have server-side validation.
In my form, when a field is cleared and the form submitted - if there is another field which causes the validation to fail - it will be repopulated with the last successfully saved value in the document.
This is not what should happen. The field should stay blank until the page is either refreshed, or the user enters another value.
Does anyone have any idea about what is causing this to happen?
Thanks,
Paul
This depends on your execId and refreshId.
For what happens during partial refresh, read these blog posts, particularly part three http://www.intec.co.uk/tag/partial-refresh/.
If validation (or conversion) fails server-side, the server-side map of the XPage is not updated because the data is not deemed complete enough for server-side processing.
So the partial refresh skips to Render Response, which posts back what HTML should be displayed to the page. That includes values in fields - you're replacing HTML, so it has to.
If you're save button is refreshing the form area, you'll be replacing the HTML there, so overwriting the values entered by the user with the last valid values.
The recommended approach will depend on your page architecture and what you're saving. One is to move validation to the save() function, by which time the values will have been updated in the DominoDocument (the front-end wrapper for the Document on the server). Another is to only refresh the validation area and, if validation was successful, call context.reloadPage() or context.redirectToPage() to effectively skip the partial refresh.
Thanks for the help. As far as I can tell, it was simply due to the way the default converter included with xpages handles the object and/or string. Writing a java custom converter sorted everything out.
I have searched for current solutions, but can't find a set of guidelines or examples as to how to achieve the following:
The original requirements involved models with required fields, so we included annotations to those fields. As usual, there is a last-minute change and we are being asked to allow the users to save drafts. These drafts must allow the user to save the forms without any of the required fields.
I would like to know what the best practices for this problem are.
Solutions I am considering, but I accept they might be a hack (and that's why I am asking the experts)
If the user clicks "Save as Draft" I can capture the fields that have information in another ActionResult and run basic validation on those fields. Since there is a chance that required fields are missing, I am thinking in storing the captured info in a temporal model (without any required annotations). If the user decides to edit such form, I can populate fields in the view with the temp. model until the user clicks on "Submit"
Another option is to remove all required annotations and run client-side validations... but am wondering on the amount of work required to do so.
Any thoughts are very much appreciated.
Just have 2 save methods. 1 which is called from the autosave and 1 that is used to submit the process. In the autosave method do not check if(ModelState.IsValid).
Whether you choose to save the incomplete objects to the same table or a different table is your choice. In a relational world I would likely use a separate table, in a non-relational world I would use a singular object collection.
This will allow you to keep the same set of original models. There is a very high cost to duplicating your models, there are certainly times that warrants pass by value/copy but make sure the cost of mapping is there. In this situtation I do not believe there is value in mapping, except perhaps at the persistence level if you need to map to a different object because of an ORM's constraints.
There is deep value in these partial forms. Recording this on the server will allow you to apply analytics to learn why your users abandon your processes. It also gives you the ability to follow up on users who leave incomplete forms such as sending a reminder (nag) email.
You don't want to save anything to your database until it is complete. Having a duplicate table where everything is nullable is cludgy as hell. Before HTML5, the typical path was to save the information to the session, which you could then pull from to refill the fields, but that's requires having a session with a relatively high expiry to be useful.
Thankfully, HTML5 has local storage, which is really the best way to handle this now. You just watch for onchange events on your fields and then insert that value into local storage. If the user submits the form successfully, you destroy the local storage values. Otherwise, you attempt to read those values from local storage when the page loads and refill the fields.
See: http://diveintohtml5.info/storage.html
There's pretty broad support, so unless you need to worry about IE6 or IE7, you won't have any issues.
Another option (depending on your data obviously) would be to comply with the database but not the model. By this I mean ignore Model.isValid and disable Javascript validation on the front end but then satisfy the database table. In a form, you mostly have:
textboxes - default to "" or " "
checkboxes - easy true/false default
radio buttons - one is probably already selected
dates - default to DateTime.MinValue (or DateTimeUTC)
enums - default to 0 (usually for 'unspecified')
Hopefully you are also saving a flag designating that it is in Draft state so that you know you need to interpret the 'null codes' you have set when it comes to displaying the semi-populated form again.
for hidden field tampering protection: Id, RowVersion, I use a version of Adam Tuliper AntiModelInjection.
I'm currently investigating a way to prevent tampering of valid options found in select lists/drop downs. Consider a multitenant shared database solution where fk isn't safe enough and options are dynamic filtered in cascading dropdowns.
In the old days of ASP.NET webforms, there was viewstate that added tampering prevention for free. How is select list tampering prevention accomplished in ajax era? Is there a general solution by comparing hashes rather than re-fetching option values from database and comparing manually?
Is ViewState relevant in ASP.NET MVC?
If you can, the single solution here is to filter by the current user ids permission to that data, and then those permissions are validated once again on the save.
If this isn't possible (and there are multiple ways server side to accomplish this via things like a CustomerId fk in your records, to adding to a temporary security cache on the server side, etc) , then a client side value can provide an additional option.
If a client side option is provided like was done with Web Forms, then consider encrypting based on their
a.) User id plus another key
b.) SessionId (session must be established ahead of time though or session ids can change per request until session is established by a value stored in the session object.
c.) Some other distinct value
HTTPS is extremely important here so these values aren't sniffed. In addition ideally you want to make them unique per page. That could be the second key in A above. Why? We don't want an attacker to figure out a way to create new records elsewhere in your web app and be able to figure out what the hashes or encrypted values are for 1,2,3,4,5,6,etc and create essentially a rainbow table of values to fake.
Leblanc, in my experience, client side validation has been used mostly for user convenience. Not having to POST, to only then find out that something is wrong.
Final validation needs to occurs in the server side, away from the ability to manipulate HTML. Common users will not go on to temper with select lists and drop downs. This is done by people trying to break your page or get illegal access to data. I guess my point is final security needs to exist in the server, instead of the client side.
I think a global solution could be created given a few assumptions. Before i build anything I'll like to propose an open solution to see if anyone can find flaws or potential problems.
Given all dropdowns retrieve their data remotely. - in an ajax era and with cascading boxes this is now more common. (We are using kendo dropdowns.)
public SelectList GetLocations(int dependantarg);
The SelectList will be returned back as json - but not before having newtonsoft serialization converter automatically inject: (done at global level)
EncryptedAndSigned property to the json. This property will contain a Serialized version of the full SelectList containing all valid values that is also encrypted.
EncryptedName property to the json. This property will have the controller actionname - For this example the EncryptedName value would be "GetLocations"
When the http post is made EncryptedName : EncryptedAndSigned must be sent in the post also. For this JSON POST example it would be:
{
Location_Id: 4,
GetLocations: 'EncryptedAndSigned value'
}
On the server side:
[ValidateOptionInjection("GetLocations","Location_Id")
public ActionResult Update(Case case)
{
//access case.Location_Id safety knowing that this was a valid option available to the user.
}
We currently design our solutions using a single form per entity. We have a current set of requirements where the 10 or so entities are similar in terms of functionality and data collection. Ideally we would like to have entity with 10 or so forms and dependent on a lookup value display the correct form on the click of a custom button.
I have previously worked with a supplier who implemented something like this displaying the correct form using the GUID (using the formid querystring parameter) on the load event using JavaScript. Although this worked 95% of the time, depending on the client machine it occassionally did not load the correct form due to timing issues i.e. the code had not properly executed by the time the form loaded.
Is there a best practice for using this kind of technique?
I guess my other options are
1) multiple entities
2) one form with tabs/sections that i show/hide on the form load
I am leaning towards implementing option 2)
Richard
The multiple forms inside of CRM 2011 is only for different roles. It is not designed to handle switching between forms based on entity attributes.
Granted what you are trying to do is possible, but you will encounter
issues and will need JavaScript to switch the user to the right form
type. You'll also cause the user to load the form twice each time (kind of ugly)
Another option is to use JavaScript to show/hide the proper elements
on the form (similar to 4.0)
Or you can just use multiple entities with a common JS file for any
kind of logic.
depending upon any field value you can switch the forms through JavaScript.
In JavaScript redirect page to url:
[serverurl]/main.aspx?etn=[entityname]&extraqs=etc%3d[entitytypecode]%26formid%3d[formguid]%26id%3d%257b[recordguid]%257d&pagetype=entityrecord
Where
entityname = entity name (e.g. incident),
entitytypecode=entity type code (e.g for incident it is 112),
formguid=guid of the form to which you want to redirect,
recordguid = guid of the record. If you skip id parameter, form will open in create mode.
I'm new to the Zend Framework and I have a problem to create an edit form with the Zend_Form.
My problem is that I need to store the entry ID during editing, I've seen some examples that are using a hidden form field, but a hidden field can be manipulated by a user.
So: how can I set a form field which gets populated by $form->populate($data); and is available after submiting the request but is not editabel/visible to the user in any way?
Thanks for any help!
I'm not sure if there's really a point in trying to hide the value.
Consider the following:
To display the correct editor form, you need the ID of the object that is to be edited.
Before allowing the user to edit a certain ID, you would check if the user can edit it or not.
Thus, if you put the ID in the form, it shouldn't really matter:
When you POST the edit form, you should again check that the user can still edit the ID.
If the user changes the hidden ID, it doesn't really matter. They could still go and edit the other ID by finding it on the site. (This is assuming your check didn't tell you the user does not have access)
what kind of data you wanna hide?
data should be in post or get.if you dont put your data in your form,then you will have to use GET which is less secure than POST.
If you have some data and you dont want the user to see those data,then you should not put those data in a form.you can store and retrieve hidden data using forms submitted values.lets suppose your hidden field is users password.you dont need to send password back to the client when client is editing the form.you can manipulate password in your controller according to the user`s submitted first name and last name.
If you still insist, you may wanna try encrypting data using ZF and echo ing your value and setting encrypted data into a hidden form element.
Zend_Form generates an HTML form element with the form elements you specify. So its element capabilities are narrowed to a simple HTML form.
The hidden form element is used to pass those data that the user is not supposed to enter by hand. But as you yourself said it, there is no guaranty it could not be tampered. so no security is provided by using a hidden form value.
Most of times you'd better use server side values (like stored in sessions) to reference to values that are to be protected from user.
I suggest you keep the ID in a session value, and then you could use the session key in the hidden form field. this way the user can not change the target ID. However you are not able to use the $form->populate($values) on this in one step. you would have to set the target value with other steps:
fetch data from the session
set the form element value with the fetched data