473,320 Members | 1,766 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

validateRequest

If put this into my Web.config. Shouldn't this turn off the ValiateRequest
app wide?

<configuration>

<system.web>

<pages buffer="true" validateRequest="false" />

I pass SQL around to pages, and sometimes, this causes the 'Cross Site
Attack' warning. I just want to turn it off comepltely.

I also tried just putting it in the page header, I still ghet the error. Am
I missing something else? I only get it on a new server I just setup, not
any of my others.

Ideas? Thanks, Dave


Nov 19 '05 #1
4 2123
Dave H wrote:
If put this into my Web.config. Shouldn't this turn off the
ValiateRequest app wide?

<configuration>

<system.web>

<pages buffer="true" validateRequest="false" />

I pass SQL around to pages, and sometimes, this causes the 'Cross Site
Attack' warning. I just want to turn it off comepltely.

I also tried just putting it in the page header, I still ghet the
error. Am I missing something else? I only get it on a new server I
just setup, not any of my others.

Ideas? Thanks, Dave

Ummmm - stop passing SQL around to pages?
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
Nov 19 '05 #2

I'm really wondering more, why this one server has this behavior, and others
don't.

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:OV****************@TK2MSFTNGP09.phx.gbl...
Dave H wrote:
If put this into my Web.config. Shouldn't this turn off the
ValiateRequest app wide?

<configuration>

<system.web>

<pages buffer="true" validateRequest="false" />

I pass SQL around to pages, and sometimes, this causes the 'Cross Site
Attack' warning. I just want to turn it off comepltely.

I also tried just putting it in the page header, I still ghet the
error. Am I missing something else? I only get it on a new server I
just setup, not any of my others.

Ideas? Thanks, Dave

Ummmm - stop passing SQL around to pages?
--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

Nov 19 '05 #3
Hi Dave,

Welcome here.
From your description, you're encountering some "Cross Site Attack"
exceptions when you've turned off the pages/@validateRequest setting in
web.config, yes?

As you mentioned that the problem occured sometimes, so this is a randomly
occurs behavior ,yes? If so, I'm wondering whether it is something else
which cause this problem. Have you tried put a simple aspx page with some
entry fields on this and use some SQL injections code to post that page to
see whether it will raise such error? (remain the valiationRequest turn
off..)
Also, is it possible that we isolate the problem to a particular page? If
possible, would you provide some detaild code description on that page so
that we can perform some tests on our side.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| NNTP-Posting-Date: Thu, 10 Nov 2005 22:52:17 -0600
| From: "Dave H" <Da***@noemail.nospam>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| References: <yO********************@comcast.com>
<OV**************@TK2MSFTNGP09.phx.gbl>
| Subject: Re: validateRequest
| Date: Thu, 10 Nov 2005 20:52:15 -0800
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1506
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
| Message-ID: <eY********************@comcast.com>
| Lines: 34
| NNTP-Posting-Host: 67.180.218.69
| X-Trace:
sv3-g4cR4RmDza6WKwOL6Lvbyv3bHAhbMvXwk8HxXHcmVysDeSoDNp Pr54iYxnjb6gptgWAIbn2T
gxG7oh0!O7MKn8SlJCbWOL7RqtNLBM/N0b5lTzkTMqFK/UWgVtDjAHyBsefo3d7F+G/9BtIvzvbG
YFMxfnUa!fXU4
| X-Complaints-To: ab***@comcast.net
| X-DMCA-Complaints-To: dm**@comcast.net
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!border1.nntp.d ca.giganews.com!nntp.gigan
ews.com!local01.nntp.dca.giganews.com!nntp.comcast .com!news.comcast.com.POST
ED!not-for-mail
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:357274
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
|
| I'm really wondering more, why this one server has this behavior, and
others
| don't.
|
| "Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
| news:OV****************@TK2MSFTNGP09.phx.gbl...
| > Dave H wrote:
| > > If put this into my Web.config. Shouldn't this turn off the
| > > ValiateRequest app wide?
| > >
| > > <configuration>
| > >
| > > <system.web>
| > >
| > > <pages buffer="true" validateRequest="false" />
| > >
| > > I pass SQL around to pages, and sometimes, this causes the 'Cross Site
| > > Attack' warning. I just want to turn it off comepltely.
| > >
| > > I also tried just putting it in the page header, I still ghet the
| > > error. Am I missing something else? I only get it on a new server I
| > > just setup, not any of my others.
| > >
| > > Ideas? Thanks, Dave
| > Ummmm - stop passing SQL around to pages?
| > --
| > Microsoft MVP -- ASP/ASP.NET
| > Please reply to the newsgroup. The email account listed in my From
| > header is my spam trap, so I don't check it very often. You will get a
| > quicker response by posting to the newsgroup.
| >
| >
|
|
|

Nov 19 '05 #4
Thanks.. here's an example, same page,the one that doesn't work, it was
encoded using HTMLEncode (I tried that, same result)

In web.config

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<pages buffer="true" validateRequest="false" />

In Page Directives

Page Language="vb" AutoEventWireup="false" ValidateRequest="false"
Does not work:

http://mywebserver/reporting/Pages/ReportsDisplay.Aspx?Colname=Admin&RunSQL=Select%20 T2.Userid,%20T2.UserName,%20Min(T1.LogDate)%20As%2 0FirstLogin,%20Max(T1.LogDate)%20As%20LastLogin,%2 0Count(*)%20As%20LoginCount%20from%20SystemControl ..UserLogins%20T1%20Join%20SystemControl..Users%20 T2%20On%20T2.UserID%20=%20T1.UserID%20Where%20T1.L ogDate%20>'11/16/2005'%20Group%20By%20T2.UserId,%20T2.UserName&RunX SL=BuildXSLGeneric&ShowSecondLink=Y
Does Work:

http://mywebserver/reporting/Pages/R...owSecondLink=Y
--
Dave
"Steven Cheng[MSFT]" wrote:
Hi Dave,

Welcome here.
From your description, you're encountering some "Cross Site Attack"
exceptions when you've turned off the pages/@validateRequest setting in
web.config, yes?

As you mentioned that the problem occured sometimes, so this is a randomly
occurs behavior ,yes? If so, I'm wondering whether it is something else
which cause this problem. Have you tried put a simple aspx page with some
entry fields on this and use some SQL injections code to post that page to
see whether it will raise such error? (remain the valiationRequest turn
off..)
Also, is it possible that we isolate the problem to a particular page? If
possible, would you provide some detaild code description on that page so
that we can perform some tests on our side.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| NNTP-Posting-Date: Thu, 10 Nov 2005 22:52:17 -0600
| From: "Dave H" <Da***@noemail.nospam>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| References: <yO********************@comcast.com>
<OV**************@TK2MSFTNGP09.phx.gbl>
| Subject: Re: validateRequest
| Date: Thu, 10 Nov 2005 20:52:15 -0800
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1506
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
| Message-ID: <eY********************@comcast.com>
| Lines: 34
| NNTP-Posting-Host: 67.180.218.69
| X-Trace:
sv3-g4cR4RmDza6WKwOL6Lvbyv3bHAhbMvXwk8HxXHcmVysDeSoDNp Pr54iYxnjb6gptgWAIbn2T
gxG7oh0!O7MKn8SlJCbWOL7RqtNLBM/N0b5lTzkTMqFK/UWgVtDjAHyBsefo3d7F+G/9BtIvzvbG
YFMxfnUa!fXU4
| X-Complaints-To: ab***@comcast.net
| X-DMCA-Complaints-To: dm**@comcast.net
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!border1.nntp.d ca.giganews.com!nntp.gigan
ews.com!local01.nntp.dca.giganews.com!nntp.comcast .com!news.comcast.com.POST
ED!not-for-mail
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:357274
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
|
| I'm really wondering more, why this one server has this behavior, and
others
| don't.
|
| "Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
| news:OV****************@TK2MSFTNGP09.phx.gbl...
| > Dave H wrote:
| > > If put this into my Web.config. Shouldn't this turn off the
| > > ValiateRequest app wide?
| > >
| > > <configuration>
| > >
| > > <system.web>
| > >
| > > <pages buffer="true" validateRequest="false" />
| > >
| > > I pass SQL around to pages, and sometimes, this causes the 'Cross Site
| > > Attack' warning. I just want to turn it off comepltely.
| > >
| > > I also tried just putting it in the page header, I still ghet the
| > > error. Am I missing something else? I only get it on a new server I
| > > just setup, not any of my others.
| > >
| > > Ideas? Thanks, Dave
| > Ummmm - stop passing SQL around to pages?
| > --
| > Microsoft MVP -- ASP/ASP.NET
| > Please reply to the newsgroup. The email account listed in my From
| > header is my spam trap, so I don't check it very often. You will get a
| > quicker response by posting to the newsgroup.
| >
| >
|
|
|

Nov 20 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: mar | last post by:
Does anybody know what configuration section should i set to false here. I also tried setting the page directive to false but that didn't fix it. Thanks! mc A potentially dangerous...
1
by: Shaun Dore | last post by:
Hi, I have a web form containing a TextBox that allows users to edit XML files. When the page is posted, the changes are saved. This worked fine until the ValidateRequest 'feature' came along in...
1
by: Benny | last post by:
Hello Experts, If the contents of a text box containing a html tag like formmated characters, i.e. <hello>, and if the validateRequest is set to true, it gives an error when post back: A...
4
by: Ray Williams | last post by:
I have a specific page that I have chosen to disable the .NET 1.1 validateRequest options by setting the page directive attribute of "validateRequest" from true to false. I manually validate all...
2
by: Tim Zych | last post by:
I'm trying to stop .Net from validating data entered into a textbox. When I enter < or > .Net returns an error: potentially dangerous Request.Form value was detected from the client... so a...
8
by: Max Metral | last post by:
Ok, I have a global page class derived from System.Web.UI.Page, let's call it BasePage. I have another class derived from that called MemberPage. It checks the Form collection if it's a post for...
2
by: Andy Fish | last post by:
Hi, I have one textbox on the form that needs to have ValidateRequest disabled, but it seems that it can only be enabled/disabled at a page level. assuming I have to disable it at for the...
3
by: Umut Tezduyar | last post by:
I couln't find the code begind property on the Page object that represents the "ValidateRequest" attribute on the @Page element. There must be some property that the PageParser knows what to do...
2
by: \A_Michigan_User\ | last post by:
*WITHOUT* using: ValidateRequest="False" for the whole page (or my whole site).... How would I trap/detect that a textBox contains some illegal characters? (I'm using asp.net v1.1 and vb.net)...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.