
GridView Error : Dangerous value

Hi there,

I'm doing work on a GridView and I'm getting an error:
A potentially dangerous Request.Form value was detected from the client (ctl00$Content$GridView1$ctl03$TextBox1="<span class='txtColo...")

I'm using an Access database, and whenever I try to update this it doesn't work.
  1. <%@ Page Language="C#" MasterPageFile="Mysite.master" Title="Untitled Page" %>
  2. <script runat = "server">
  protected void Page_Load(object sender, EventArgs e)
  {
      // The error label starts hidden on every request; the handlers that
      // detect a problem turn it back on.
      Label7.Visible = false;

      // Bind the page's data sources on the initial request only.
      if (IsPostBack)
      {
          return;
      }

      DataBind();
  }
  protected void GridView1_SelectedIndexChanged(object sender, EventArgs e)
  {
      // No-op. The GridView markup wires OnSelectedIndexChanged to
      // GridView1_SelectedIndexChanged1, so this handler appears unused.
  }
  14.  
  15.  
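  protected void Button1_Click1(object sender, EventArgs e)
  {
      // Footer "Insert" button: validates the three footer inputs and inserts a
      // new Page Content row through the typed table adapter.
      Label7.Visible = false;
      GridView1.FooterRow.Visible = false;
      try
      {
          DropDownList pageList = (DropDownList)GridView1.FooterRow.FindControl("DropDownList2");
          DropDownList sectionList = (DropDownList)GridView1.FooterRow.FindControl("SectionBox");
          TextBox valueBox = (TextBox)GridView1.FooterRow.FindControl("ValueBox");

          // Both drop-downs declare their "Select" placeholder with Value="0" in the
          // markup, and SelectedItem.Value / DropDownList.Text return that value, not the
          // caption. The placeholder is therefore detected by parsing the value and
          // comparing it with 0; the previous comparison against the captions
          // "Select" / "Selet" never matched, so a row with page or section 0 was inserted.
          int page1;
          int sbox1;
          bool pageChosen = int.TryParse(pageList.SelectedItem.Value, out page1) && page1 != 0;
          bool sectionChosen = int.TryParse(sectionList.Text, out sbox1) && sbox1 != 0;
          string val = valueBox.Text;

          if (pageChosen && sectionChosen && val != "")
          {
              // Typed adapter: val travels as a command parameter, not as SQL text.
              // It is stored unencoded; any output that renders Value as raw HTML
              // (rather than through a control that encodes it) must HtmlEncode it.
              DataSet2TableAdapters.Page_ContentTableAdapter pcAdap = new DataSet2TableAdapters.Page_ContentTableAdapter();
              pcAdap.Insert(page1, sbox1, val);
              DataBind();
          }
          else
          {
              GridView1.FooterRow.Visible = true;
              Label7.Visible = true;
              Label7.Text = "Error : Please select the specified fields and fill the value";
          }
      }
      catch (Exception e1)
      {
          // Page_Load hides Label7 on every request, so it has to be re-shown here or
          // the message is never seen. Only the message is displayed: concatenating the
          // exception itself would write its stack trace and provider details to the browser.
          GridView1.FooterRow.Visible = true;
          Label7.Visible = true;
          Label7.Text = "Error : " + e1.Message;
      }
  }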
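  protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
  {
      // Header "Page Type" drop-down changed: show the insert footer and re-populate
      // its Page and Section lists for the chosen page type (0 = the "Select" placeholder).
      GridView1.FooterRow.Visible = true;
      try
      {
          string selected = ((DropDownList)GridView1.HeaderRow.FindControl("DropDownList1")).Text;
          int pageTypeId = Convert.ToInt32(selected); // a non-numeric value lands in the catch below
          if (pageTypeId != 0)
          {
              DataSet2TableAdapters.PageTableAdapter pAdapt = new DataSet2TableAdapters.PageTableAdapter();
              DropDownList pageList = (DropDownList)GridView1.FooterRow.FindControl("DropDownList2");
              BindFooterList(pageList, pAdapt.GetSelectedDataBy(pageTypeId), "Name", "ID");

              DataSet2TableAdapters.Page_DetailTableAdapter pdAdapt = new DataSet2TableAdapters.Page_DetailTableAdapter();
              DropDownList sectionList = (DropDownList)GridView1.FooterRow.FindControl("SectionBox");
              BindFooterList(sectionList, pdAdapt.GetDataByPageType(pageTypeId), "Section Name", "ID");
          }
          else
          {
              GridView1.FooterRow.Visible = false;
          }
      }
      catch (Exception e1)
      {
          GridView1.FooterRow.Visible = true;
          Label7.Visible = true;
          // Message only: the full exception text would expose the stack trace and
          // provider details to the browser.
          Label7.Text = "Error : " + e1.Message;
      }
  }

  // Re-binds a footer drop-down whose markup declares a static "Select" placeholder as
  // its first item and sets AppendDataBoundItems="True". Everything after the placeholder
  // is removed before binding; otherwise each re-bind appends a further copy of the rows
  // to the items already present from the previous bind.
  private static void BindFooterList(DropDownList list, object dataSource, string textField, string valueField)
  {
      while (list.Items.Count > 1)
      {
          list.Items.RemoveAt(1);
      }
      list.DataSource = dataSource;
      list.DataTextField = textField;
      list.DataValueField = valueField;
      list.DataBind();
  }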
  protected void DropDownList2_SelectedIndexChanged(object sender, EventArgs e)
  {
      // No-op. Wired from the footer's DropDownList2 (Page list) in the markup.
  }
  protected void Button2_Click(object sender, EventArgs e)
  {
      // Footer "Cancel" button: collapses the insert row again.
      GridView1.FooterRow.Visible = false;
  }
  protected void LinkButton1_Click(object sender, EventArgs e)
  {
      // No-op. The "Edit" LinkButton that raises this also carries
      // CommandName="Edit", so the GridView switches the row to edit mode itself.
  }
  90.  
  protected void DropDownList3_SelectedIndexChanged(object sender, EventArgs e)
  {
      // No-op. Wired from DropDownList3 in the Page column's EditItemTemplate.
  }
  protected void GridView1_SelectedIndexChanged1(object sender, EventArgs e)
  {
      // No-op. This is the handler the GridView's OnSelectedIndexChanged points at.
  }
  97. </script>
  98. <asp:Content ID="Content2" ContentPlaceHolderID="Content" Runat="Server">
  99. <asp:GridView ID="GridView1" runat="server" AllowPaging="True" AllowSorting="True"
  100. AutoGenerateColumns="False" CellPadding="4" DataKeyNames="ID" DataSourceID="AccessDataSource1"
  101. ForeColor="#333333" GridLines="None" OnSelectedIndexChanged="GridView1_SelectedIndexChanged1">
  102. <FooterStyle BackColor="#507CD1" Font-Bold="True" ForeColor="White" />
  103. <Columns>
  104. <asp:TemplateField HeaderText="Page" SortExpression="Page">
  105. <EditItemTemplate>
  106. <asp:DropDownList ID="DropDownList3" runat="server" AppendDataBoundItems="True" DataSourceID="PageDataSource1"
  107. DataTextField="Page Name" DataValueField="Page" Font-Size="Smaller" OnSelectedIndexChanged="DropDownList3_SelectedIndexChanged"
  108. SelectedValue='<%# Bind("Page") %>'>
  109. <asp:ListItem Value="0">Select</asp:ListItem>
  110. </asp:DropDownList><asp:AccessDataSource ID="PageDataSource1" runat="server" DataFile="~/App_Data/database.mdb"
  111. SelectCommand="SELECT Page.ID AS Page, Page.Name AS [Page Name] FROM (Page INNER JOIN [Page Type] ON Page.[Page Type] = [Page Type].ID) ">
  112. </asp:AccessDataSource>
  113.  
  114. </EditItemTemplate>
  115. <HeaderTemplate>
  116. <asp:DropDownList ID="DropDownList1" runat="server" AppendDataBoundItems="True"
  117. AutoPostBack="True" DataSourceID="PageDataSource1" DataTextField="Page Type"
  118. DataValueField="ID" OnSelectedIndexChanged="DropDownList1_SelectedIndexChanged">
  119. <asp:ListItem Value="0">Select</asp:ListItem>
  120. </asp:DropDownList><br />
  121. <br />
  122. <asp:Label ID="Label6" runat="server" Text="Page"></asp:Label>
  123. <asp:Label ID="Label5" runat="server" Text="Page Type"></asp:Label>
  124. <asp:ObjectDataSource ID="PageDataSource1" runat="server" DeleteMethod="Delete" InsertMethod="Insert"
  125. OldValuesParameterFormatString="original_{0}" SelectMethod="GetData" TypeName="DataSet2TableAdapters.Page_TypeTableAdapter"
  126. UpdateMethod="Update">
  127. <DeleteParameters>
  128. <asp:Parameter Name="Original_ID" Type="Int32" />
  129. <asp:Parameter Name="Original_Page_Type" Type="String" />
  130. <asp:Parameter Name="Original_Description" Type="String" />
  131. <asp:Parameter Name="Original_Page_Path" Type="String" />
  132. <asp:Parameter Name="Original_Rank" Type="Int32" />
  133. <asp:Parameter Name="Original_Show_Menu" Type="Boolean" />
  134. <asp:Parameter Name="Original_Template" Type="Int32" />
  135. </DeleteParameters>
  136. <UpdateParameters>
  137. <asp:Parameter Name="Page_Type" Type="String" />
  138. <asp:Parameter Name="Description" Type="String" />
  139. <asp:Parameter Name="Page_Path" Type="String" />
  140. <asp:Parameter Name="Rank" Type="Int32" />
  141. <asp:Parameter Name="Show_Menu" Type="Boolean" />
  142. <asp:Parameter Name="Template" Type="Int32" />
  143. <asp:Parameter Name="Original_ID" Type="Int32" />
  144. <asp:Parameter Name="Original_Page_Type" Type="String" />
  145. <asp:Parameter Name="Original_Description" Type="String" />
  146. <asp:Parameter Name="Original_Page_Path" Type="String" />
  147. <asp:Parameter Name="Original_Rank" Type="Int32" />
  148. <asp:Parameter Name="Original_Show_Menu" Type="Boolean" />
  149. <asp:Parameter Name="Original_Template" Type="Int32" />
  150. </UpdateParameters>
  151. <InsertParameters>
  152. <asp:Parameter Name="Page_Type" Type="String" />
  153. <asp:Parameter Name="Description" Type="String" />
  154. <asp:Parameter Name="Page_Path" Type="String" />
  155. <asp:Parameter Name="Rank" Type="Int32" />
  156. <asp:Parameter Name="Show_Menu" Type="Boolean" />
  157. <asp:Parameter Name="Template" Type="Int32" />
  158. </InsertParameters>
  159. </asp:ObjectDataSource>
  160. </HeaderTemplate>
  161. <FooterTemplate>
  162.  
  163. <asp:DropDownList ID="DropDownList2" runat="server" AppendDataBoundItems="True" OnSelectedIndexChanged="DropDownList2_SelectedIndexChanged"
  164. Width="130px">
  165. <asp:ListItem Value="0">Select</asp:ListItem>
  166. </asp:DropDownList>
  167.  
  168. </FooterTemplate>
  169. <ItemTemplate>
  170. <asp:Label ID="Label1" runat="server" Text='<%# Bind("[Page Name]") %>'></asp:Label>
  171. </ItemTemplate>
  172. </asp:TemplateField>
  173. <asp:TemplateField HeaderText="Page Section" SortExpression="Page Section">
  174. <EditItemTemplate>
  175. <asp:DropDownList ID="DropDownList4" runat="server" DataSourceID="SectionDataSource2"
  176. DataTextField="Section Name" DataValueField="Section ID" SelectedValue='<%# Bind("[Page Section]") %>'
  177. Width="155px">
  178. </asp:DropDownList><asp:AccessDataSource ID="SectionDataSource2" runat="server" DataFile="~/App_Data/database.mdb"
  179. SelectCommand="SELECT DISTINCT [Page Detail].[Section Name], [Page Detail].ID AS [Section ID] FROM ([Page Content] INNER JOIN [Page Detail] ON [Page Content].[Page Section] = [Page Detail].ID)">
  180. </asp:AccessDataSource>
  181.  
  182. </EditItemTemplate>
  183. <FooterTemplate>
  184. <asp:DropDownList ID="SectionBox" runat="server" AppendDataBoundItems="True">
  185. <asp:ListItem Value="0">Select</asp:ListItem>
  186. </asp:DropDownList>
  187. </FooterTemplate>
  188. <ItemTemplate>
  189. <asp:Label ID="Label2" runat="server" Text='<%# Bind("[Section Name]") %>'></asp:Label>
  190. </ItemTemplate>
  191. </asp:TemplateField>
  192.  
  193.  
  194. <asp:TemplateField HeaderText="Value" SortExpression="Value">
  195.  
  196.  
The problem lies in this section.
Please have a look.
TextBox1 is bound to a value:
  1. <EditItemTemplate> 
  2.  
  3.  
  4. <asp:TextBox ID="TextBox1" runat="server" Text='<%# Bind("Value") %>'
  5. TextMode="MultiLine"></asp:TextBox>
  6.  
  7.  
  8. </EditItemTemplate>
  9.  
  10. <FooterTemplate>
  11. <asp:TextBox ID="ValueBox" runat="server" TextMode="MultiLine"></asp:TextBox>
  12. </FooterTemplate>
  13.  
  14. <ItemTemplate>
  15. <asp:TextBox ID="TextBox4" runat="server" BorderColor="Transparent"
  16. BorderStyle="None" ForeColor="Transparent" MaxLength="256" ReadOnly="True"
  17. Rows = "2" Text='<%# Bind("Value", "{0}") %>' TextMode="MultiLine" AutoCompleteType="Notes" Enabled="False" EnableTheming="False"></asp:TextBox>
  18. </ItemTemplate>
  19.  
  20. </asp:TemplateField>
  21. <asp:TemplateField HeaderText="ID" InsertVisible="False" ShowHeader="False" SortExpression="ID"
  22. Visible="False">
  23. <EditItemTemplate>
  24. <asp:Label ID="EditLabel1" runat="server" Text='<%# Eval("ID") %>'></asp:Label>
  25. </EditItemTemplate>
  26. <ItemTemplate>
  27. <asp:Label ID="Label4" runat="server" Text='<%# Bind("ID") %>'></asp:Label>
  28. </ItemTemplate>
  29. </asp:TemplateField>
  30. <asp:TemplateField ShowHeader="False">
  31. <EditItemTemplate>
  32. <asp:LinkButton ID="LinkButton1" runat="server" CausesValidation="True" CommandName="Update"
  33. Text="Update"></asp:LinkButton>
  34. <asp:LinkButton ID="LinkButton2" runat="server" CausesValidation="False" CommandName="Cancel"
  35. Text="Cancel"></asp:LinkButton>
  36. </EditItemTemplate>
  37. <FooterTemplate>
  38. <asp:Button ID="Button1" runat="server" OnClick="Button1_Click1"
  39. Text="Insert" />
  40. <asp:Button ID="Button2" runat="server" OnClick="Button2_Click"
  41. Text="Cancel" Width="53px" />
  42. </FooterTemplate>
  43. <ItemTemplate>
  44. <asp:LinkButton ID="LinkButton1" runat="server" CausesValidation="False" CommandName="Edit"
  45. OnClick="LinkButton1_Click" Text="Edit"></asp:LinkButton>
  46. <asp:LinkButton ID="LinkButton2" runat="server" CausesValidation="False" CommandName="Delete"
  47. Text="Delete"></asp:LinkButton>
  48. </ItemTemplate>
  49. </asp:TemplateField>
  50. </Columns>
  51. <RowStyle BackColor="#EFF3FB" />
  52. <EditRowStyle BackColor="#2461BF" />
  53. <SelectedRowStyle BackColor="#D1DDF1" Font-Bold="True" ForeColor="#333333" />
  54. <PagerStyle BackColor="#2461BF" ForeColor="White" HorizontalAlign="Center" />
  55. <HeaderStyle BackColor="#507CD1" Font-Bold="True" ForeColor="White" />
  56. <AlternatingRowStyle BackColor="White" />
  57. </asp:GridView>
  58. <asp:Label ID="Label7" runat="server" Font-Bold="True" Font-Names="Courier New"
  59. Text="Label"></asp:Label>
  60.  
  61. <asp:AccessDataSource ID="AccessDataSource1" runat="server" DataFile="~/App_Data/database.mdb"
  62. DeleteCommand="DELETE FROM [Page Content] WHERE (ID = ?)" SelectCommand="SELECT PC.Page, PC.[Page Section], PC.[Value], PC.ID, P.Name AS [Page Name], PD.[Section Name] FROM (([Page Content] PC INNER JOIN Page P ON PC.Page = P.ID) INNER JOIN [Page Detail] PD ON PC.[Page Section] = PD.ID)"
  63. UpdateCommand="UPDATE [Page Content] SET Page = ?, [Page Section] = ?, [Value] = ? WHERE (ID = ?)">
  64. </asp:AccessDataSource>
  65. </asp:Content>
  66.  
Can any one help please :)

Thank you

Regards,
Ahmed
Jan 9 '09 #1
liawcv
33
In the @Page directive, set its ValidateRequest property to false:
  1. <%@ Page ... ValidateRequest="false" %>
  2.  
But be reminded that allowing users to post unaltered HTML content could open a security hole in your page. If you use this approach, you should encode the input string with the Server.HtmlEncode() method before processing it further, or disallow dangerous HTML tags such as <script>.
Jan 9 '09 #2
Hi liawcv,

Thank you very much... I figured that out yesterday :) ... but Server.HtmlEncode()... can you give me an example? I mean, where should I call this method?

Thank you

Regards,
Ahmed
Jan 10 '09 #3
liawcv
33
Suppose txtMessage contains "<span>This is the text</span>". Then

string s = Server.HtmlEncode(txtMessage.Text);

will make the variable s contain "&lt;span&gt;This is the text&lt;/span&gt;".

Normally we encode the input before it is updated / inserted into the database (or other data store).
Jan 11 '09 #4
So after using this method, what would the result look like in the GridView? Would it be the same as before using "Server.HtmlEncode()", or would the result be encoded?
Jan 11 '09 #5
liawcv
33
&lt; will be displayed as <
&gt; will be displayed as >
&lt;span&gt; will be displayed as <span>
Well, you get the pure text, not the HTML.

If you would like to get back the original input string, use Server.HtmlDecode(). Thus, &lt;script&gt; will be rendered as a real <script> tag in your page. However, if you would like the input to be rendered as HTML, then there is no need to encode and then decode again.

If you want your <span> rendered as HTML rather than plain text, then encoding (and decoding) it would be pointless. Instead, you could filter your input string so that only a particular set of HTML tags is accepted, such as <span>, <b>, <i>, etc.
Jan 11 '09 #6
Thank you very much, this is very helpful...

Thank you,

Regards,
Ahmed
Jan 11 '09 #7
