
GridView Error : Dangerous value

Hi there,

I'm working on a GridView and I'm getting an error:
A potentially dangerous Request.Form value was detected from the client (ctl00$Content$GridView1$ctl03$TextBox1="<span class='txtColo...")

I'm using an Access database, and whenever I try to update this it doesn't work.
  1. <%@ Page Language="C#" MasterPageFile="Mysite.master" Title="Untitled Page" %>
  2. <script runat = "server">
  /// <summary>
  /// Hides the status label on every request and binds the page's data
  /// controls on the first (non-postback) request only.
  /// </summary>
  protected void Page_Load(object sender, EventArgs e)
  {
      Label7.Visible = false;
      if (IsPostBack)
      {
          return;
      }
      DataBind();
  }
  /// <summary>Empty handler: selection changes trigger no action here.</summary>
  protected void GridView1_SelectedIndexChanged(object sender, EventArgs e) { }
  14.  
  15.  
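  /// <summary>
  /// Inserts a new [Page Content] row from the footer controls: the page
  /// chosen in DropDownList2, the section chosen in SectionBox and the text
  /// in ValueBox. Label7 is shown with a message when a field is missing or
  /// the insert fails; the footer stays visible in both cases so the typed
  /// input is not lost.
  /// </summary>
  protected void Button1_Click1(object sender, EventArgs e)
  {
      Label7.Visible = false;
      GridView1.FooterRow.Visible = false;
      try
      {
          GridViewRow footer = GridView1.FooterRow;
          DropDownList pageList = (DropDownList)footer.FindControl("DropDownList2");
          TextBox valueBox = (TextBox)footer.FindControl("ValueBox");
          DropDownList sectionList = (DropDownList)footer.FindControl("SectionBox");

          string page = pageList.SelectedValue;
          string val = valueBox.Text;
          string sBox = sectionList.SelectedValue;

          // Both lists start with a placeholder item whose Value is "0", so the
          // selected value is numeric and "a real row was chosen" means it is
          // not 0. Comparing the value against the text "Select" (or the
          // misspelt "Selet") never matched the placeholder, so 0 could reach
          // the insert.
          int page1;
          int sbox1;
          bool pageChosen = int.TryParse(page, out page1) && page1 != 0;
          bool sectionChosen = int.TryParse(sBox, out sbox1) && sbox1 != 0;

          if (pageChosen && sectionChosen && !string.IsNullOrEmpty(val))
          {
              // The value is stored as entered; it must be HTML-encoded wherever
              // it is rendered back into a page.
              DataSet2TableAdapters.Page_ContentTableAdapter pcAdap = new DataSet2TableAdapters.Page_ContentTableAdapter();
              pcAdap.Insert(page1, sbox1, val);
              DataBind();
          }
          else
          {
              GridView1.FooterRow.Visible = true;
              Label7.Visible = true;
              Label7.Text = "Error : Please select the specified fields and fill the value";
          }
      }
      catch (Exception e1)
      {
          // Keep the full exception (stack trace, provider details) out of the
          // page: record it server-side and show only the short message. The
          // original also never made Label7 visible here, so the error was set
          // but hidden.
          System.Diagnostics.Trace.TraceError(e1.ToString());
          GridView1.FooterRow.Visible = true;
          Label7.Visible = true;
          Label7.Text = "Error : " + e1.Message;
      }
  }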
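  /// <summary>
  /// When a page type is chosen in the header list, shows the footer row and
  /// fills its page list (DropDownList2) and section list (SectionBox) for
  /// that type. The placeholder selection (value "0") hides the footer
  /// instead. On failure the footer and Label7 are shown with a short message.
  /// </summary>
  protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
  {
      GridView1.FooterRow.Visible = true;
      try
      {
          string ID = ((DropDownList)GridView1.HeaderRow.FindControl("DropDownList1")).SelectedValue;
          int cID;
          // The header list's placeholder item has Value "0"; an unparsable
          // value is treated the same way instead of throwing from
          // Convert.ToInt32 and surfacing as an error.
          if (!int.TryParse(ID, out cID) || cID == 0)
          {
              GridView1.FooterRow.Visible = false;
              return;
          }

          // Look each footer control up once instead of once per property.
          GridViewRow footer = GridView1.FooterRow;

          DataSet2TableAdapters.PageTableAdapter pAdapt = new DataSet2TableAdapters.PageTableAdapter();
          DropDownList pageList = (DropDownList)footer.FindControl("DropDownList2");
          pageList.DataSource = pAdapt.GetSelectedDataBy(cID);
          pageList.DataTextField = "Name";
          pageList.DataValueField = "ID";
          pageList.DataBind();

          DataSet2TableAdapters.Page_DetailTableAdapter pdAdapt = new DataSet2TableAdapters.Page_DetailTableAdapter();
          DropDownList sectionList = (DropDownList)footer.FindControl("SectionBox");
          sectionList.DataSource = pdAdapt.GetDataByPageType(cID);
          sectionList.DataTextField = "Section Name";
          sectionList.DataValueField = "ID";
          sectionList.DataBind();
          // NOTE(review): both footer lists are declared with
          // AppendDataBoundItems="True"; confirm that rebinding on repeated
          // selections does not accumulate duplicate entries.
      }
      catch (Exception e1)
      {
          // Keep the full exception (stack trace, provider details) out of the
          // page: record it server-side and show only the short message.
          System.Diagnostics.Trace.TraceError(e1.ToString());
          GridView1.FooterRow.Visible = true;
          Label7.Visible = true;
          Label7.Text = "Error : " + e1.Message;
      }
  }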
  /// <summary>Empty handler for the footer page list; nothing happens on change.</summary>
  protected void DropDownList2_SelectedIndexChanged(object sender, EventArgs e) { }
  /// <summary>Cancel button in the footer: hides the footer row again.</summary>
  protected void Button2_Click(object sender, EventArgs e)
  {
      GridViewRow footer = GridView1.FooterRow;
      footer.Visible = false;
  }
  /// <summary>Empty handler for the row Edit link; the Edit command itself is handled by the GridView.</summary>
  protected void LinkButton1_Click(object sender, EventArgs e) { }
  90.  
  /// <summary>Empty handler for the edit-row page list; nothing happens on change.</summary>
  protected void DropDownList3_SelectedIndexChanged(object sender, EventArgs e) { }
  /// <summary>Empty handler wired to the GridView's OnSelectedIndexChanged; no action taken.</summary>
  protected void GridView1_SelectedIndexChanged1(object sender, EventArgs e) { }
  97. </script>
  98. <asp:Content ID="Content2" ContentPlaceHolderID="Content" Runat="Server">
  99. <asp:GridView ID="GridView1" runat="server" AllowPaging="True" AllowSorting="True"
  100. AutoGenerateColumns="False" CellPadding="4" DataKeyNames="ID" DataSourceID="AccessDataSource1"
  101. ForeColor="#333333" GridLines="None" OnSelectedIndexChanged="GridView1_SelectedIndexChanged1">
  102. <FooterStyle BackColor="#507CD1" Font-Bold="True" ForeColor="White" />
  103. <Columns>
  104. <asp:TemplateField HeaderText="Page" SortExpression="Page">
  105. <EditItemTemplate>
  106. <asp:DropDownList ID="DropDownList3" runat="server" AppendDataBoundItems="True" DataSourceID="PageDataSource1"
  107. DataTextField="Page Name" DataValueField="Page" Font-Size="Smaller" OnSelectedIndexChanged="DropDownList3_SelectedIndexChanged"
  108. SelectedValue='<%# Bind("Page") %>'>
  109. <asp:ListItem Value="0">Select</asp:ListItem>
  110. </asp:DropDownList><asp:AccessDataSource ID="PageDataSource1" runat="server" DataFile="~/App_Data/database.mdb"
  111. SelectCommand="SELECT Page.ID AS Page, Page.Name AS [Page Name] FROM (Page INNER JOIN [Page Type] ON Page.[Page Type] = [Page Type].ID) ">
  112. </asp:AccessDataSource>
  113.  
  114. </EditItemTemplate>
  115. <HeaderTemplate>
  116. <asp:DropDownList ID="DropDownList1" runat="server" AppendDataBoundItems="True"
  117. AutoPostBack="True" DataSourceID="PageDataSource1" DataTextField="Page Type"
  118. DataValueField="ID" OnSelectedIndexChanged="DropDownList1_SelectedIndexChanged">
  119. <asp:ListItem Value="0">Select</asp:ListItem>
  120. </asp:DropDownList><br />
  121. <br />
  122. <asp:Label ID="Label6" runat="server" Text="Page"></asp:Label>
  123. <asp:Label ID="Label5" runat="server" Text="Page Type"></asp:Label>
  124. <asp:ObjectDataSource ID="PageDataSource1" runat="server" DeleteMethod="Delete" InsertMethod="Insert"
  125. OldValuesParameterFormatString="original_{0}" SelectMethod="GetData" TypeName="DataSet2TableAdapters.Page_TypeTableAdapter"
  126. UpdateMethod="Update">
  127. <DeleteParameters>
  128. <asp:Parameter Name="Original_ID" Type="Int32" />
  129. <asp:Parameter Name="Original_Page_Type" Type="String" />
  130. <asp:Parameter Name="Original_Description" Type="String" />
  131. <asp:Parameter Name="Original_Page_Path" Type="String" />
  132. <asp:Parameter Name="Original_Rank" Type="Int32" />
  133. <asp:Parameter Name="Original_Show_Menu" Type="Boolean" />
  134. <asp:Parameter Name="Original_Template" Type="Int32" />
  135. </DeleteParameters>
  136. <UpdateParameters>
  137. <asp:Parameter Name="Page_Type" Type="String" />
  138. <asp:Parameter Name="Description" Type="String" />
  139. <asp:Parameter Name="Page_Path" Type="String" />
  140. <asp:Parameter Name="Rank" Type="Int32" />
  141. <asp:Parameter Name="Show_Menu" Type="Boolean" />
  142. <asp:Parameter Name="Template" Type="Int32" />
  143. <asp:Parameter Name="Original_ID" Type="Int32" />
  144. <asp:Parameter Name="Original_Page_Type" Type="String" />
  145. <asp:Parameter Name="Original_Description" Type="String" />
  146. <asp:Parameter Name="Original_Page_Path" Type="String" />
  147. <asp:Parameter Name="Original_Rank" Type="Int32" />
  148. <asp:Parameter Name="Original_Show_Menu" Type="Boolean" />
  149. <asp:Parameter Name="Original_Template" Type="Int32" />
  150. </UpdateParameters>
  151. <InsertParameters>
  152. <asp:Parameter Name="Page_Type" Type="String" />
  153. <asp:Parameter Name="Description" Type="String" />
  154. <asp:Parameter Name="Page_Path" Type="String" />
  155. <asp:Parameter Name="Rank" Type="Int32" />
  156. <asp:Parameter Name="Show_Menu" Type="Boolean" />
  157. <asp:Parameter Name="Template" Type="Int32" />
  158. </InsertParameters>
  159. </asp:ObjectDataSource>
  160. </HeaderTemplate>
  161. <FooterTemplate>
  162.  
  163. <asp:DropDownList ID="DropDownList2" runat="server" AppendDataBoundItems="True" OnSelectedIndexChanged="DropDownList2_SelectedIndexChanged"
  164. Width="130px">
  165. <asp:ListItem Value="0">Select</asp:ListItem>
  166. </asp:DropDownList>
  167.  
  168. </FooterTemplate>
  169. <ItemTemplate>
  170. <asp:Label ID="Label1" runat="server" Text='<%# Bind("[Page Name]") %>'></asp:Label>
  171. </ItemTemplate>
  172. </asp:TemplateField>
  173. <asp:TemplateField HeaderText="Page Section" SortExpression="Page Section">
  174. <EditItemTemplate>
  175. <asp:DropDownList ID="DropDownList4" runat="server" DataSourceID="SectionDataSource2"
  176. DataTextField="Section Name" DataValueField="Section ID" SelectedValue='<%# Bind("[Page Section]") %>'
  177. Width="155px">
  178. </asp:DropDownList><asp:AccessDataSource ID="SectionDataSource2" runat="server" DataFile="~/App_Data/database.mdb"
  179. SelectCommand="SELECT DISTINCT [Page Detail].[Section Name], [Page Detail].ID AS [Section ID] FROM ([Page Content] INNER JOIN [Page Detail] ON [Page Content].[Page Section] = [Page Detail].ID)">
  180. </asp:AccessDataSource>
  181.  
  182. </EditItemTemplate>
  183. <FooterTemplate>
  184. <asp:DropDownList ID="SectionBox" runat="server" AppendDataBoundItems="True">
  185. <asp:ListItem Value="0">Select</asp:ListItem>
  186. </asp:DropDownList>
  187. </FooterTemplate>
  188. <ItemTemplate>
  189. <asp:Label ID="Label2" runat="server" Text='<%# Bind("[Section Name]") %>'></asp:Label>
  190. </ItemTemplate>
  191. </asp:TemplateField>
  192.  
  193.  
  194. <asp:TemplateField HeaderText="Value" SortExpression="Value">
  195.  
  196.  
The problem lies in this section.
Please have a look.
TextBox1, which is bound to a value:
  1. <EditItemTemplate> 
  2.  
  3.  
  4. <asp:TextBox ID="TextBox1" runat="server" Text='<%# Bind("Value") %>'
  5. TextMode="MultiLine"></asp:TextBox>
  6.  
  7.  
  8. </EditItemTemplate>
  9.  
  10. <FooterTemplate>
  11. <asp:TextBox ID="ValueBox" runat="server" TextMode="MultiLine"></asp:TextBox>
  12. </FooterTemplate>
  13.  
  14. <ItemTemplate>
  15. <asp:TextBox ID="TextBox4" runat="server" BorderColor="Transparent"
  16. BorderStyle="None" ForeColor="Transparent" MaxLength="256" ReadOnly="True"
  17. Rows = "2" Text='<%# Bind("Value", "{0}") %>' TextMode="MultiLine" AutoCompleteType="Notes" Enabled="False" EnableTheming="False"></asp:TextBox>
  18. </ItemTemplate>
  19.  
  20. </asp:TemplateField>
  21. <asp:TemplateField HeaderText="ID" InsertVisible="False" ShowHeader="False" SortExpression="ID"
  22. Visible="False">
  23. <EditItemTemplate>
  24. <asp:Label ID="EditLabel1" runat="server" Text='<%# Eval("ID") %>'></asp:Label>
  25. </EditItemTemplate>
  26. <ItemTemplate>
  27. <asp:Label ID="Label4" runat="server" Text='<%# Bind("ID") %>'></asp:Label>
  28. </ItemTemplate>
  29. </asp:TemplateField>
  30. <asp:TemplateField ShowHeader="False">
  31. <EditItemTemplate>
  32. <asp:LinkButton ID="LinkButton1" runat="server" CausesValidation="True" CommandName="Update"
  33. Text="Update"></asp:LinkButton>
  34. <asp:LinkButton ID="LinkButton2" runat="server" CausesValidation="False" CommandName="Cancel"
  35. Text="Cancel"></asp:LinkButton>
  36. </EditItemTemplate>
  37. <FooterTemplate>
  38. <asp:Button ID="Button1" runat="server" OnClick="Button1_Click1"
  39. Text="Insert" />
  40. <asp:Button ID="Button2" runat="server" OnClick="Button2_Click"
  41. Text="Cancel" Width="53px" />
  42. </FooterTemplate>
  43. <ItemTemplate>
  44. <asp:LinkButton ID="LinkButton1" runat="server" CausesValidation="False" CommandName="Edit"
  45. OnClick="LinkButton1_Click" Text="Edit"></asp:LinkButton>
  46. <asp:LinkButton ID="LinkButton2" runat="server" CausesValidation="False" CommandName="Delete"
  47. Text="Delete"></asp:LinkButton>
  48. </ItemTemplate>
  49. </asp:TemplateField>
  50. </Columns>
  51. <RowStyle BackColor="#EFF3FB" />
  52. <EditRowStyle BackColor="#2461BF" />
  53. <SelectedRowStyle BackColor="#D1DDF1" Font-Bold="True" ForeColor="#333333" />
  54. <PagerStyle BackColor="#2461BF" ForeColor="White" HorizontalAlign="Center" />
  55. <HeaderStyle BackColor="#507CD1" Font-Bold="True" ForeColor="White" />
  56. <AlternatingRowStyle BackColor="White" />
  57. </asp:GridView>
  58. <asp:Label ID="Label7" runat="server" Font-Bold="True" Font-Names="Courier New"
  59. Text="Label"></asp:Label>
  60.  
  61. <asp:AccessDataSource ID="AccessDataSource1" runat="server" DataFile="~/App_Data/database.mdb"
  62. DeleteCommand="DELETE FROM [Page Content] WHERE (ID = ?)" SelectCommand="SELECT PC.Page, PC.[Page Section], PC.[Value], PC.ID, P.Name AS [Page Name], PD.[Section Name] FROM (([Page Content] PC INNER JOIN Page P ON PC.Page = P.ID) INNER JOIN [Page Detail] PD ON PC.[Page Section] = PD.ID)"
  63. UpdateCommand="UPDATE [Page Content] SET Page = ?, [Page Section] = ?, [Value] = ? WHERE (ID = ?)">
  64. </asp:AccessDataSource>
  65. </asp:Content>
  66.  
Can any one help please :)

Thank you

Regards,
Ahmed
Jan 9 '09 #1
liawcv
33
In the @Page directive, set its ValidateRequest property to false:
  1. <%@ Page ... ValidateRequest="false" %>
  2.  
But be reminded that allowing users to post unaltered HTML content can open a security hole in your page. If you use this approach, you should encode the input string with the Server.HtmlEncode() method before processing it further, or disallow dangerous HTML tags such as <script>, etc.
Jan 9 '09 #2
Hi liawcv,

Thank you very much... I figured that out yesterday :) ... but Server.HtmlEncode()... Can you give me any examples? I mean, where should I use this call?

Thank you

Regards,
Ahmed
Jan 10 '09 #3
liawcv
33
Let txtMessage contain "<span>This is the text</span>". Then,

string s = Server.HtmlEncode(txtMessage.Text);

will make the variable s contain "&lt;span&gt;This is the text&lt;/span&gt;".

Normally we encode the input before it is updated / inserted into the database (or other data store).
Jan 11 '09 #4
So after using this call, how would the result look in the GridView? Would it be the same as before using "Server.HtmlEncode()", or would the result be encoded?
Jan 11 '09 #5
liawcv
33
&lt; will be displayed as <
&gt; will be displayed as >
&lt;span&gt; will be displayed as <span>
Well, you get the pure text, not the HTML.

If you would like to get back the original input string, use Server.HtmlDecode(). Then &lt;script&gt; will be rendered as a real <script> tag in your page. However, if you want the input to be rendered as HTML, there is no point encoding it and then decoding it again.

If you want your <span> rendered as HTML rather than plain text, then encoding (and decoding) it is pointless. Perhaps you can filter your input string so that only particular HTML tags are accepted, such as <span>, <b>, <i>, etc.
Jan 11 '09 #6
Thank you very much, this is very helpful...

Thank you,

Regards,
Ahmed
Jan 11 '09 #7


