Disabling Request Validation in ASP.Net 4 MVC 3 Beta

December 28, 2010

I had to integrate CKEditor in my current MVC 3 (beta) project (System.Web.Mvc.dll version 3.0.10714.0), and came across this error when posting HTML markup:

Server Error in '/MyApp' Application.

A potentially dangerous Request.Form value was detected from the client

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Not quite!

I set the requestValidationMode attribute in web.config, and the ValidateRequest attribute in the Page declaration, as described, but this did not change the web page’s behavior.

I found that MVC 3 requires the [ValidateInput(false)] attribute on the controller action (in addition to the requestValidationMode setting) instead of the Page ValidateRequest attribute, and it does indeed work, even on asynchronous actions.

However, I am a bit worried about upgrading to MVC 3 RC, since the internets say that request validation cannot be switched off in RC.

From the ASP.Net 4 Breaking Changes page, it is also not clear how to disable request validation and use the ASP.Net 4 request pipeline.

By the way: Using jQuery.ajax() and posting JSON data using the JSON.stringify() function, similar content can be posted without any validation errors.


Searching for String Literals in T-SQL Code

December 25, 2010

If you have ever worked in a multi-language (i.e. localization-aware) project, you know that you should avoid string literals embedded in code.

To make sure that no untranslatable error messages, warnings or other text that might end up in the user interface is embedded in T-SQL code (MS SQL Server stored procedures, functions, and triggers), you'd need to search each of the code blocks for the string delimiter ' (single quote).

I’ll sketch a solution called tsqlfindstrings implemented in PowerShell using SMO to access the code stored in a MS SQL Server database, and .Net regular expressions to find string literals. The script tsqlfindstrings.ps1 needs to be configured similarly to my previous PowerShell solution automssqlbackup.

First, the SQL Server-specific SMO libraries are loaded:

$mspath = "C:\Program Files\Microsoft SQL Server\100\SDK\Assemblies\"
$dummy = [System.Reflection.Assembly]::LoadFrom($mspath + "Microsoft.SqlServer.ConnectionInfo.dll")
$dummy = [System.Reflection.Assembly]::LoadFrom($mspath + "Microsoft.SqlServer.Smo.dll")
$dummy = [System.Reflection.Assembly]::LoadFrom($mspath + "Microsoft.SqlServer.SmoExtended.dll")

and connection parameters $dbhost, $dbname, $username, and $password are set.

Next, we define string literals to be excluded from the search results, either complete strings or string beginnings, as string arrays:

$excludedStrings = @(" (", ")", "%", "*", " - ", ", ", "(", "true", "false", " ", """", "=""",
  "uniqueidentifier", "datetime", "int", "decimal", "bit", "float", "Z",  "string", "boolean", "guid")
$excludedBegins = @("'")

The example shows T-SQL keywords as excluded strings and the single quote as the first character of a string literal (both occur in dynamic SQL, so we want to ignore these).

We connect using the standard SMO objects ServerConnection and Server:

$conn = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$srv = New-Object Microsoft.SqlServer.Management.Smo.Server($conn)
[void] $srv.Initialize($false)
[void] $srv.Refresh()
[void] $srv.SetDefaultInitFields($true)

to find our database $db in $srv.Databases.

In its current version, the script checks these SMO properties for string literals:

  • Tables.Checks.Text
  • Tables.Columns.Default
  • Views.TextBody
  • StoredProcedures.TextBody
  • UserDefinedFunctions.TextBody
  • Triggers.TextBody

If a single quote is found in the property values, the Extract subroutine is called to extract the string literal and match it with the defined excluded strings:

function Extract($type, $name, $s)
{
  # $s is the text of an SMO property (TextBody, Checks.Text, Columns.Default).
  # The (?!') lookahead makes sure the closing quote is not a doubled quote ('')
  # and, unlike a trailing [^'], still matches a literal at the very end of $s.
  foreach($m in [RegEx]::Matches($s, "'(.+?)'(?!')") |
    Where-Object { ($excludedStrings -notcontains $_.Groups[1].Value) })
  {
    $g = $m.Groups[1].Value
    $do = $true

    # skip literals that start with an excluded prefix (nested dynamic-SQL quoting)
    foreach($b in $excludedBegins)
    {
      if ($g.StartsWith( $b ))
      {
        $do = $false
      }
    }

    if ($do)
    {
      Write-Host ($type + " " + $name + ": '" + $g + "'")
    }
  }
}
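As an added example (not the tsqlfindstrings.ps1 code from this post), the extraction step above reworked so that it runs offline against constructed T-SQL samples instead of SMO objects. It generalizes the post's regular expression to handle doubled quotes inside a literal and to skip quotes that sit inside line or block comments. The function name Find-TsqlStringLiteral, the $samples and their object names are assumptions made for the demonstration:

```powershell
# Added example: literal extraction as described in the post, run offline against
# constructed T-SQL text. Find-TsqlStringLiteral and $samples are assumptions made for
# this demonstration; this is not the tsqlfindstrings.ps1 code.

# Literals that are harmless in the UI sense: punctuation, keywords and type names that
# show up in dynamic SQL. Same idea as the post's $excludedStrings.
$excludedStrings = @(" (", ")", "%", "*", " - ", ", ", "(", "true", "false", " ", """", "=""",
  "uniqueidentifier", "datetime", "int", "decimal", "bit", "float", "Z", "string", "boolean", "guid")
# Literals whose source text starts with one of these prefixes are skipped (nested dynamic-SQL quoting).
$excludedBegins = @("'")

function Find-TsqlStringLiteral {
    param(
        [Parameter(Mandatory)] [string] $Code,
        [string] $Type = 'Code',
        [string] $Name = '',
        [string[]] $Excluded = $excludedStrings,
        [string[]] $ExcludedBegins = $excludedBegins
    )

    # One pass that recognises, at each position, either
    #   a string literal: quote, a run of non-quotes or doubled quotes (''), then a quote
    #                     that is not followed by another quote,
    #   a line comment  -- ...
    #   a block comment /* ... */
    # Comments compete with literals for the same position, so a quote inside a comment is
    # never reported. The (?!') lookahead also matches a literal at the very end of the text.
    $pattern = "'((?:[^']|'')*)'(?!')|--[^\r\n]*|/\*[\s\S]*?\*/"

    foreach ($m in [regex]::Matches($Code, $pattern)) {
        if (-not $m.Groups[1].Success) { continue }     # matched a comment, not a literal

        $raw = $m.Groups[1].Value                        # as written in the source, '' still doubled
        $skip = $false
        foreach ($b in $ExcludedBegins) {
            if ($raw.StartsWith($b)) { $skip = $true; break }
        }
        if ($skip) { continue }

        $value = $raw.Replace("''", "'")                 # the text a user would actually see
        if ($Excluded -contains $value) { continue }

        [pscustomobject]@{ Type = $Type; Name = $Name; Literal = $value }
    }
}

# Constructed samples standing in for StoredProcedures.TextBody, Tables.Checks.Text and
# Tables.Columns.Default as they would be read through SMO.
$samples = @(
    @{ Type = 'StoredProcedure'; Name = 'dbo.usp_SaveOrder'; Code = @'
CREATE PROCEDURE dbo.usp_SaveOrder @Id int AS
BEGIN
    -- 'a quote inside a line comment'
    IF @Id IS NULL
        RAISERROR('Order id must not be NULL', 16, 1);   /* 'and inside a block comment' */
    DECLARE @sql nvarchar(max) = N'SELECT * FROM dbo.Orders WHERE Id = ' + CAST(@Id AS nvarchar(10));
    EXEC (@sql);
    PRINT 'It''s done';
END
'@ },
    @{ Type = 'Check';   Name = 'dbo.Orders.CK_State'; Code = "([State] IN ('new', 'paid', 'shipped'))" },
    @{ Type = 'Default'; Name = 'dbo.Orders.Created';  Code = "(getdate())" }
)

$hits = foreach ($s in $samples) {
    Find-TsqlStringLiteral -Code $s.Code -Type $s.Type -Name $s.Name
}

# Report in the post's "Type Name: 'literal'" shape. The quotes inside comments are not
# listed, It''s is reported as It's, and the dynamic-SQL fragment shows why the exclusion
# lists have to be tuned per code base.
foreach ($h in $hits) {
    Write-Host ("{0} {1}: '{2}'" -f $h.Type, $h.Name, $h.Literal)
}
```

Running the script lists the RAISERROR and PRINT messages and the three check-constraint values, but neither of the quoted phrases inside the comments; the dynamic-SQL fragment is listed too, which is the cue to extend $excludedStrings for that code base rather than to loosen the regular expression.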

The first released version of tsqlfindstrings is available for download here.


SMOscript 0.18

December 20, 2010

The most recent version of SMOscript fixes an SMO exception caused by duplicate initialization as described in my previous post.

SMOscript is available for download here.


Strange SMO Errors

December 20, 2010

I came across some strange SMO errors today running my SMOscript utility on a new SQL Server 2008 database (10.0.2531.0):

Error: An exception occurred while executing a Transact-SQL statement or batch.

and

Error: Could not find stored procedure ‘msdb.sys.sp_getProcessorUsage’.

A web search did not yield any results.

It turned out that the code was calling Server.Initialize(false) twice, and removing one of the calls caused the program to run without raising exceptions.

Since the last version of SMOscript is dated May 2010, and I have some files created by SMOscript dated July 2010, some magic event must have caused a different behavior in the SMO libraries. I have no idea.


graspx 0.17

December 20, 2010

My command-line tool graspx, which allows you to search aspx, ascx and master files, has been updated to support Visual Studio 2008.

Visual Studio 2008 generates the Register TagPrefix declaration as "Register tagprefix" in web.config.

The most current version of graspx is available for download here.


Installing Creative PD1110 Drivers in Windows 7

December 20, 2010

I wanted to plug an old Creative webcam (N10225, PD1110) into my Windows 7 PC, and Windows Update could not find appropriate drivers.

Asking the internets mostly led me to the various driver-download-after-lots-of-ads-and-registration sites, but I finally found a link on answers.com, which led me to the Creative product page of WebCam NX.

I started the driver installation software in XP compatibility mode, and Skype immediately recognized the camera.

However, the installer somehow froze with a dialog box open, and I had to end two install processes from the Task Manager.
