Search Results

Search found 15878 results on 636 pages for 'hidden field'.

Page 146/636 | < Previous Page | 142 143 144 145 146 147 148 149 150 151 152 153  | Next Page >

  • how do I integrate the aspnet_users table (asp.net membership) into my existing database

    - by ooo
    i have a database that already has a users table COLUMNS: userID - int loginName - string First - string Last - string i just installed the asp.net membership table. Right now all of my tables are joined into my users table foreign keyed into the "userId" field How do i integrate asp.net_users table into my schema? here are the ideas i thought of: Add a membership_id field to my users table and on new inserts, include that new field in my users table. This seems like the cleanest way as i dont need to break any existing relationships. break all existing relationship and move all of the fields in my user table into the asp.net_users table. This seems like a pain but ultimately will lead to the most simple, normalized solution any thoughts?


  • trying to set a dropdown in MVC

    - by RJ
    I almost have this solved but need a little push. Here's what I have: In the database I have a field called active that is a bit field (True/False). I have placed a dropdownlist on the View form like this:

        <%= Html.DropDownList("lstActive", new SelectList((IEnumerable)ViewData["ActiveList"])) %>

    In my controller, I simply have this code to generate the True/False in the dropdown:

        List<string> activeList = new List<string>();
        activeList.Add("True");
        activeList.Add("False");
        ViewData["ActiveList"] = new SelectList(activeList);

    I want to bind to the field in the database called active and select it in the dropdown. When I view it like this I get this: So the questions are these: Obviously I am not pointing to the Value and Text property but what is that in this case? And how do I select the value that is in the database? Any help would be appreciated.


  • Importing CSV with line breaks in Excel 2007

    - by ph0enix
    I'm working on a feature to export search results to a CSV file to be opened in Excel. One of the fields is a free-text field, which may contain line breaks, commas, quotations, etc. In order to counteract this, I have wrapped the field in double quotes ("). However, when I import the data into Excel 2007, set the appropriate delimiter, and set the text qualifier to double quote, the line breaks are still creating new records at the line breaks, where I would expect to see the entire text field in a single cell. I've also tried replacing CR/LF (\r\n) with just CR (\r), and again with just LF (\n), but no luck. Has anyone else encountered this behavior, and if so, how did you fix it? TIA, -J


  • How to get last 12 digits from a string in MySQL?

    - by Nick Gorbikoff
    Hello. How would I get last 12 digits of a string using mysql? Let's say I have a varchar field with a tracking number, that may be anywhere from 5 to 20 varchars long. But I only need to select last 12 digits or less if there are less. so in a field = 12345678123456789012 I would only need to get what's in brackets field = 12345678[123456789012] I saw a few examples using mid, etc, but they dont' produce the desired result or I can't find an example that makes sense :-( Thank you.


  • jquery text area length count?

    - by Nimesh
    Hi All, I have a text area field where i need to provide information about the word count when the user enters some text in the field. Length of the field is supposed to be 500 Characters. Initialy it must show min characters:100 | 0 of 500 // 0 of 500 must be in red color and once the user enters come character need to update the count as well. Once the user reaches the count say the min character 100, i need to display min characters:100 | 100 of 500 // 100 of 500 must be in green color. How can i do this?? is there any plugin for the same??? let me know your thoughts on this.


  • Javascript Autocomplete Text

    - by WPS
    Hi All, I need to implement an autocomplete text field using JavaScript and JSF. When the user types some character in a text field, I need to make an AJAX request and get the values based on the values entered. I've an input text field, on "keyup" I'm triggering a function which submits the value to the server side.

        var timeoutid = 0;

        function intitiateTypeAhead() {
            clearTimeout(timeoutid);
            if (document.getElementById("inputText").value.length >= 2) {
                timeoutid = setTimeout('clickButton', 500);
            }
            return false;
        }

        function clickButton() {
            //submits the value to the server
        }

        <h:inputText id="inputText" onkeyup="intitiateTypeAhead()"></h:inputText>

    This works properly, but certain times the request is made for each character entered by the user. I'm not sure if there is anything wrong with the implementation. Can someone please help me to fix this?


  • sql unite fields to one result

    - by none
    I know this is a "not built in" or "the way dba thinks" but a programmer approach. How could one request from 3 fields to get the one that is not null, into a result field? Let's say we have a table with f1,f2,f3,f4,f5. Let's say f2,f3,f4 are the same type. Let's say the content of the table is tuples of (key1,null,null,value1,value2) (key2,null,value3,value4,value5) (key3,null,null,null,value6). Now if we return the first tuple then we get (key1) we get (key1,value1,value2), if we ask for key2 we get (key1,value3,value5), if we ask for key3 we get (key1,null,value6). How is it possible to get the fields in the priority of: if you have a value in f2, then it's set into the returned field; only then, if we have a value in f3, then it's set into the middle returned field; only then, if we have a value in f4, then it's set into the middle returned field? The main goal is to get the result into a single field and prevent the overhead work needed at the result end.


  • MySQL query with 2 COUNT() of other tables with where conditions

    - by Isern Palaus
    Hello, I've a table called sports that contains a list of sports, another called seasons that contains the seasons for a specific sport, and competitions that has the competitions of a specific sport and season. I need one MySQL query to print the list of sports with how many seasons and competitions each has. My table structure:

    sports

        +-------------+------------------+------+-----+---------+----------------+
        | Field       | Type             | Null | Key | Default | Extra          |
        +-------------+------------------+------+-----+---------+----------------+
        | id          | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
        | name        | varchar(32)      | NO   |     | NULL    |                |
        | slug        | varchar(45)      | NO   |     | NULL    |                |
        | description | varchar(128)     | NO   |     | NULL    |                |
        +-------------+------------------+------+-----+---------+----------------+

    seasons

        +-------------+------------------+------+-----+---------+----------------+
        | Field       | Type             | Null | Key | Default | Extra          |
        +-------------+------------------+------+-----+---------+----------------+
        | id          | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
        | id_sport    | int(10) unsigned | NO   | MUL | NULL    |                |
        | name        | varchar(32)      | NO   |     | NULL    |                |
        | slug        | varchar(32)      | NO   |     | NULL    |                |
        +-------------+------------------+------+-----+---------+----------------+

    competitions

        +-------------+------------------+------+-----+---------+----------------+
        | Field       | Type             | Null | Key | Default | Extra          |
        +-------------+------------------+------+-----+---------+----------------+
        | id          | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
        | id_season   | int(10) unsigned | NO   | MUL | NULL    |                |
        | name        | varchar(32)      | NO   |     | NULL    |                |
        | slug        | varchar(64)      | NO   |     | NULL    |                |
        | description | varchar(128)     | YES  |     | NULL    |                |
        +-------------+------------------+------+-----+---------+----------------+

    The result of my query needs to contain: sports.*, total_seasons (SUM of seasons where seasons.id_sport=sports.id) and total_competitions (SUM of competitions where competitions.id_season=seasons.id AND seasons.id_sport=sports.id). Thank you in advance!


  • inheritance from the django user model results in error when changing password

    - by Jerome
    I inherited from the django user model like so:

        from django.db import models
        from django.contrib.auth.models import User, UserManager
        from django.utils.translation import ugettext_lazy as _

        class NewUserModel(User):
            custom_field_1 = models.CharField(_('custom field 1'), max_length=250, null=True, blank=True)
            custom_field_2 = models.CharField(_('custom field 2'), max_length=250, null=True, blank=True)
            objects = UserManager()

    When I go to the admin and add an entry into this model, it saves fine, but below the "Password" field where it has this text "Use '[algo]$[salt]$[hexdigest]' or use the change password form.", if I click on the "change password form" link, it produces this error:

        Truncated incorrect DOUBLE value: '7/password'

    What can I do to fix this?


  • Get data from Joomla jos_users table

    - by RobertR
    Hello, world! I'm trying to build a little bit advanced users system using Joomla, but I got stuck at one spot. I added a new field on Joomla's jos_users table, but when I wanted to get that field out, like "echo", it didn't work at all. Any other data, even the password field, I can get without problems. Of course, I added the new value in /var/www/<project>/libraries/joomla/user/user.php like this after line 40:

        /**
         * The users address name
         * @var string
         */
        var $address = null;

    What might be the problem here? Or what did I do wrong, or what didn't I do at all? Thanks for replies! Cheerio


  • Hex characters in varchar() is actually ascii. Need to decode it.

    - by csauve
    This is such an edge-case of a question, I'd be surprised if there is an easy way to do this. I have a MS SQL DB with a field of type varchar(255). It contains a hex string which is actually a Guid when you decode it using an ascii decoder. I know that sounds REALLY weird but here's an example: The contents of the field: "38353334373838622D393030302D343732392D383436622D383161336634396339663931" What it actually represents: "8534788b-9000-4729-846b-81a3f49c9f91" I need a way to decode this, and just change the contents of the field to the actual guid it represents. I need to do this in T-SQL, I cannot use .Net (which if I could, that is remarkably simple).


  • Best way of invoking getter by reflection

    - by Javi
    Hello, I need to get the value of a field with a specific annotation, So with reflection I am able to get this Field Object. The problem is that this field will be always private though I know in advance it will always have a getter method. I know that I can use setAccesible(true) and get its value (when there is no PermissionManager), though I prefer to invoke its getter method. I know that I could look for the method by looking for "get+fieldName" (though I know for example for boolean fields are sometimes named as "is+fieldName"). I wonder if there is a better way to invoke this getter (many frameworks use getters/setters to access the attributes so maybe they do in another way). Thanks


  • problem in jdbc preparestatement

    - by akshay
    I am getting an error when I try to use the following, why is it so?

        ResultSet findByUsername(String tablename,String field,String value) {
            pStmt = cn.prepareStatement("SELECT * FROM" + tablename +" WHERE ? = ? ");
            pStmt.setString(1, tablename);
            pStmt.setString(2,field);
            pStmt.setString(3,value);
            return(pStmt.executeQuery());
        }

    Also I tried the following, but it's not working either:

        ResultSet findByUsername(String tablename,String field,String value) {
            String sqlQueryString = " SELECT * FROM " + tablename +" WHERE " + filed + "= ? ")
            cn.prepareStatement(sqlQuery);
            pStmt.setString(1, value);
            return(pStmt.executeQuery());
        }


  • Lucene boost: I need to make it work better

    - by zvikico
    I'm using Lucene to index components with names and types. Some components are more important, thus, get a bigger boost. However, I cannot get my boost to work properly. I sill get some components appear later (get worse score), even though they have a higher boost. Note that the indexing is done on one field only and I've set the boost to that field alone. I'm using Lucene in Java. I don't think it has anything to do with the field length. I've seen components with the same name (but different type) get the wrong score.


  • How to query one table and add rows to another using that first query? MySQL

    - by Nickelbids
    Hello, I have some users setup in a MySQL table with different variables. I am trying to figure out what would be the best way to do this. Basically I want to award all of my registered and active users with bids which are stored in another table. So for the Table "users" I have ran this query: SELECT * FROM users WHERE active = 1 AND admin = 0 ORDER BY users.id ASC Which will show all active users who are not administrators. Now I would like to give each one of these users which are identified by the "ID" field in another table. So in the "bids" table I would need to add a new row for each one of those users with all of the same values except for the "user_id" field which will basically match the "id" field of the table "users" What would be the best approach for this. There are approximately 6,000+ users coming up in the first query. Please be gentle as I am not a programmer. Just need some friendly advice.


  • Operations in table data with javascript

    - by Zangrandi
    I'm working with rails and I don't know javascript. I have a table with a select_tag field and I want to have another field that capture the option selected, multiply for the price captured in another field and display the total. Like this <table> <tr> <td>(select_tag)</td> <td>price</td> <td>total</td> </tr> </table


  • How do I deal with drupal hook_views_tables?

    - by wamp
    For the title field,I want to return node.title,but what I tried is not working: return array('og' => array('name' => 'og', 'join' => array('left' => array('table' => 'node', 'field' => 'nid' ), 'right' => array('field' => 'nid' ), ), 'fields' => array( 'title' => array('name' => t('OG: Group: Group name'), 'table' => 'node', 'handler' => 'og_handler_field_title', 'help' => t('show group name.'), 'sortable' => true, 'sort_handler' => 'views_og_query_ogname', 'notafield' => false, ),


  • Order mysql results without identifier

    - by Alex Crooks
    Usually I would have a table field called ID on auto increment. That way I could order using this field etc. However I have no control over the structure of a table, and wondered how to get the results in reverse order to default. I'm currently using $q = mysql_query("SELECT * FROM ServerChat LIMIT 15"); However like I said there is no field I can order on, so is there a way to tell mysql to reverse the order it gets the results? I.e last row to first row instead of the default.


  • IE7 and IE8 change event not being thrown for text input

    - by Sam
    I have a form that I auto focus at startup of the page with jquery. I also have change event handlers in place for whenever an input changes. If I change the value of the first field that was autofocused, and then move to the next field, the change event handler doesn't fire. If I remove the autofocusing, and just focus manually, then change it then move to the next field, the change event does fire. This only happens on IE. It works fine on firefox and chrome. Anyone experience this before?


  • how to integrate my users database table with the aspnet_users table that comes with asp.net members

    - by ooo
    i have a database that already has a users table COLUMNS: userID - int loginName - string First - string Last - string i just installed the asp.net membership table. Right now all of my tables are joined into my users table foreign keyed into the "userId" field How do i integrate asp.net_users table into my schema? here are the ideas i thought of: Add a membership_id field to my users table and on new inserts, include that new field in my users table. This seems like the cleanest way as i dont need to break any existing relationships. break all existing relationship and move all of the fields in my user table into the asp.net_users table. This seems like a pain but ultimately will lead to the most simple, normalized solution any thoughts?


  • django: how to use many-to-many relationships in values()?

    - by john
    I need to group results by a field that requires a few joins from the original model:

        # response_filter_args is created dynamically
        # django doesn't like the values() call
        responses = Response.objects.filter(**response_filter_args) \
            .values('customer__tags__tag') \
            .annotate(average_score=Avg('rating__score'))

    Response - customer - tags (many-to-many field pointing to Tag) - tag (the tag as a string)

    Models are:

        class Response(models.Model):
            customer = models.ForeignKey(Customer)
            ...

        class Customer(models.Model):
            tags = models.ManyToManyField(Tag)
            ...

        class Tag(models.Model):
            tag = models.CharField(max_length=255)
            ...

    I'm trying to calculate average ratings. To make it work I need to tell django to group by 'tag', but it refuses to. It gives an error:

        Invalid field name: 'customer__tags__tag'

    Anyone know how I can get it to group by tag? I've tried all the combinations of underscores in customer_tags_tag that I can think of, but nothing works.


  • Android TextWatcher for more than one EditText

    - by Creative MITian
    I want to implement the TextWatcher interface for more than one EditText field. Currently I am using:

        text1.addTextChangedListener(this);
        text2.addTextChangedListener(this);

    then overriding the methods in my Activity:

        public void afterTextChanged(Editable s) {}

        public void beforeTextChanged(CharSequence s, int start, int count, int after) {}

        public void onTextChanged(CharSequence s, int start, int before, int count) {
            // do some operation on text of text1 field
            // do some operation on text of text2 field
        }

    However this is working fine but I'm looking for other ways so that I can explicitly identify in which EditText field the SoftKeyboard is currently focused.


  • VBA WinHTTPRequest and submitting forms

    - by Hazerider
    Hi. I spent all day yesterday trying to figure out how to submit a form using WinHTTPRequest. I can do it pretty easily with an InternetExplorer object, but the problem is that I need to save a PDF file that gets returned, and I am not sure how to do this with the IE object. Here is the relevant HTML code snippet: <div class="loginHome-left"> <fieldset> <h3>Log in Using</h3> <form> <label for="standardLogin" accesskey="s"> <input name="useLogin" id="standardLogin" value="standard" type="radio" checked="true">Standard Login</label> &nbsp; <label for="rsaSecurID" accesskey="r"> <input name="useLogin" value="rsaSecur" type="radio" id="rsaSecurID" onclick="redirectLogin('ct_logon_securid');return false;">RSA SecurID</label> &nbsp; <label for="employeeNTXP" accesskey="e"> <input name="useLogin" id="employeeNTXP" value="employee" type="radio" onclick="redirectLogin('ct_logon_external_nt');return false; "> Employee Windows Login<br></label> </form> <br> <div class="error">Error: ...</div><br> <form onSubmit="if(validate(this)) {formSubmit();} return false;" name="passwdForm" method="post" action="/UAB/ct_logon"> <input value="custom" name="pageId" type="hidden"> <input value="custom" name="auth_mode" type="hidden"> <input value="/UAB/ct_logon" name="ct_orig_uri" type="hidden"> <INPUT VALUE="" NAME="orig_url" TYPE="hidden"> <input value="" name="lpSp" type="hidden"> <label for="user"> <strong>Username</strong> </label> <input autocomplete="off" name="user" type="text" value="" class="txtFld" onkeypress="return handleEnter(this, event);"> <br> <label for="EnterPassword"> <strong>Password</strong>&nbsp;&nbsp;(<a tabindex="-1" href="/UAB/BCResetWithSecrets">Forgot Your Password?</a>) </label> <input autocomplete="off" name="password" type="password" class="txtFld" onkeypress="return handleEnter(this, event);"> <INPUT id="rememberLogin" name="lpCookie" type="checkbox"> <label for="rememberLogin">Remember My Login Information</label><br> </form> <div class="right"> <br> 
<input type="image" src="/BC_S/images/bclogin/btn_login.gif" name="" value="Submit" onClick="if(validate(document.forms['passwdForm'])){formSubmit();}return false;"> </div> <div class="clearfix"></div> </fieldset> </div> In order to log in through InternetExplorer, I do the following: Sub TestLogin() Dim ie As InternetExplorer, doc As HTMLDocument, form As HTMLFormElement, inp As Variant Set ie = New InternetExplorer ie.Visible = True ie.navigate "https://URL of the login page" Do Until ie.readyState = READYSTATE_COMPLETE Loop Set doc = ie.document For Each form In doc.forms If InStr(form.innerText, "Password") <> 0 Then form.elements("user").Value = "my_name" form.elements("password").Value = "my_password" Exit For Else End If Next 'This is the unnamed input with an image that is used to submit the form' doc.all(78).Click ie.navigate "https://url of the PDF" Do Until ie.readyState = READYSTATE_COMPLETE Loop Dim filename As String, filenum As Integer filename = "somefile.pdf" filenum = FreeFile Open filename For Binary Access Write As #filenum Write #filenum, doc.DocumentElement.innerText Close #filenum ie.Quit Debug.Print Set ie = Nothing End Sub What I really would like to do is something along the lines of the following: Sub TestLogin3() Dim whr As New WinHttpRequest, postData As String whr.Open "POST", "https://live.barcap.com/UAB/ct_logon", False whr.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" whr.setRequestHeader "Connection", "Keep-Alive" whr.Send whr.WaitForResponse postData = "user=paschom1&password=change01" 'Or the following?' postData = "user=paschom1&password=change01&orig_url=&pageId=custom&auth_mode=custom&ct_orig_uri=/BC/dispatcher&lpSp=&lpCookie=off" whr.Send postData whr.WaitForResponse Debug.Print whr.responseText End Sub It just refuses to work though. Not sure if I need to use more setRequestHeader with Content-Form or something similar, and if I do, not sure what exactly I am supposed to pass it. 
If anyone has any advice regarding this, it would be hugely appreciated. I could probably use a perl module to do it, but I would rather keep it all in VBA if possible. Thanks, Marc.


  • Model binding nested collections in ASP.NET MVC

    - by MartinHN
    Hi I'm using Steve Sanderson's BeginCollectionItem helper with ASP.NET MVC 2 to model bind a collection if items. That works fine, as long as the Model of the collection items does not contain another collection. I have a model like this: -Product --Variants ---IncludedAttributes Whenever I render and model bind the Variants collection, it works jusst fine. But with the IncludedAttributes collection, I cannot use the BeginCollectionItem helper because the id and names value won't honor the id and names value that was produced for it's parent Variant: <div class="variant"> <input type="hidden" value="bbd4fdd4-fa22-49f9-8a5e-3ff7e2942126" autocomplete="off" name="Variants.index"> <input type="hidden" value="0" name="Variants[bbd4fdd4-fa22-49f9-8a5e-3ff7e2942126].SlotAmount" id="Variants_bbd4fdd4-fa22-49f9-8a5e-3ff7e2942126__SlotAmount"> <table class="included-attributes"> <input type="hidden" value="0" name="Variants.IncludedAttributes[c5989db5-b1e1-485b-b09d-a9e50dd1d2cb].Id" id="Variants_IncludedAttributes_c5989db5-b1e1-485b-b09d-a9e50dd1d2cb__Id" class="attribute-id"> <tr> <td> <input type="hidden" value="0" name="Variants.IncludedAttributes[c5989db5-b1e1-485b-b09d-a9e50dd1d2cb].Id" id="Variants_IncludedAttributes_c5989db5-b1e1-485b-b09d-a9e50dd1d2cb__Id" class="attribute-id"> </td> </tr> </table> </div> If you look at the name of the first hidden field inside the table, it is Variants.IncludedAttributes - where it should have been Variants[bbd4fdd4-fa22-49f9-8a5e-3ff7e2942126].IncludedAttributes[...]... That is because when I call BeginCollectionItem the second time (On the IncludedAttributes collection) there's given no information about the item index value of it's parent Variant. 
My code for rendering a Variant looks like this: <div class="product-variant round-content-box grid_6" data-id="<%: Model.AttributeType.Id %>"> <h2><%: Model.AttributeType.AttributeTypeName %></h2> <div class="box-content"> <% using (Html.BeginCollectionItem("Variants")) { %> <div class="slot-amount"> <label class="inline" for="slotAmountSelectList"><%: Text.amountOfThisVariant %>:</label> <select id="slotAmountSelectList"><option value="1">1</option><option value="2">2</option></select> </div> <div class="add-values"> <label class="inline" for="txtProductAttributeSearch"><%: Text.addVariantItems %>:</label> <input type="text" id="txtProductAttributeSearch" class="product-attribute-search" /><span><%: Text.or %> <a class="select-from-list-link" href="#select-from-list" data-id="<%: Model.AttributeType.Id %>"><%: Text.selectFromList.ToLowerInvariant() %></a></span> <div class="clear"></div> </div> <%: Html.HiddenFor(m=>m.SlotAmount) %> <div class="included-attributes"> <table> <thead> <tr> <th><%: Text.name %></th> <th style="width: 80px;"><%: Text.price %></th> <th><%: Text.shipping %></th> <th style="width: 90px;"><%: Text.image %></th> </tr> </thead> <tbody> <% for (int i = 0; i < Model.IncludedAttributes.Count; i++) { %> <tr><%: Html.EditorFor(m => m.IncludedAttributes[i]) %></tr> <% } %> </tbody> </table> </div> <% } %> </div> </div> And the code for rendering an IncludedAttribute: <% using (Html.BeginCollectionItem("Variants.IncludedAttributes")) { %> <td> <%: Model.AttributeName %> <%: Html.HiddenFor(m => m.Id, new { @class = "attribute-id" })%> <%: Html.HiddenFor(m => m.ProductAttributeTypeId) %> </td> <td><%: Model.Price.ToCurrencyString() %></td> <td><%: Html.DropDownListFor(m => m.RequiredShippingTypeId, AppData.GetShippingTypesSelectListItems(Model.RequiredShippingTypeId)) %></td> <td><%: Model.ImageId %></td> <% } %>


  • Anti-Forgery Request Helpers for ASP.NET MVC and jQuery AJAX

    - by Dixin
    Background

    To secure websites from cross-site request forgery (CSRF, or XSRF) attacks, ASP.NET MVC provides an excellent mechanism: the server prints tokens to a cookie and inside the form; when the form is submitted to the server, the token in the cookie and the token inside the form are both sent in the HTTP request; the server validates the tokens.

    To print tokens to the browser, just invoke HtmlHelper.AntiForgeryToken():

        <% using (Html.BeginForm()) { %>
            <%: this.Html.AntiForgeryToken(Constants.AntiForgeryTokenSalt)%>
            <%-- Other fields. --%>
            <input type="submit" value="Submit" />
        <% } %>

    This invocation generates a token, then writes it inside the form:

        <form action="..." method="post">
            <input name="__RequestVerificationToken" type="hidden" value="J56khgCvbE3bVcsCSZkNVuH9Cclm9SSIT/ywruFsXEgmV8CL2eW5C/gGsQUf/YuP" />
            <!-- Other fields. -->
            <input type="submit" value="Submit" />
        </form>

    and also writes it into the cookie:

        __RequestVerificationToken_Lw__= J56khgCvbE3bVcsCSZkNVuH9Cclm9SSIT/ywruFsXEgmV8CL2eW5C/gGsQUf/YuP

    When the above form is submitted, they are both sent to the server. On the server side, the [ValidateAntiForgeryToken] attribute is used to specify the controllers or actions that validate them:

        [HttpPost]
        [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)]
        public ActionResult Action(/* ... */)
        {
            // ...
        }

    This is very productive for form scenarios. But recently, when resolving security vulnerabilities for Web products, some problems were encountered.

    Specify validation on controller (not on each action)

    The server side problem is that [ValidateAntiForgeryToken] is expected to be declared on the controller, but it actually has to be declared on each POST action. Because there are usually many more POST actions than controllers, this is a little crazy.

    Problem

    Usually a controller contains actions for HTTP GET and actions for HTTP POST requests, and usually validations are expected for HTTP POST requests. So, if [ValidateAntiForgeryToken] is declared on the controller, the HTTP GET requests become invalid:

        [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)]
        public class SomeController : Controller // One [ValidateAntiForgeryToken] attribute.
        {
            [HttpGet]
            public ActionResult Index() // Index() cannot work.
            {
                // ...
            }

            [HttpPost]
            public ActionResult PostAction1(/* ... */)
            {
                // ...
            }

            [HttpPost]
            public ActionResult PostAction2(/* ... */)
            {
                // ...
            }

            // ...
        }

    If the browser sends an HTTP GET request by clicking a link: http://Site/Some/Index, validation definitely fails, because no token is provided. So the result is that the [ValidateAntiForgeryToken] attribute must be distributed to each POST action:

        public class SomeController : Controller // Many [ValidateAntiForgeryToken] attributes.
        {
            [HttpGet]
            public ActionResult Index() // Works.
            {
                // ...
            }

            [HttpPost]
            [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)]
            public ActionResult PostAction1(/* ... */)
            {
                // ...
            }

            [HttpPost]
            [ValidateAntiForgeryToken(Salt = Constants.AntiForgeryTokenSalt)]
            public ActionResult PostAction2(/* ... */)
            {
                // ...
            }

            // ...
        }

    This is a little bit crazy, because one application can have a lot of POST actions.

    Solution

    To avoid a large number of [ValidateAntiForgeryToken] attributes (one for each POST action), the following ValidateAntiForgeryTokenAttribute wrapper class can be helpful, where HTTP verbs can be specified:

        using System;
        using System.Linq;
        using System.Web.Mvc;

        [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
        public class ValidateAntiForgeryTokenWrapperAttribute : FilterAttribute, IAuthorizationFilter
        {
            private readonly ValidateAntiForgeryTokenAttribute _validator;

            private readonly AcceptVerbsAttribute _verbs;

            public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
                : this(verbs, null)
            {
            }

            public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs, string salt)
            {
                this._verbs = new AcceptVerbsAttribute(verbs);
                this._validator = new ValidateAntiForgeryTokenAttribute()
                    {
                        Salt = salt
                    };
            }

            public void OnAuthorization(AuthorizationContext filterContext)
            {
                // GetHttpMethodOverride() returns the effective verb: for a POST it can be
                // replaced by an X-HTTP-Method-Override value, so the verbs passed to this
                // attribute should cover every state-changing verb the controller accepts.
                string httpMethodOverride = filterContext.HttpContext.Request.GetHttpMethodOverride();
                if (this._verbs.Verbs.Contains(httpMethodOverride, StringComparer.OrdinalIgnoreCase))
                {
                    // Only requests with one of the specified verbs are validated.
                    this._validator.OnAuthorization(filterContext);
                }
            }
        }

    When this attribute is declared on a controller, only HTTP requests with the specified verbs are validated:

        [ValidateAntiForgeryTokenWrapper(HttpVerbs.Post, Constants.AntiForgeryTokenSalt)]
        public class SomeController : Controller
        {
            // GET actions are not affected.
            // Only HTTP POST requests are validated.
        }

    Now one single attribute on the controller turns on validation for all POST actions. Maybe it would be nice if HTTP verbs could be specified on the built-in [ValidateAntiForgeryToken] attribute, which would be easy to implement.

    Submit token via AJAX

    The browser side problem is that if the server side turns on anti-forgery validation for POST, then AJAX POST requests will fail by default.

    Problem

    For AJAX scenarios, the request is sent by jQuery instead of a form:

        $.post(url, {
            productName: "Tofu",
            categoryId: 1 // Token is not posted.
        }, callback);

    This kind of AJAX POST request will always be invalid, because server side code cannot see the token in the posted data.

    Solution

    The tokens are printed to the browser, then sent back to the server. So first of all, HtmlHelper.AntiForgeryToken() must be called somewhere. Now the browser has the token in HTML and in the cookie. Then jQuery must find the printed token in the HTML, and append the token to the data before sending:

        $.post(url, {
            productName: "Tofu",
            categoryId: 1,
            __RequestVerificationToken: getToken() // Token is posted.
        }, callback);

    To be reusable, this can be encapsulated into a tiny jQuery plugin:

        /// <reference path="jquery-1.4.2.js" />

        (function ($) {
            $.getAntiForgeryToken = function (tokenWindow, appPath) {
                // HtmlHelper.AntiForgeryToken() must be invoked to print the token.
                tokenWindow = tokenWindow && typeof tokenWindow === typeof window ? tokenWindow : window;

                appPath = appPath && typeof appPath === "string" ? "_" + appPath.toString() : "";
                // The name attribute is either __RequestVerificationToken,
                // or __RequestVerificationToken_{appPath}.
                var tokenName = "__RequestVerificationToken" + appPath;

                // Finds the <input type="hidden" name={tokenName} value="..." /> in the specified window.
                // var inputElements = $("input[type='hidden'][name='__RequestVerificationToken" + appPath + "']");
                var inputElements = tokenWindow.document.getElementsByTagName("input");
                for (var i = 0; i < inputElements.length; i++) {
                    var inputElement = inputElements[i];
                    if (inputElement.type === "hidden" && inputElement.name === tokenName) {
                        return {
                            name: tokenName,
                            value: inputElement.value
                        };
                    }
                }
                return null;
            };

            $.appendAntiForgeryToken = function (data, token) {
                // Converts data if not already a string.
                if (data && typeof data !== "string") {
                    data = $.param(data);
                }

                // Gets token from current window by default.
                token = token ? token : $.getAntiForgeryToken(); // $.getAntiForgeryToken(window).

                data = data ? data + "&" : "";
                // If token exists, appends {token.name}={token.value} to data.
                return token ? data + encodeURIComponent(token.name) + "=" + encodeURIComponent(token.value) : data;
            };

            // Wraps $.post(url, data, callback, type).
            $.postAntiForgery = function (url, data, callback, type) {
                return $.post(url, $.appendAntiForgeryToken(data), callback, type);
            };

            // Wraps $.ajax(settings).
            $.ajaxAntiForgery = function (settings) {
                settings.data = $.appendAntiForgeryToken(settings.data);
                return $.ajax(settings);
            };
        })(jQuery);

    In most scenarios, it is OK to just replace the $.post() invocation with $.postAntiForgery(), and replace $.ajax() with $.ajaxAntiForgery():

        $.postAntiForgery(url, {
            productName: "Tofu",
            categoryId: 1
        }, callback); // Token is posted.

    There might be some scenarios with a custom token. Here $.appendAntiForgeryToken() is provided:

        data = $.appendAntiForgeryToken(data, token);
        // Token is already in data. No need to invoke $.postAntiForgery().
        $.post(url, data, callback);

    And there are scenarios where the token is not in the current window. For example, an HTTP POST request can be sent by an iframe, while the token is in the parent window. Here the window can be specified for $.getAntiForgeryToken():

        data = $.appendAntiForgeryToken(data, $.getAntiForgeryToken(window.parent));
        // Token is already in data. No need to invoke $.postAntiForgery().
        $.post(url, data, callback);

    If you have a better solution, please do tell me.

