Search Results

Search found 59561 results on 2383 pages for 'asp net ajax toolbox'.

Page 27/2383

  • jquery $.ajax to php problem

    - by Pouya
    Hi. I have two problems with jQuery $.ajax. The first problem is that I have a PHP file named action.php, and here is the code:

        if($_GET['action']=='add'){
            //rest of the code here
        }

    And I use the jQuery $.ajax function to call that when the form fills:

        $.ajax({type:"POST", url:"action.php?action=add", data:$("#form").serialize(), cache:false, timeout:10000});

    This works, but I wanted to know: is there any way to send the action=add code with the data and not in the URL? The second problem that I have is that I have a link:

        <a href="#" onclick="delete(4);">delete row from mysql where id is 4</a>

    and a jQuery function:

        function deleteUser(id){
            $.ajax({type:"POST", url:"action.php?action=delete", data:"id="+id, cache:false, timeout:10000});
        }

    and of course the action.php code:

        if($_GET['action']=='deletestudent'){
            mysql_query("DELETE FROM `students` WHERE `student_id` = {$_POST['id']}");
        }

    but it doesn't work. What should I do?

    Read the article

  • Creating an AJAX Searchable Database.

    - by Austin
    Currently I am using MySQLi to parse a CSV file into a database; that step has been accomplished. However, my next step would be to make this database searchable and automatically updated via jQuery.ajax(). Some people suggest that I print out the database in another page and access it externally. I'm quite new to jQuery + AJAX, so if anyone could point me in the right direction that would be greatly appreciated. I understand that the documentation on AJAX should be enough to tell me what I'm looking for, but it appears to talk only about retrieving data from an external file; what about from a MySQL database? The code so far stands:

        <head>
        <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>
        </head>
        <body>
        <input type="text" id="search" name="search" />
        <input type="submit" value="submit">
        <?php
        show_source(__FILE__);
        error_reporting(E_ALL);
        ini_set('display_errors', '1');
        $category = NULL;
        $mc = new Memcache;
        $mc->addServer('localhost','11211');
        $sql = new mysqli('localhost', 'user', 'pword', 'db');
        $cache = $mc->get("updated_DB");
        $query = 'SELECT cat,name,web,kw FROM infoDB WHERE cat LIKE ? OR name LIKE ? OR web LIKE ? OR kw LIKE ?';
        $results = $sql->prepare($query);
        $results->bind_param('ssss', $query, $query, $query, $query);
        $results->execute();
        $results->store_result();
        ?>
        </body>
        </html>

    Read the article

  • AJAX event, prevents other page actions

    - by cobaltduck
    Here's a fairly average scenario, using JSF as an example, but this same concept I have observed in ASP.NET, Apache Wicket, and other frameworks with AJAX capabilities.

        <h:inputText id="text1" value="#{myBacker.myBean.myStringVar}" styleClass="goodCSS">
            <f:ajax event="change" listener="#{myBacker.text1ChangeEventMethod}" update="someOtherField" />
        </h:inputText>
        <h:selectBooleanCheckbox id="check1" value="#{myBacker.myBean.myBoolVar}" />

    Let's suppose that the 'text1ChangeEventListener' is essential to 'someOtherField' and perhaps toggles its disabled attribute, or changes its available options, based on the value of 'myStringVar.' The particulars aren't important; let's just accept that for some reason we need an AJAX call when the 'text1' value is changed. So Jane User is working her way down the form. She arrives at the 'text1' field and types some value. The cursor focus is still in the text field as she moves her mouse to the 'check1' box and clicks. It appears to her that nothing has happened. She clicks again, and this time the checkbox highlights and the icon indicating a selection appears in the box. Jane has to do several entries in the form today, sees this happen every time, and it becomes very frustrating for her. Likewise, Jeff Admin is also perusing this form, and begins to type in 'text1.' He then realizes he doesn't really want to enter this data, and so moves his mouse to the "cancel" button elsewhere on the page, and clicks. Nothing seems to happen. Jeff clicks again, and after confirming he really does want to cancel, is returned to the home page. Jeff scratches his head. The problem is simply that the first thing the system does after 'text1' loses focus is run the listener and perform the AJAX operation. It may only take a fraction of a second, but still, you can click other buttons all you want, but until that AJAX has finished, everything else is ignored.
    I've spent the morning searching and reading, and it seems no one else has even noticed this. I could find not one article, blog, past question here or at SO, or anything that addresses this obvious and glaring deficiency in AJAX. So first of all, am I truly alone in thinking this is a big problem? Second, does anyone have a solution?

    Read the article

  • ASP.NET MVC 2, re-use of SQL connection string

    - by cc0
    Hi, so I'm very very far from an expert on MVC or ASP.NET. I just want to make a few simple Controllers in C# at the moment, so I have the following question; Right now I have the connection string used by the controller, -inside- the controller itself. Which is kind of silly when there are multiple controllers using the same string. I'd like to be able to change the connection string in just one place and have it affect all controllers. Not knowing a lot about asp.net or the 'm' and 'v' part of MVC, what would be the best (and simplest) way of going about accomplishing just this? I'd appreciate any input on this, examples would be great too.

    Read the article

  • How to cancel/abort jquery ajax request

    - by user556673
    I've an AJAX request which will happen every 5 seconds. But the problem is, before the AJAX request, if the previous request is not completed I have to abort that request and make a new request. My code is something like this; how do I resolve this issue?

        $(document).ready(function () {
            var fn = function(){
                $.ajax({
                    url: 'ajax/progress.ftl',
                    success: function(data) {
                        //do something
                    }
                });
            };
            var interval = setInterval(fn, 500);
        });

    Thank you.

    Read the article

  • Crawling an ajax based page with both a hash fragment and a meta tag

    - by Christofian
    According to google's documentation on crawling ajax based web pages, if a url contains a hash fragment, or something at the end of an url that looks like #helloworld, and if there is an ! after the #, as in #!helloworld, google will then request the url url?_escaped_fragment_=helloworld. I currently have an ajax based webpage that I want google to be able to crawl. Sometimes, the page uses hash fragments, and for those situations I set up the server so it will return an html snapshot for that page using _escaped_fragment_. However, that webpage often does not load a hash fragment, and when that happens the webpage still loads content using ajax. I couldn't find a good solution to enable ajax crawling for pages that sometimes have a hash fragment and sometimes don't. How can I tell google to use _escaped_fragment_ when there is a hash fragment, and to use something else to get an html snapshot of a page when there isn't a hash fragment?

    Read the article

  • Displaying a message in a dialog box using AJAX, jQuery, and CakePHP

    - by LainIwakura
    I have a form, and when users submit this form, it should pass the data along to a function using AJAX. Then, the result of that is displayed to the user in a dialog box. I'm using CakePHP (1.3) and jQuery to try and accomplish this, but I feel like I'm running into the ground. The form will eventually be used for uploading images with tags, but for now I just want to see a message pop up in the box. The form:

        <?php
        echo $this->Form->create('Image', array('type' => 'file', 'controller' => 'images', 'action' => 'upload', 'method' => 'post'));
        echo $this->Form->input('Wallpaper', array('type' => 'file'));
        echo $this->Form->input('Tags');
        echo $this->Form->end('Upload!');
        ?>

    The AJAX:

        $(document).ready(function() {
            $("#ImageUploadForm").submit(function() {
                $.ajax({
                    type: "POST",
                    url: "/images/upload/",
                    data: $(this).serialize(),
                    async: false,
                    success: function(html){
                        // append the response before opening the dialog
                        $("#dialog-modal").append("<p>"+html+"</p>");
                        $("#dialog-modal").dialog({
                            height: 140,
                            modal: true,
                            buttons: {
                                Ok: function() { $(this).dialog('close'); }
                            }
                        });
                    }
                });
                return false;
            });
        });

    NOTE: if I put $("#dialog-modal").dialog({ height: 140, modal: true }); OUTSIDE of the $.ajax but inside the $("#ImageUploadForm").submit(function() { and comment out the $.ajax stuff, I WILL see a dialog box pop up and then I have to click it for it to go away. After this, it will not forward to the location /images/upload/. The method that AJAX calls:

        public function upload() {
            $this->autoRender = false;
            if ($this->RequestHandler->isAjax()) {
                echo 'Hi!';
                exit();
            }
        }

    $this->RequestHandler->isAjax() seems to do either absolutely nothing, or it is always returning false. I have never entered an if statement with that as the condition. Thanks for all the help; if you need more information let me know.

    Read the article

  • Which would be a better way to load data via ajax

    - by Mike
    I am using Google Maps and returning HTML/lat/long from my MySQL database. Currently:

    1. A user picks a business category, e.g. "Video Production".
    2. An AJAX call is sent to a CodeIgniter controller.
    3. The controller then queries the DB and returns the following data via JSON: lat/long of the marker, and HTML for the popup window. This is approximately 34 rows in the database across two tables per business.
    4. The AJAX call receives this data and then plots the marker along with the HTML onto the map.

    The data that is returned from the controller is one big JSON object. This is done for all businesses that exist in the Video Production category (currently approx 40 businesses). As you can see, pulling this data for multiple categories (100s of businesses) can get very, very taxing on the server. My question is: would it be more beneficial to modify the process flow as such:

    1. A user picks a business category, e.g. "Video Production".
    2. An AJAX call is sent to a CodeIgniter controller.
    3. The controller then queries the database for the location base information: lat/long, level (used to change marker icon color). This would be a single row per business with several columns.
    4. The AJAX call receives this data and then plots the marker on the map.
    5. When the user clicks a marker, an AJAX call is sent to a CodeIgniter controller.
    6. The controller queries the database for the HTML and additional data based on business_id.

    And if not, what are some better suggestions to this problem? In summary, this means rather than including the HTML and additional data along for each business, only submitting minimal location information and then re-querying for that information when each business marker is clicked.

    Potential downsides: longer load times when a user clicks a marker icon; more code??; more queries to the database.

    Read the article

  • Configuring Multiple ASP.NET MVC Sites To Use a Single Database For Authentication/Membership

    - by Maxim Z.
    Is it possible for two or more ASP.NET MVC sites to use a single SQL Server database for authentication and other things? Here's how I'm thinking of setting it up: I will combine the current database of each site into one single database, prefixing the tables with the name of the site they belong to. I currently have authentication tables generated by the asp.net_regsql.exe utility. How should I combine those tables? I'm guessing that the way to do it is to somehow set the "application_id" column in those tables... Thanks in advance.

    Read the article

  • What's missing in ASP.NET MVC?

    - by LukaszW.pl
    Hello programmers, I think there are not many people who don't think that ASP.NET MVC is one of the greatest technologies Microsoft gave us. It gives full control over the rendered HTML, provides separation of concerns and suits the stateless nature of the web. Next versions of the framework gave us new features and tools and it's great, but... what solutions should Microsoft include in new versions of the framework? What are the biggest gaps in comparison with other web frameworks like PHP or Ruby? What could improve developers' productivity? What's missing in ASP.NET MVC?

    Read the article

  • ASP.NET 4.5 Bundling in Debug Mode - Stale Resources

    - by RPM1984
    Is there any way we can make the ASP.NET 4.5 Bundling functionality generate GUIDs as part of the querystring when running in debug mode (e.g. bundling turned OFF)? The problem is when developing locally, the scripts/CSS files are generated like this:

        <script type="text/javascript" src="/Content/Scripts/myscript.js" />

    So if I change that file, I need to do a hard refresh (sometimes a few times) to get the file to be picked up by the browser - annoying. Is there any way we can make it render out like this:

        <script type="text/javascript" src="/Content/Scripts/myscript.js?v=x" />

    Where x is a GUID (e.g. always unique). Ideas? I'm on ASP.NET MVC 4.

    Read the article

  • What's missing in ASP.NET MVC?

    - by LukaszW.pl
    Hello stackoverflow, I think there are not many people who don't think that ASP.NET MVC is one of the greatest technologies Microsoft gave us. It gives full control over the rendered HTML, provides separation of concerns and suits the stateless nature of the web. Next versions of the framework gave us new features and tools and it's great, but... what solutions should Microsoft include in new versions of the framework? What are the biggest gaps in comparison with other web frameworks like PHP or Ruby? What could improve developers' productivity? What's missing in ASP.NET MVC?

    Read the article

  • ASP.Net MVC2 (RTM) breaks response filtering - "Filtering is not allowed"

    - by womp
    I've just done a test run of upgrading a project to ASP.NET MVC 2 (RTM) in anticipation of the full official .NET 4.0 release coming later this month. Our application is using a minimizer for our CSS and JavaScript. To do so, it is making use of the HttpResponse.Filter property to set a custom filter. With the upgrade, the setter for this property is throwing an HttpException saying "Filtering is not allowed." Looking at the HttpResponse.Filter property in Reflector shows this:

        set {
            if (!this.UsingHttpWriter) {
                throw new HttpException(SR.GetString("Filtering_not_allowed"));
            }
            ...
        }

        private bool UsingHttpWriter {
            get {
                return ((this._httpWriter != null) && (this._writer == this._httpWriter));
            }
        }

    Clearly something has changed in the way the HttpResponse is writing to the output stream in MVC 2. Does anyone know what the change is, or at least a workaround for this?

    EDIT: This seems pretty radical. Some further investigation shows that ASP.NET MVC 2 RTM is using a System.Web.Mvc.ViewPage.SwitchWriter as the Output property of an HttpResponse, whereas MVC 1 was using a plain old HttpWriter. That explains why the exception is being thrown. But that doesn't explain why they've chosen to completely break this functionality. This thread seems to indicate that this is just temporary... but this makes me pretty nervous... this is the RTM after all. Any further comments appreciated on this.

    Read the article

  • Support for nested model and class validation with ASP.NET MVC 2.0

    - by Diep-Vriezer
    I'm trying to validate a model containing other objects with validation rules using the System.ComponentModel.DataAnnotations attributes, and was hoping the default MVC implementation would suffice:

        var obj = js.Deserialize(json, objectInfo.ObjectType);
        if(!TryValidateModel(obj))
        {
            // Handle failed model validation.
        }

    The object is composed of primitive types but also contains other classes which also use DataAnnotations. Like so:

        public class Entry
        {
            [Required]
            public Person Subscriber { get; set; }
            [Required]
            public String Company { get; set; }
        }

        public class Person
        {
            public String FirstName { get; set;}
            [Required]
            public String Surname { get; set; }
        }

    The problem is that the ASP.NET MVC validation only goes down 1 level and only evaluates the properties of the top-level class, as can be read on digitallycreated.net/Blog/54/deep-inside-asp.net-mvc-2-model-metadata-and-validation. Does anyone know an elegant solution to this? I've tried xVal, but they seem to use a non-recursive pattern (http://blog.stevensanderson.com/2009/01/10/xval-a-validation-framework-for-aspnet-mvc/). Someone must have run into this problem before, right? Nesting objects in your model doesn't seem so weird if you're designing a web service.

    Read the article

  • Partial view links not working in Firefox

    - by user329540
    I have an MVC4 ASP.NET application. I have two layouts: a main layout for the main page and a second layout for the nested pages. The problem I have is with the second layout; on this layout I call a partial view which has my navigation links. In IE the navigation menu displays fine and when each item is clicked it navigates as expected. However, in FF when the page renders the navigation bar is displayed but it has no 'click functionality', if you will; it's as if it's simply text. My layout of the nested page:

        <header>
            <img src="../../Images/fronttop.png" id="nestedPageheader" alt="Background Img"/>
            <div class="content-wrapper">
                <section >
                    <nav>
                        <div id="navcontainer">
                        </div>
                    </nav>
                </section>
            <div>
        </header>

    The script to retrieve the partial view and information for dynamic links on the layout page:

        <script type="text/javascript">
            var menuLoaded = false;
            $(document).ready(function () {
                if($('#navcontainer')[0].innerHTML.trim() == "") {
                    $.ajax({
                        url: "@Url.Content("~/Home/MenuLayout")",
                        type: "GET",
                        success: function (response, status, xhr) {
                            var nvContainer = $('#navcontainer');
                            nvContainer.html(response);
                            menuLoaded = true;
                        },
                        error: function (XMLHttpRequest, textStatus, errorThrown) {
                            var nvContainer = $('#navcontainer');
                            nvContainer.html(errorThrown);
                        }
                    });
                }
            });
        </script>

    My partial view:

        @model Mscl.OpCost.Web.Models.stuffmodel
        <div class="menu">
            <ul>
                <li><a>@Html.ActionLink("Home", "Index", "Home")</a></li>
                <li><a>@Html.ActionLink("some stuff", "stuffs", "stuff")</a></li>
                <li>
                    <h5><a><span>somestuff</span></a></h5>
                    <ul>
                        <li><a>stuffs1s</a>
                            <ul>
                                @foreach (var image in Model.stuffs.Where(g => g.Grouping == 1))
                                {
                                    <li>
                                        <a>@Html.ActionLink(image.Title, "stuffs", "stuff", new { Id = image.CategoryId }, null)</a>
                                    </li>
                                }
                            </ul>
                        </li>
                    </ul>
                </il>
            </ul>
        </div>

    I need to know why this works fine in IE but why it's not working in FF (all versions). Any assistance would be appreciated.

    Read the article

  • Security Issues with Single Page Apps

    - by Stephen.Walther
    Last week, I was asked to do a code review of a Single Page App built using the ASP.NET Web API, Durandal, and Knockout (good stuff!). In particular, I was asked to investigate whether there are any special security issues associated with building a Single Page App which are not present in the case of a traditional server-side ASP.NET application. In this blog entry, I discuss two areas in which you need to exercise extra caution when building a Single Page App. I discuss how Single Page Apps are extra vulnerable to both Cross-Site Scripting (XSS) attacks and Cross-Site Request Forgery (CSRF) attacks. The goal of this blog post is NOT to persuade you to avoid writing Single Page Apps. I'm a big fan of Single Page Apps. Instead, the goal is to ensure that you are fully aware of some of the security issues related to Single Page Apps and ensure that you know how to guard against them.

    Cross-Site Scripting (XSS) Attacks

    According to WhiteHat Security, over 65% of public websites are open to XSS attacks. That's bad. By taking advantage of XSS holes in a website, a hacker can steal your credit cards, passwords, or bank account information. Any website that redisplays untrusted information is open to XSS attacks. Let me give you a simple example. Imagine that you want to display the name of the current user on a page. To do this, you create the following server-side ASP.NET page located at http://MajorBank.com/SomePage.aspx:

        <%@ Page Language="C#" %>
        <html>
        <head>
            <title>Some Page</title>
        </head>
        <body>
            Welcome <%= Request["username"] %>
        </body>
        </html>

    Nothing fancy here. Notice that the page displays the current username by using Request["username"]. Using Request["username"] displays the username regardless of whether the username is present in a cookie, a form field, or a query string variable. Unfortunately, by using Request["username"] to redisplay untrusted information, you have now opened your website to XSS attacks. Here's how.

    Imagine that an evil hacker creates the following link on another website (hackers.com):

        <a href="/SomePage.aspx?username=<script src=Evil.js></script>">Visit MajorBank</a>

    Notice that the link includes a query string variable named username and the value of the username variable is an HTML <SCRIPT> tag which points to a JavaScript file named Evil.js. When anyone clicks on the link, the <SCRIPT> tag will be injected into SomePage.aspx and the Evil.js script will be loaded and executed. What can a hacker do in the Evil.js script? Anything the hacker wants. For example, the hacker could display a popup dialog on the MajorBank.com site which asks the user to enter their password. The script could then post the password back to hackers.com and now the evil hacker has your secret password. ASP.NET Web Forms and ASP.NET MVC have two automatic safeguards against this type of attack: Request Validation and Automatic HTML Encoding.

    Protecting Coming In (Request Validation)

    In a server-side ASP.NET app, you are protected against the XSS attack described above by a feature named Request Validation. If you attempt to submit "potentially dangerous" content, such as a JavaScript <SCRIPT> tag, in a form field or query string variable then you get an exception. Unfortunately, Request Validation only applies to server-side apps. Request Validation does not help in the case of a Single Page App. In particular, the ASP.NET Web API does not pay attention to Request Validation. You can post any content you want, including <SCRIPT> tags, to an ASP.NET Web API action. For example, the following HTML page contains a form. When you submit the form, the form data is submitted to an ASP.NET Web API controller on the server using an Ajax request:

        <!DOCTYPE html>
        <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <title></title>
        </head>
        <body>
            <form data-bind="submit:submit">
                <div>
                    <label>
                        User Name:
                        <input data-bind="value:user.userName" />
                    </label>
                </div>
                <div>
                    <label>
                        Email:
                        <input data-bind="value:user.email" />
                    </label>
                </div>
                <div>
                    <input type="submit" value="Submit" />
                </div>
            </form>

            <script src="Scripts/jquery-1.7.1.js"></script>
            <script src="Scripts/knockout-2.1.0.js"></script>
            <script>
                var viewModel = {
                    user: {
                        userName: ko.observable(),
                        email: ko.observable()
                    },
                    submit: function () {
                        $.post("/api/users", ko.toJS(this.user));
                    }
                };
                ko.applyBindings(viewModel);
            </script>
        </body>
        </html>

    The form above is using Knockout to bind the form fields to a view model. When you submit the form, the view model is submitted to an ASP.NET Web API action on the server. Here's the server-side ASP.NET Web API controller and model class:

        public class UsersController : ApiController
        {
            public HttpResponseMessage Post(UserViewModel user)
            {
                var userName = user.UserName;
                return Request.CreateResponse(HttpStatusCode.OK);
            }
        }

        public class UserViewModel
        {
            public string UserName { get; set; }
            public string Email { get; set; }
        }

    If you submit the HTML form, you don't get an error. The "potentially dangerous" content is passed to the server without any exception being thrown. In the screenshot below, you can see that I was able to post a username form field with the value "<script>alert('boo')</script". So what this means is that you do not get automatic Request Validation in the case of a Single Page App. You need to be extra careful in a Single Page App about ensuring that you do not display untrusted content because you don't have the Request Validation safety net which you have in a traditional server-side ASP.NET app.

    Protecting Going Out (Automatic HTML Encoding)

    Server-side ASP.NET also protects you from XSS attacks when you render content. By default, all content rendered by the razor view engine is HTML encoded. For example, the following razor view displays the text "<b>Hello!</b>" instead of the text "Hello!" in bold:

        @{
            var message = "<b>Hello!</b>";
        }
        @message

    If you don't want to render content as HTML encoded in razor then you need to take the extra step of using the @Html.Raw() helper. In a Web Form page, if you use <%: %> instead of <%= %> then you get automatic HTML Encoding:

        <%@ Page Language="C#" %>
        <%
            var message = "<b>Hello!</b>";
        %>
        <%: message %>

    This automatic HTML Encoding will prevent many types of XSS attacks. It prevents <script> tags from being rendered and only allows &lt;script&gt; tags to be rendered, which are useless for executing JavaScript. (This automatic HTML encoding does not protect you from all forms of XSS attacks. For example, you can assign the value "javascript:alert('evil')" to the Hyperlink control's NavigateUrl property and execute the JavaScript.) The situation with Knockout is more complicated. If you use the Knockout TEXT binding then you get HTML encoded content. On the other hand, if you use the HTML binding then you do not:

        <!-- This JavaScript DOES NOT execute -->
        <div data-bind="text:someProp"></div>

        <!-- This JavaScript DOES execute -->
        <div data-bind="html:someProp"></div>

        <script src="Scripts/jquery-1.7.1.js"></script>
        <script src="Scripts/knockout-2.1.0.js"></script>
        <script>
            var viewModel = {
                someProp : "<script>alert('Evil!')<" + "/script>"
            };
            ko.applyBindings(viewModel);
        </script>

    So, in the page above, the DIV element which uses the TEXT binding is safe from XSS attacks. According to the Knockout documentation: "Since this binding sets your text value using a text node, it's safe to set any string value without risking HTML or script injection." Just like server-side HTML encoding, Knockout does not protect you from all types of XSS attacks. For example, there is nothing in Knockout which prevents you from binding JavaScript to a hyperlink like this:

        <a data-bind="attr:{href:homePageUrl}">Go</a>

        <script src="Scripts/jquery-1.7.1.min.js"></script>
        <script src="Scripts/knockout-2.1.0.js"></script>
        <script>
            var viewModel = {
                homePageUrl: "javascript:alert('evil!')"
            };
            ko.applyBindings(viewModel);
        </script>

    In the page above, the value "javascript:alert('evil')" is bound to the HREF attribute using Knockout. When you click the link, the JavaScript executes.

    Cross-Site Request Forgery (CSRF) Attacks

    Cross-Site Request Forgery (CSRF) attacks rely on the fact that a session cookie does not expire until you close your browser. In particular, if you visit and log in to MajorBank.com and then you navigate to Hackers.com, then you will still be authenticated against MajorBank.com even after you navigate to Hackers.com. Because MajorBank.com cannot tell whether a request is coming from MajorBank.com or Hackers.com, Hackers.com can submit requests to MajorBank.com pretending to be you. For example, Hackers.com can post an HTML form from Hackers.com to MajorBank.com and change your email address at MajorBank.com. Hackers.com can post a form to MajorBank.com using your authentication cookie. After your email address has been changed, by using a password reset page at MajorBank.com, a hacker can access your bank account. To prevent CSRF attacks, you need some mechanism for detecting whether a request is coming from a page loaded from your website or whether the request is coming from some other website.

    The recommended way of preventing Cross-Site Request Forgery attacks is to use the "Synchronizer Token Pattern" as described here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet When using the Synchronizer Token Pattern, you include a hidden input field which contains a random token whenever you display an HTML form. When the user opens the form, you add a cookie to the user's browser with the same random token. When the user posts the form, you verify that the hidden form token and the cookie token match.

    Preventing Cross-Site Request Forgery Attacks with ASP.NET MVC

    ASP.NET gives you a helper and an action filter which you can use to thwart Cross-Site Request Forgery attacks. For example, the following razor form for creating a product shows how you use the @Html.AntiForgeryToken() helper:

        @model MvcApplication2.Models.Product

        <h2>Create Product</h2>

        @using (Html.BeginForm()) {
            @Html.AntiForgeryToken();
            <div>
                @Html.LabelFor( p => p.Name, "Product Name:")
                @Html.TextBoxFor( p => p.Name)
            </div>
            <div>
                @Html.LabelFor( p => p.Price, "Product Price:")
                @Html.TextBoxFor( p => p.Price)
            </div>
            <input type="submit" />
        }

    The @Html.AntiForgeryToken() helper generates a random token and assigns a serialized version of the same random token to both a cookie and a hidden form field. (Actually, if you dive into the source code, AntiForgeryToken() does something a little more complex because it takes advantage of a user's identity when generating the token.) Here's what the hidden form field looks like:

        <input name="__RequestVerificationToken" type="hidden" value="NqqZGAmlDHh6fPTNR_mti3nYGUDgpIkCiJHnEEL59S7FNToyyeSo7v4AfzF2i67Cv0qTB1TgmZcqiVtgdkW2NnXgEcBc-iBts0x6WAIShtM1" />

    And here's what the cookie looks like using the Google Chrome developer toolbar: You use the [ValidateAntiForgeryToken] action filter on the controller action which is the recipient of the form post to validate that the token in the hidden form field matches the token in the cookie. If the tokens don't match then validation fails and you can't post the form:

        public ActionResult Create()
        {
            return View();
        }

        [ValidateAntiForgeryToken]
        [HttpPost]
        public ActionResult Create(Product productToCreate)
        {
            if (ModelState.IsValid)
            {
                // save product to db
                return RedirectToAction("Index");
            }
            return View();
        }

    How does this all work? Let's imagine that a hacker has copied the Create Product page from MajorBank.com to Hackers.com; the hacker grabs the HTML source and places it at Hackers.com. Now, imagine that the hacker tricks you into submitting the Create Product form from Hackers.com to MajorBank.com. You'll get the following exception: The Cross-Site Request Forgery attack is blocked because the anti-forgery token included in the Create Product form at Hackers.com won't match the anti-forgery token stored in the cookie in your browser. The tokens were generated at different times for different users, so the attack fails.

    Preventing Cross-Site Request Forgery Attacks with a Single Page App

    In a Single Page App, you can't prevent Cross-Site Request Forgery attacks using the same method as a server-side ASP.NET MVC app. In a Single Page App, HTML forms are not generated on the server. Instead, in a Single Page App, forms are loaded dynamically in the browser. Phil Haack has a blog post on this topic where he discusses passing the anti-forgery token in an Ajax header instead of a hidden form field. He also describes how you can create a custom anti-forgery token attribute to compare the token in the Ajax header and the token in the cookie. See: http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx Also, take a look at Johan's update to Phil Haack's original post: http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC (Other server frameworks such as Rails and Django do something similar. For example, Rails uses an X-CSRF-Token to prevent CSRF attacks which you generate on the server; see http://excid3.com/blog/rails-tip-2-include-csrf-token-with-every-ajax-request/#.UTFtgDDkvL8 ). For example, if you are creating a Durandal app, then you can use the following razor view for your one and only server-side page:

        @{
            Layout = null;
        }
        <!DOCTYPE html>
        <html>
        <head>
            <title>Index</title>
        </head>
        <body>
            @Html.AntiForgeryToken()
            <div id="applicationHost">
                Loading app....
            </div>
            @Scripts.Render("~/scripts/vendor")
            <script type="text/javascript" src="~/App/durandal/amd/require.js" data-main="/App/main"></script>
        </body>
        </html>

    Notice that this page includes a call to @Html.AntiForgeryToken() to generate the anti-forgery token. Then, whenever you make an Ajax request in the Durandal app, you can retrieve the anti-forgery token from the razor view and pass the token as a header:

        var csrfToken = $("input[name='__RequestVerificationToken']").val();

        $.ajax({
            headers: { __RequestVerificationToken: csrfToken },
            type: "POST",
            dataType: "json",
            contentType: 'application/json; charset=utf-8',
            url: "/api/products",
            data: JSON.stringify({ name: "Milk", price: 2.33 }),
            statusCode: {
                200: function () {
                    alert("Success!");
                }
            }
        });

    Use the following code to create an action filter which you can use to match the header and cookie tokens. (Note that HttpRequestHeaders.GetValues() throws when the header is absent, so the filter uses TryGetValues() to treat a missing header as a failed check rather than as a server error.)

        using System.Collections.Generic;
        using System.Linq;
        using System.Net.Http;
        using System.Web.Helpers;
        using System.Web.Http.Controllers;

        namespace MvcApplication2.Infrastructure
        {
            public class ValidateAjaxAntiForgeryToken : System.Web.Http.AuthorizeAttribute
            {
                protected override bool IsAuthorized(HttpActionContext actionContext)
                {
                    // read the token from the Ajax request header (null if the header is missing)
                    IEnumerable<string> headerValues;
                    var headerToken = actionContext
                        .Request
                        .Headers
                        .TryGetValues("__RequestVerificationToken", out headerValues)
                            ? headerValues.FirstOrDefault()
                            : null;

                    // read the token from the anti-forgery cookie (null if the cookie is missing)
                    var cookieToken = actionContext
                        .Request
                        .Headers
                        .GetCookies()
                        .Select(c => c[AntiForgeryConfig.CookieName])
                        .FirstOrDefault();

                    // check for missing cookie or header
                    if (cookieToken == null || headerToken == null)
                    {
                        return false;
                    }

                    // ensure that the cookie matches the header
                    try
                    {
                        AntiForgery.Validate(cookieToken.Value, headerToken);
                    }
                    catch
                    {
                        return false;
                    }

                    return base.IsAuthorized(actionContext);
                }
            }
        }

    Notice that the action filter derives from the base AuthorizeAttribute. The ValidateAjaxAntiForgeryToken only works when the user is authenticated, and it will not work for anonymous requests. Add the action filter to your ASP.NET Web API controller actions like this:

        [ValidateAjaxAntiForgeryToken]
        public HttpResponseMessage PostProduct(Product productToCreate)
        {
            // add product to db
            return Request.CreateResponse(HttpStatusCode.OK);
        }

    After you complete these steps, it won't be possible for a hacker to pretend to be you at Hackers.com and submit a form to MajorBank.com. The header token used in the Ajax request won't travel to Hackers.com. This approach works, but I am not entirely happy with it. The one thing that I don't like about this approach is that it creates a hard dependency on using razor. Your single page in your Single Page App must be generated from a server-side razor view. A better solution would be to generate the anti-forgery token in JavaScript. Unfortunately, until all browsers support a way to generate cryptographically strong random numbers, for example by supporting the window.crypto.getRandomValues() method, there is no good way to generate anti-forgery tokens in JavaScript. So, at least right now, the best solution for generating the tokens is the server-side solution with the (regrettable) dependency on razor.

    Conclusion

    The goal of this blog entry was to explore some ways in which you need to handle security differently in the case of a Single Page App than in the case of a traditional server app. In particular, I focused on how to prevent Cross-Site Scripting and Cross-Site Request Forgery attacks in the case of a Single Page App. I want to emphasize that I am not suggesting that Single Page Apps are inherently less secure than server-side apps. Whatever type of web application you build, regardless of whether it is a Single Page App, an ASP.NET MVC app, an ASP.NET Web Forms app, or a Rails app, you must constantly guard against security vulnerabilities.

  • New Location for .NET 4 GAC

    - by Ricardo Peres
    .NET 4 newcomers may have realised that the old GAC location (%WINDIR%\Assembly) does not contain .NET 4 global assembly cache assemblies. Indeed, they have moved to %WINDIR%\Microsoft.NET\Assembly. It is worth noting that this folder does not use the shell extension that the older one uses, which prevents us from directly looking at the folder's contents, which, IMO, is nice (I mean, the new behavior). The old folder continues to host pre-.NET 4 assemblies.

  • HTML input not working correctly with AJAX update panels used else where on page

    - by Sean P
I have some update panels on my page that do some async postbacks to keep some dropdownlists correctly populated. My problem is that on my page I have an HTML input that is handling some file uploads. With the AJAX on the page with async postbacks, and while I step through my code behind, the files aren't being uploaded. Using a PostBackTrigger (non-async) is not possible because of my layout. Here is my code:

    <div id="divFileInputs" runat="server">
        <input id="file1" name="fileInput" type="file" runat="server" size="50" style="width: 50em" onfocus="AddFileInput()" class="textbox" />
    </div>
    <select id="selectFileList" name="ListBox1" size="5" style="width: 50em; text-align: left;" class="textbox" />
    <input id="RemoveAttachmentButton" type="button" value="Remove" onclick="RemoveFileInput()" class="removebutton " />
    </div>

Here is my code behind:

    Protected Sub CopyAttachments(ByVal issueId As String)
        Dim files As HttpFileCollection = Request.Files
        Dim myStream As System.IO.Stream
        Dim service As New SubmitService.Service
        For i As Integer = 0 To files.Count - 1
            Dim postedFile As HttpPostedFile = files(i)
            Dim fileNameWithoutPath As String = System.IO.Path.GetFileName(postedFile.FileName)
            If fileNameWithoutPath.Length > 0 And issueId.Length > 0 Then
                Dim fileLength As Integer = postedFile.ContentLength
                ' VB array bounds are inclusive, so fileLength - 1 gives exactly fileLength bytes
                Dim fileContents(fileLength - 1) As Byte
                ' Read the file into the byte array. Send it to the web service.
                myStream = postedFile.InputStream
                myStream.Read(fileContents, 0, fileLength)
                service.ClearQuestAttachToIssue(issueId, fileNameWithoutPath, fileContents)
            End If
        Next
        service = Nothing
    End Sub

When I put a breakpoint in at the declaration of service and then check the value of "files", the count is 0. I am expecting it to be 2 when I have one file uploaded. Anyone know how to fix this?

  • How to publish an ASP.NET MVC website

    - by Luke Puplett
Hello -- I've a site that I'd like to publish to a co-located live server. I'm finding this simple task quite hard. My problems begin with the Web Deploy tool (1.1) giving me a 401 Unauthorized as the administrator because port :8172 comes up in the errors and this port is blocked - but the documentation says "The default ListenURL is http://+:80/MsDeployAgentService"! I'm loath to open another port and I've little patience these days so I thought bu66er it, I'll create a Web Deploy package and import it into IIS on the server over RDP.

I notice first that Visual Studio doesn't use a dialog box to gather settings, or use my Publish profiles, but seems to use a tab in the project properties, although I think these are ignored when importing the package anyway? I'm now sitting in the import wizard with Application Path and Connection String. I've cleared the conn string as I think this is for some ASP stuff I don't use, but when I enter nothing in the Application Path, the wizard barks at me saying that basically I'm a weirdo because most people publish to folders beneath the root site. Now, I want my site to be site.com/Home/About and not site.com/subfolder/Home/About and I think, being an MVC routed site, that a subfolder will introduce other headaches. Should I go ahead and use the root? Finally, I also want to publish a web service to www.site.com/services/soap which I think IIS can handle.

While typing this question, Amazon have delivered my IIS 7 Resource Kit, and I've been scouring the internet but actually I'm getting more confused. Comment here seems to show consensus opinion that Publish isn't for production sites and that real men roll their own. http://stackoverflow.com/questions/260525/asp-net-website-publish-vs-web-deployment-project ...I guess this was pre-Web Deployment Tool era? I'm going to experiment on a spare box for now but any assistance is welcome. Luke

  • AJAX is reloading page on a SharePoint site (SharePoint 2007 AJAX-enabled)

    - by Josh
I have an AJAX-enabled SharePoint 2007 site. I have also created a user control that has an interactive AJAX form. It obviously works like a charm locally, but I am trying to get it working on the SharePoint site. The problem is that once I load up the user control onto an aspx page inside SharePoint, the form (which has AJAX) causes the page to reload every time a postback occurs. Can someone help point me in the direction of debugging this? - I really need to eliminate the page refreshes and have the AJAX work correctly in SharePoint. I read that the ScriptManager has to be in the SharePoint master page, but that did not work either... Page still reloads every time. Thanks.

  • ASP.NET VB.NET GridView adding anchor tag to a cell

    - by user3036965
I have a GridView control with some data in the first cell throughout the column. I need to make that cell data into a hyperlink (anchor tag) like the following.

    <a href=""myPage.aspx?r=" & strParam & """>" & strData & "</a>"

Can anyone advise on the most effective way to do this? I am using a DataTable and then assigning the DataTable to the GridView. Any advice would be greatly appreciated. I need to use the Sub GridView1_RowDataBound(ByVal sender As Object, ByVal e As GridViewRowEventArgs). So I could add a hyperlink, but getting the parameters into the RowDataBound event is where my skills are falling down. Thank you
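The anchor in the question concatenates strParam and strData straight into markup, so a value containing a quote, an ampersand or a tag can break out of the href or inject script into the page. The following is an added example, not code from the post; it is written in JavaScript so it runs stand-alone and mirrors what HttpUtility.UrlEncode and HttpUtility.HtmlEncode would do for the same string in the VB.NET code-behind. The function names htmlEncode, buildRowLink and buildRowLinkUnsafe are this example's own.

```javascript
// Added example (not from the original post): build the GridView anchor from
// untrusted row data without letting it escape the attribute or the element.
// In VB.NET the equivalents are HttpUtility.UrlEncode for the query-string value
// and HttpUtility.HtmlEncode for the text; this mirrors them so it runs stand-alone.

// Escape the five characters that carry meaning in HTML text and attribute values.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build <a href="myPage.aspx?r=PARAM">DATA</a> safely:
//  - the parameter is URL-encoded so it cannot add extra query keys or quotes
//  - the finished URL is attribute-encoded before it goes between the quotes
//  - the link text is HTML-encoded so it is rendered, never parsed as markup
function buildRowLink(strParam, strData) {
  const href = "myPage.aspx?r=" + encodeURIComponent(strParam);
  return '<a href="' + htmlEncode(href) + '">' + htmlEncode(strData) + "</a>";
}

// The naive concatenation from the question, kept for comparison (deliberately unsafe).
function buildRowLinkUnsafe(strParam, strData) {
  return '<a href="myPage.aspx?r=' + strParam + '">' + strData + "</a>";
}

module.exports = { htmlEncode, buildRowLink, buildRowLinkUnsafe };
```

With a constructed hostile row such as strParam = `"onmouseover="alert(1)` and strData = `<script>alert(1)</script>`, buildRowLinkUnsafe emits a live event handler and a script element, while buildRowLink emits an inert href of `myPage.aspx?r=%22onmouseover%3D%22alert(1)` and visible text reading `<script>alert(1)</script>`.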

  • Two asp.net applications to use the same membership tables - specifically user login data

    - by Lk
Hi, I have created an ASP.NET solution with two applications. They both use the same database, which is set up with .NET membership and roles. Application 1 uses the membership for authentication to an administration area - this works fine. Application 2 has a different applicationID to App1. I want to be able to use the existing user accounts to manage App2's authentication needs. How is this best achieved? Do I just match App2's applicationID to App1's or is there another way? Many Thanks, Lk

  • How can I perform a normal postback on an ASP.NET page with AJAX history enabled?

    - by Nick
I have an ASP.NET 3.5 page with an update panel and history enabled. It works fine when I perform async postbacks but I get problems when I want to perform a normal postback. The page load happens fine for the normal postback but then I get asynchronous page loads from the script manager which load the AJAX history in. If I could have the AJAX history not loading for the times I want to perform a normal postback then everything would be fine. Is there any way to do this?

  • Issues with RegularExpressionValidator in VB .NET 2005 using ASP File Uploader

    - by JFV
I'm looking to validate a single word: detail (upper/lower/mixed case) prior to submitting my VB .NET 2005 page. I used Regex Builder and the below code validates, but it's not working in my web page... Does anyone have any ideas?

    Input file location:
    <input id="btnBrowseForFile" runat="server" enableviewstate="true" name="btnBrowseForFile" style="width: 500px" type="file" />
    <asp:RequiredFieldValidator ID="RequiredFieldValidator2" runat="server" ControlToValidate="btnBrowseForFile" ErrorMessage="*Please select an input file." Display="Dynamic"></asp:RequiredFieldValidator>
    <asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ControlToValidate="btnBrowseForFile" Display="Dynamic" ErrorMessage='*Please select a file that contains the word "detail"' ValidationExpression="(\b|\s|\w)(d|D)(e|E)(t|T)(a|A)(i|I)(l|L)(\s|\b|\w)"></asp:RegularExpressionValidator>

Thanks!!! JFV

  • Asp.net MVC jQuery Ajax calls to JsonResult return no data

    - by Maslow
I have this script loaded on a page:

    (function() {
        window.alert('bookmarklet started');
        function AjaxSuccess(data, textStatus, xmlHttpRequest) {
            if (typeof (data) == 'undefined') { return alert('Data is undefined'); }
            alert('ajax success' + (data || ': no data'));
        }
        function AjaxError(xmlHttpRequest, textStatus, errorThrown) {
            alert('ajax failure:' + textStatus);
        }
        /*imaginarydevelopment.com/Sfc*/
        var destination = {
            url: 'http://localhost:3041/Bookmarklet/SaveHtml',
            type: 'POST',
            success: AjaxSuccess,
            error: AjaxError,
            dataType: 'text',
            contentType: 'application/x-www-form-urlencoded'
        };
        if (typeof (jQuery) == 'undefined') { return alert('jQuery not defined'); }
        if (typeof ($jq) == 'undefined') {
            if (typeof ($) != 'undefined') { $jq = $; }
            else { return alert('$jq->jquerify not defined'); }
        }
        if ($jq('body').length <= 0) { return alert('Could not query body length'); }
        if ($jq('head title:contains(BookmarkletTest)').length > 0) {
            alert('doing test');
            destination.data = { data: 'BookmarkletTestAjax' };
            $jq.ajax(destination);
            return;
        }
    })();

When it is run locally in VS2008's Cassini the Ajax success shows the returned string from ASP.NET MVC; when it is run remotely the Ajax success data is null. Here's the controller method that is firing both locally and when run remotely:

    [AcceptVerbs(HttpVerbs.Post | HttpVerbs.Get)]
    public string SaveHtml(string data)
    {
        var path = getPath(Server.MapPath);
        System.IO.File.WriteAllText(path, data);
        Console.WriteLine("SaveHtml called");
        Debug.WriteLine("SaveHtml called");
        //return Json(new { result = "SaveHtml Success" });
        return "SaveHtml Success";
    }

Once I have it working I was going to remove the GET, but currently accessing the SaveHtml method directly from the web browser produces the expected results when testing.

So there's something wrong in my JavaScript, I believe, because when I step through there with Chrome's developer tools, I see the data is null, and the xmlHttpRequest doesn't appear to have the expected result in it anywhere either. I'm loading jQuery via http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js
