This is a migrated thread and some comments may be shown as answers.

SqlInjection in edit mode

3 Answers 58 Views
Grid
This is a migrated thread and some comments may be shown as answers.
diego
Top achievements
Rank 1
diego asked on 26 Jun 2012, 11:45 AM
Hello
I am building a page where users can edit data
I have followed a sample case (http://demos.telerik.com/aspnet-ajax/grid/examples/programming/commanditem/defaultcs.aspx)
and here is my sample page (http://gaia.agraria.unitus.it/prova3.aspx)
The problem rise in the second grid after user selects a site: when you switch to edit mode, you can enter anything in the textbox.
In your sample, I tried to enter the string  SELECT * FROM MyTable DELETE FROM MyTable or other attempts with dangerous words (such as delete or drop) and the input was blocked.
But inspecting your code there I could not find anything about sql injection prevenction; that is, when I tried to replicate the test into my page, all data were dangerously inserted.
Is there a way to process data before the update operatione in the database?
Thanks
Diego

3 Answers, 1 is accepted

Sort by
0
Jayesh Goyani
Top achievements
Rank 2
answered on 26 Jun 2012, 03:16 PM
Hello,

private void RadGrid1_ItemCreated(object sender, Telerik.WebControls.GridItemEventArgs e)
{
  if(e.Item is GridEditableItem && e.Item.IsInEditMode)
  {
     GridEditableItem item = e.Item as GridEditableItem;
     GridTextBoxColumnEditor editor = (GridTextBoxColumnEditor)item.EditManager.GetColumnEditor( "ColumnUniuqeName");
     TableCell cell = (TableCell)editor.TextBoxControl.Parent;
  
     RequiredFieldValidator validator = new RequiredFieldValidator();
     editor.TextBoxControl.ID = "ID_for_validation";
     validator.ControlToValidate = editor.TextBoxControl.ID;
     validator.ErrorMessage = "*";
     cell.Controls.Add(validator);
  }
}

In above code snippet i have added RequiredFieldValidator to boundcolumn. But you can also apply Reggularexpressionvalidator or customvalidator to achieve your requirement.


Thanks,
Jayesh Goyani
0
diego
Top achievements
Rank 1
answered on 27 Jun 2012, 10:26 AM
You are my saviour!
I have solved by creating a  customvalidator  and assigning a client side function.
One more question: how can I implement a SERVER validation function with a customvalidator   ?
Many thanks!
0
Radoslav
Telerik team
answered on 02 Jul 2012, 06:09 AM
Hi Diego,

In order to have a server side validation with CustomValidator control you need to handle ServerValidate event of the CustomValidator. On the following link you could find example:
http://asp.net-tutorials.com/validation/custom-validator/

I hope this helps.

All the best,
Radoslav
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
Tags
Grid
Asked by
diego
Top achievements
Rank 1
Answers by
Jayesh Goyani
Top achievements
Rank 2
diego
Top achievements
Rank 1
Radoslav
Telerik team
Share this question
or