Error: The resource cannot be found.
-
You're passing the username through the querystring but then never using it, at least not in the data you showed.
There are only 10 types of people in the world, those who understand binary and those who don't.
How would I do that, Ryan? This is my first venture into asp.net.
-
I suggest getting a book or going through online tutorials. A simple method is to add a label and then in Page_Load take the value from Request.QueryString and put it into the label. But this is such basic stuff that I think you'll learn a lot more if you go through tutorials.
There are only 10 types of people in the world, those who understand binary and those who don't.
-
Yes, OK, I will do. Thanks
-
A word of warning: Don't do what Ryan said. (Or at least, not exactly what he said!) When you take a value from the request and want to re-display it, you need to make sure it's properly encoded. In this case, since you're displaying it as text within the HTML of the page, you need to use the HttpUtility.HtmlEncode method to encode the string before showing it in a label.
The reason you need to encode it before displaying it is to prevent a cross-site scripting (XSS) attack. Since the query-string could be modified by the user, they could pass in any HTML or JavaScript. If your code blindly copies that to the response, they can execute that script within your page. Since it's just a link, they could send that out to anyone they think might use your site, and anyone who clicked on the link would suddenly find that their authentication cookies have been stolen, or that your site has installed malware on their device. You should never trust any input that comes from the user, whether it's in the query-string, part of a POST request, or even the HTTP headers. Always assume that all users are trying to hack into your site, and use the appropriate defences. :)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Hello Richard. Thanks for your post. So in addition to this if I can get it to work:
Public Class success
    Inherits System.Web.UI.Page
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request("Name") IsNot Nothing Then
            Name.Text = String.Format("{0}, ", Request("Name"))
        End If
    End Sub
End Class
I would also need the basis of something like this (which looks complicated!):
Imports System
Imports System.Web
Imports System.IO
Class MyNewClass
    Public Shared Sub Main()
        Dim myString As String
        Console.WriteLine("Enter a string having '&' or '""' in it: ")
        myString = Console.ReadLine()
        Dim myEncodedString As String
        ' Encode the string.
        myEncodedString = HttpUtility.HtmlEncode(myString)
        Console.WriteLine("HTML Encoded string is " + myEncodedString)
        Dim myWriter As New StringWriter()
        ' Decode the encoded string.
        HttpUtility.HtmlDecode(myEncodedString, myWriter)
        Console.Write("Decoded string of the above encoded string is " + myWriter.ToString())
    End Sub 'Main
End Class 'MyNewClass
As an aside, my 'you have successfully registered' page tells me after I complete the form myself: 'System.Web.UI.WebControls.TextBox, You have successfully registered'. I can see 'System.Web.UI.WebControls.TextBox' if I hover my mouse over the word 'username' in my Register.aspx.vb file, but I don't know what the source of the error is. Thanks again, Richard.
-
Richard Deeming wrote:
it is to prevent a cross-site scripting (XSS) attack.
Yes, I intentionally left that out as to not overwhelm, but valid point. Note, most browsers do a good job preventing that anyway.
There are only 10 types of people in the world, those who understand binary and those who don't.
-
You don't really need the console application, unless you want to play with the methods. All you really need is:
Public Class success
    Inherits System.Web.UI.Page
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        ' Store this in a local variable, so you're not repeatedly looking up the same item.
        ' Also, use Request.QueryString("Name") instead of Request("Name"), as you already know it's in the query string.
        Dim theName As String = Request.QueryString("Name")
        ' The value might be Nothing, or it might be an empty string:
        If Not String.IsNullOrEmpty(theName) Then
            ' Encode the value to display as text within an HTML context:
            Name.Text = HttpUtility.HtmlEncode(theName)
        End If
    End Sub
End Class
As for the page displaying your name as System.Web.UI.WebControls.TextBox, it sounds like you're doing something like:
Response.Redirect(String.Format("success.aspx?name={0}", UserNameTextBox))
You need to pass the value of the TextBox, which is in the .Text property. You should also make sure that you properly encode the value - this time, for a URL:
Dim theName As String = UserNameTextBox.Text
Dim encodedName = HttpUtility.UrlEncode(theName)
Response.Redirect(String.Format("success.aspx?name={0}", encodedName))
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Thanks for that, Richard. This finally worked:
register.aspx.vb
Dim target = String.Format("~/Success.aspx?Name={0}", username.Text)
' Perform your Redirect '
Response.Redirect(target, True)
success.aspx.vb
Public Class success
    Inherits System.Web.UI.Page
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request("Name") IsNot Nothing Then
            ' It exists, so set your label (and a trailing comma) to display your name '
            Name.Text = String.Format("{0}, ", Request("Name"))
        End If
    End Sub
End Class
Thanks for your help and for giving me an idea of what to look for.
-
That looks very much like the original code you posted. You're missing all of the required encoding. For example, try entering a username of <script>alert("Test")</script> - you'll either get a message box pop up when the success page loads, or your browser will prevent access to the page with a warning about cross-site scripting. You need to encode the value according to the context:
register.aspx.vb:
Dim name As String = HttpUtility.UrlEncode(username.Text)
Dim target As String = String.Format("~/Success.aspx?Name={0}", name)
Response.Redirect(target, True)
success.aspx.vb:
Public Class success
    Inherits System.Web.UI.Page
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Dim theName As String = Request.QueryString("Name")
        If Not String.IsNullOrEmpty(theName) Then
            Dim encodedName As String = HttpUtility.HtmlEncode(theName)
            Name.Text = String.Format("{0}, ", encodedName)
        End If
    End Sub
End Class
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
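An added example, not code from the thread: a VB.NET console sketch of the "encode according to the context" advice above. It runs the thread's test username and two constructed ones through the redirect URL and into the label text, then shows what the success page would receive if the HTML encoder were used in the URL instead. The module and function names are hypothetical, and the project is assumed to reference System.Web.

```vb
Imports System
Imports System.Web

' Added example: hypothetical helper names, constructed sample inputs.
Module EncodingContexts

    ' Output context 1: the value is placed inside a URL query string.
    Function BuildRedirectUrl(userName As String) As String
        Return String.Format("~/Success.aspx?Name={0}", HttpUtility.UrlEncode(userName))
    End Function

    ' What the success page sees: the query string is split on "&" and URL-decoded.
    Function ReadNameFromUrl(url As String) As String
        Dim query As String = url.Substring(url.IndexOf("?"c) + 1)
        Return HttpUtility.ParseQueryString(query)("Name")
    End Function

    ' Output context 2: the value is placed in HTML text (the label).
    Function BuildLabelText(nameFromQuery As String) As String
        Return String.Format("{0}, ", HttpUtility.HtmlEncode(nameFromQuery))
    End Function

    Sub Main()
        ' The thread's test value plus two constructed names containing URL metacharacters.
        Dim samples As String() = {"<script>alert(""Test"")</script>", "Tom & Jerry", "a&Name=b"}

        For Each userName As String In samples
            Dim url As String = BuildRedirectUrl(userName)
            Dim received As String = ReadNameFromUrl(url)
            Console.WriteLine("input:      " & userName)
            Console.WriteLine("redirect:   " & url)
            Console.WriteLine("round trip: " & (received = userName).ToString())
            Console.WriteLine("label HTML: " & BuildLabelText(received))

            ' Wrong encoder for the context: HTML-encoding a URL value leaves "&" acting
            ' as a parameter separator, so the success page receives a different name.
            Dim wrongUrl As String = "~/Success.aspx?Name=" & HttpUtility.HtmlEncode(userName)
            Console.WriteLine("HtmlEncode in URL gives Name = " & ReadNameFromUrl(wrongUrl))
            Console.WriteLine()
        Next
    End Sub
End Module
```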
-
Hello Richard. Thanks for that. I actually have in aspx.vb:
Dim target = String.Format("~/Success.aspx?Name={0}", username.Text)
' Perform your Redirect '
Response.Redirect(target, True)
and in success.aspx.vb:
Public Class success
    Inherits System.Web.UI.Page
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request("Name") IsNot Nothing Then
            ' It exists, so set your label (and a trailing comma) to display your name '
            Name.Text = String.Format("{0}, ", Request("Name"))
        End If
    End Sub
End Class
That seems to work, but I don't have HttpUtility.UrlEncode or HttpUtility.HtmlEncode. Thanks again for your time.