Thursday, August 6, 2015

Prevent a full postback when using UpdatePanels and the AjaxControlToolkit with dynamically loaded controls

UpdatePanels, which help us in almost every ASP.NET Web Forms project, are really useful. But once an AjaxControlToolkit reference is added to the project and dynamically loaded controls cause a postback, the UpdatePanel no longer behaves the way we expect. It appears to be a compatibility issue.

But how do we overcome this? Let's look at a simple example.

I'm creating a project that has a Repeater control with drop-downs inside, holding some values; those drop-downs post back to the server whenever their selected index changes (for no reason other than to demonstrate the problem).
To show that the UpdatePanels are working, I'm using an <img> into which JavaScript loads an image; when a drop-down selection changes, that image should not be refreshed.

Here is the full HTML and the code that binds the Repeater. The <img> and the file input sit inside an UpdatePanel whose UpdateMode is set to Conditional, while the Repeater's UpdatePanel is left at the default (Always).


If you look at the reference list, AjaxControlToolkit is not added. This works perfectly: you can change the drop-down index, it causes a partial postback, and the image is still there.

The image is loaded and the drop-downs are at their default selection.
The drop-down selection has changed and the image is still there, because the UpdatePanels are working fine.


The problem comes when you add the AjaxControlToolkit as a reference to the project: suddenly the UpdatePanels stop working, and when you change the drop-down selection the full page is refreshed and the image is gone.
(You don't even need to use the AjaxControlToolkit on your page; just adding it to the solution is enough to break this.)

So what actually went wrong? This is a compatibility issue: the drop-downs are not registered with the UpdatePanel as async postback controls, because they are added dynamically.

How to overcome this:
There are two ways we can overcome this:

  1. The hard way: when the Repeater item is created, find the drop-down and register it as an async postback control (ScriptManager.GetCurrent(this).RegisterAsyncPostBackControl(dropdown1);). Keep in mind that the ScriptManager does not remember this registration between requests, so it has to run on every request, not only on the first bind.
  2. The easy way: change your page's ClientIDMode property to "AutoID". Then every dynamic control is assigned an ID when it is created and gets registered with the UpdatePanel.
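Here is what the hard way looks like in code-behind, as an added example (this is not the original post's code, whose markup is in the screenshots). It assumes a Repeater named rptUsers whose ItemTemplate holds a DropDownList named ddlStatus with AutoPostBack="true", both inside an UpdatePanel, with a ScriptManager on the page; the user names are constructed sample data and all control names are assumptions. The registration is done in ItemCreated rather than ItemDataBound because ItemDataBound only fires during DataBind, while ItemCreated also fires when the Repeater rebuilds its rows from view state on a postback, which is what keeps the registration alive on every request. The easy way is the one attribute in the @ Page directive quoted in the comment at the top.

```csharp
// Added example, not the original post's code.
// Easy way (option 2): one attribute in the page directive:
//   <%@ Page Language="C#" ClientIDMode="AutoID" ... %>
// Hard way (option 1): register each drop-down with the ScriptManager.
// Assumed markup (control names are assumptions, not from the post):
//   <asp:ScriptManager ID="sm" runat="server" />
//   <asp:UpdatePanel ID="upList" runat="server">   <!-- UpdateMode="Always" (default) -->
//     <ContentTemplate>
//       <asp:Repeater ID="rptUsers" runat="server" OnItemCreated="rptUsers_ItemCreated">
//         <ItemTemplate>
//           <%# Container.DataItem %>
//           <asp:DropDownList ID="ddlStatus" runat="server" AutoPostBack="true"
//                OnSelectedIndexChanged="ddlStatus_SelectedIndexChanged">
//             <asp:ListItem Text="Active" /><asp:ListItem Text="Blocked" />
//           </asp:DropDownList>
//         </ItemTemplate>
//       </asp:Repeater>
//     </ContentTemplate>
//   </asp:UpdatePanel>
//   <asp:UpdatePanel ID="upImage" runat="server" UpdateMode="Conditional">
//     <ContentTemplate><img id="preview" /></ContentTemplate>
//   </asp:UpdatePanel>
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Default : Page
{
    // Constructed sample data; in the post it comes from the Repeater's data source.
    private static readonly string[] SampleUsers = { "alice", "bob", "carol" };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            rptUsers.DataSource = SampleUsers;
            rptUsers.DataBind();
        }
    }

    // ItemCreated fires on the initial DataBind and again on every postback
    // when the Repeater recreates its rows from view state, so the drop-down
    // is registered on every request. ItemDataBound alone is not enough: it
    // only fires during DataBind, and ScriptManager forgets registrations
    // between requests.
    protected void rptUsers_ItemCreated(object sender, RepeaterItemEventArgs e)
    {
        if (e.Item.ItemType != ListItemType.Item &&
            e.Item.ItemType != ListItemType.AlternatingItem)
        {
            return; // header/footer/separator rows hold no drop-down
        }

        var ddl = e.Item.FindControl("ddlStatus") as DropDownList;
        ScriptManager sm = ScriptManager.GetCurrent(Page);
        if (ddl != null && sm != null)
        {
            // Route this control's postback through the UpdatePanel machinery
            // instead of letting it fall back to a full-page postback.
            sm.RegisterAsyncPostBackControl(ddl);
        }
    }

    protected void ddlStatus_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Runs during the partial postback. Only upList (UpdateMode Always)
        // re-renders; upImage (Conditional) is untouched, so the <img> that
        // JavaScript filled on the client keeps its picture.
    }
}
```

If you pick the easy way instead, drop the ItemCreated handler and its OnItemCreated attribute and add ClientIDMode="AutoID" to the page directive; the rest of the markup stays the same.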


So that's it; I hope you find this helpful one day. Cheers and happy coding.


Sunday, May 10, 2015

How to prevent SQL injection: the basics

In my career I have seen a couple of ways that coders deal with databases.

  • Directly executing SQL command strings coded inside the system (I used to do the same, as far as I can remember).
  • Using stored procedures to work with the system.
  • Using EF (Entity Framework) to connect the system to the database { I'm a .NET guy :); }

If you use the first mechanism, because it's easy and you are lazy, your system will end up with some serious SQL injection capabilities.


In this case the SQL command is sent to SQL Server as a string; it is parsed and built inside SQL Server, then executed, and the result is returned. This is the same as creating a SQL command at runtime and executing it. The screenshot below shows an example of that scenario.



 {So who started coding like this :)  (I did) ;}

The developer thinks and codes for what he sees; from his point of view this is easy and does the job. Let's look at the SQL side.

This is a sample of what SQL Server will create for the above code. It is correct as far as it goes, but what can go wrong is that someone can inject SQL at runtime, like below.

In the normal scenario the variable @login_name holds a name,
 like: SET @login_name='''chathura''';
and the generated script looks like this:

SELECT [id] FROM [user_list] 
WHERE [user_name] = 'chathura'  AND [password] = ''

 This is the perfect scenario, but what happens if someone enters their user_name like this:

 SET @login_name='''chathura''' +' OR 1=1'

This is going to hurt big time, because your SQL is generated on the fly; now the result will be like this:

SELECT [id] FROM [user_list] 
WHERE [user_name] = 'chathura' OR 1=1 AND [password] = ''

Because AND binds tighter than OR, SQL Server reads this as [user_name] = 'chathura' OR (1=1 AND [password] = ''), so it returns chathura's id without the correct password (plus any user with an empty password). An attacker who wants every row usually goes one step further and ends the input with a comment marker (--) so the password check is discarded altogether.

So it's up to you: do you want to enable the SQL injection feature in your application or not? :);

Bottom line: do not use SQL statements like the above; either use stored procedures or parameterized queries. (A stored procedure only helps if it does not itself concatenate its arguments into dynamic SQL and EXEC it, which would leave you exactly where you started.)
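Here is the parameterized version next to the concatenated one, as an added example that is not the post's own code (which is in the screenshots). The table and column names follow the queries above; the class and method names, the connection string and the attacker input are assumptions/constructed. Comparing a plain-text password inside SQL is kept only to match the post's query; real code should store a salted password hash and verify it in application code.

```csharp
// Added example, not the post's own code. Assumes table [user_list] with
// columns [id], [user_name], [password] (taken from the queries in the post);
// the class, method names and connection string are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginRepository
{
    // VULNERABLE: the user's input becomes part of the SQL text, so quotes,
    // OR and comment markers in the input are parsed as SQL by the server.
    public static string BuildVulnerableQuery(string userName, string password)
    {
        return "SELECT [id] FROM [user_list] " +
               "WHERE [user_name] = '" + userName + "' AND [password] = '" + password + "'";
    }

    // SAFE: the SQL text is a constant; values are shipped as typed parameters
    // and can never change the shape of the statement, whatever they contain.
    public static int? FindUserId(string connectionString, string userName, string password)
    {
        const string sql =
            "SELECT [id] FROM [user_list] " +
            "WHERE [user_name] = @user_name AND [password] = @password";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare type and size explicitly so the value is never implicitly
            // converted and the cached plan stays stable across calls.
            cmd.Parameters.Add("@user_name", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;

            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? (int?)null : Convert.ToInt32(result);
        }
    }

    public static void Main()
    {
        // Constructed attacker input. In the concatenated version the quote
        // closes the string, OR 1=1 matches every row and -- comments out the
        // password check; in the parameterized version the whole string is
        // just a user name that matches nobody.
        string attack = "' OR 1=1 --";
        Console.WriteLine(BuildVulnerableQuery(attack, "anything"));
    }
}
```

Run the Main to see the SQL text the concatenated version would send for that input; FindUserId needs a real connection string and sends the same fixed statement no matter what the user types.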



{This is my first article, so feel free to comment on what I have to improve; thanks!}