Model binding fails in webapi 2.0 - asp.net-web-api2

I am using Webapi 2.0. I am passing one parameter having value as vb/c4t+UuRLnQ2W/g8SQ== After model binding i am getting the value of authId in my code as vb/c4t UuRLnQ2W/g8SQ== The (+) sign gets replaced with a space. Could you please help me out how can i get that.
Url: api/employee/1234?authId=vb/c4t+UuRLnQ2W/g8SQ==
[HttpGet]
public IHttpActionResult Get(string eid, string authId)
{
}

+ sign has a different meaning in the query string. It is used to represent a space. Another character that has semantic importance in the query string is & which is used to separate the various var=value pairs in the query string.
Most server side scripts would decode the query parameters before using them, so that a + gets properly converted to a space. Now, if you want a literal + to be present in the query string, you need to specify %2B instead.
Example yourString.replace("+","%2b")
Alternative method : You should URLEncode your query string values to make sure you are not loosing the content.
Another alternate way is like create your own code for + sign. for example 12sfdhjsj8722nsn2232dfsdd will represent a + sign. so you can replace the + sign with the code and in your server side you can get it back using the same code.

Related

URL-parameters input seems inconsistent

I have review multiple instructions on URL-parameters which all suggest 2 approaches:
Parameters can follow / forward slashes or be specified by parameter name and then by parameter value. so either:
1) http://numbersapi.com/42
or
2) http://numbersapi.com/random?min=10&max=20
For the 2nd one, I provide parameter name and then parameter value by using the ?. I also provide multiple parameters using ampersand.
Now I have see the request below which works fine but does not fit into the rules above:
http://numbersapi.com/42?json
I understand that the requests sets 42 as a parameter but why is the ? not followed by the parameter name and just by the value. Also the ? seems to be used as an ampersand???
From Wikipedia:
Every HTTP URL conforms to the syntax of a generic URI. The URI generic syntax consists of a hierarchical sequence of five components:
URI = scheme:[//authority]path[?query][#fragment]
where the authority component divides into three subcomponents:
authority = [userinfo#]host[:port]
This is represented in a syntax diagram as:
As you can see, the ? ends the path part of the URL and starts the query part.
The query part is usually a &-separated string of name=value pairs, but it doesn't have to be, so json is a valid value for the query part.
Or, as the Wikipedia articles says it:
An optional query component preceded by a question mark (?), containing a query string of non-hierarchical data. Its syntax is not well defined, but by convention is most often a sequence of attribute–value pairs separated by a delimiter.
It is also fairly common for request processors to treat a name=value pair that is missing the = sign, as if the it was name=.
E.g. if you're writing Servlet code and call servletRequest.getParameter("json"), it would return an empty string ("") for that last URL in the question.

How to replace "%2B" with "+" when calling RedirectToAction()

I'm using the RedirectToAction() method in an ASP.NET Core 2.1 controller called CatalogController:
return RedirectToAction("search", new { search_string = "example+string" });
This redirects to a URL:
catalog/search/?search_string=example%2Bstring
How do I replace the %2B encoding with a + instead?
The URL should instead look like:
catalog/search/?search_string=example+string
The RedirectToAction() method assumes that any values passed via the RouteValues parameter are not encoded; the RedirectToAction() method will take care of the URL encoding on your behalf. As such, when you enter a +, it's treating it as a literal + symbol, not an encoded space.
%2B is the correct encoding for a literal + symbol. If you want a space to be encoded in the URL, then you should enter a space in your RouteValues dictionary (e.g., search_string = "example string"). This will encode the space as a %20.
Note: A %20 is the equivalent of a + in an encoded URL, so I'm assuming that will satisfy your requirements.
If your search_string value is coming from a URL encoded source, you will need to first decode it using e.g. WebUtility.UrlDecode(). That said, if you're retrieving your search_string value from an action parameter or binding model, this decoding should already be done for you.
If, for some reason, you want to treat literal + symbols as spaces, you'll need to explicitly perform that replace on your source value (e.g., search_string.Replace("+", " ")).

Knex, How do I query for strings instead of objects?

I have the following query for a PostgreSQL databse using knex:
knex('mytable').select('name').then(function(rows) {
console.log(rows[1].name);
var a = "Test";
var b = rows[1].name;
console.log(a + " " + b)
})
The query is working however the "rows[1].name" value is a... object thingy whatever which looks like {"value"} instead of simply a string containing the value 'value'.
My question here is: Am I doing something "wrong" ? Are we generally speaking supposed to work with this type of values when using SQL databases rather than plain old string values ? If so how exactly should i treat these objects (say if I wished to display the value inside of it on an html page)?
Furthermore, if I am to convert this object to a string, is there a knex function that allows me to do so (obviously I can do it using plain of js and substr but I'd think it would be rather inefficient, possibly not "The right way" to do such a thing) ?

sql injection in integer field

I have an app, and the username field will convert any given value to the integer value using integer.parseint. The app uses JSP and Oracle database.
The URL has been tested with SQLMap and it is not dynamic. So, the only way I can try is via the login form, but I could not bypass it.
When I put ' or 1=1, -- ,the server return error, error for input string.
I want to inject the field, so, how can it be done?
I don't know whether I can use the alternate encoding because it will convert that to integer anyway.
It can't be done.
If the value is parsed as an integer, it can no longer contain any harmful code.

Codeigniter database query bug - does not return expected results

I tested this query in my database, and it works fine:
select * from variables where value = 'commas-:-)';
I get a result. Now, I stored the value in a variable and use the query class.
$value = 'commas-:-)' <<< this is passed as a parameter
$query = "select * from variables where value = '$value'";
$this->db->query($query);
Now, this query works for every other value except for this one - but what's odd is that if I PRINT out the exact query (print_r of $query) and execute it on the database, it returns the correct result. So I'm left to think that the query class is screwing with my query, which it shouldn't because everything is properly escaped and $value is a string literal.
What is going on?
$sql = "SELECT * FROM variables WHERE value = ?";
$this->db->query($sql, array('commas-:-)'));
More info
$get_data = $this->db->from('variables')
->where('value', $value)
->get();
Hope this will work...!
try to use these things for checking the queries
echo $this->db->last_query();
print_r($this->db->result_array($get_data));
I found the issue - it was the rerouting function that was causing the mishap. More specifically, the segment filtering function within the route folder in the system core.
This is what happened:
I created an anchor with the encoded value (commas:-)) and I configured the route to reroute the uri to a function I had in my controller. Each time I clicked the link, the value gets passed, and (supposedly) rerouted to the function. Which it did, for almost all the values I used. Except this one.
1st assumption: the db query function is escaping the values. But I turned off the escape, as well as checked the query by printing. The value was correct. I then tried other query formats, and still no results. Conclusion: There's nothing wrong with the database query functions.
2nd assumption: the data must be corrupt - although the value is correct (I'm getting commas:-)), it's not returning anything except when I type in the value manually. So I tested this:
I created a seperate value, and set it equals to the one I typed in(the one that works). I then printed the original value(one passed) and the newly created value using VAR_DUMP.
Turns out, the argument value (one that doesn't work) is a string with length 14 whereas my new variable was a string with a length of 10. WTF? Conclusion: Something occured during the rerouting / passing process that changed the variable.
I went back to the config folder, and replace the variable $i in the reroute to the literal string value commas:-). And guess what? It worked perfectly. And just to make sure it wasn't the regex, I wrote my own custom regex and it matched fine, but the value was still being changed. So I decided to get under the hood.
I traced the URI manipulation in the routes class to the _explode_segment() function, which was used to perform the regex and analyse the uri for other variables. It also did this thing ...
_filter_uri($str)
for each part of the uri segment that was matched.
What did it do? It replaces programmable characters like ( and ) with their HTML ENTITY. Now, if you don't know, html entities have long lengths than url encoding. LOL. So what happened was this:
Original segment : commas-%3A-%29 <- very nice!
Filtered segment : commas-%3A-) <- NOOOOOOOOO! (the right paren encoded with &#41.)
urldecode("&#41") = string(4)
urldecode("%29") = string(1)
Fail.
or WIN?!