I have a report generated by IBM appscanner tool. It scanned my mvc application and on some urls it gave me high alerts. I'm trying to figure out how to perform parameter manipulation on my page like above information provided in the report to find the issue. Example of the link on which the above report is based: localhost:46887/Myproject/country/edit/1
As a rule of thumb:
Always cast the values (provided through Request) to the concrete type which you are using in the application logic.
If you are using an ORM/ODM to access the data storage you receive built-in SQL injection protection :).
This tool maybe examines only the query string and just assumes that injection is possible.
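An added sketch of the advice in the answer above, not code from the original post and written in Python rather than the asker's ASP.NET MVC: the route value is cast to an integer before use and bound as a query parameter, then the handler is checked against the kind of values a scanner substitutes for the `1` in `/country/edit/1`. The `country` table, the handler name and the sample values are constructed assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE country (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO country VALUES (?, ?)",
                   [(1, "Austria"), (2, "Belgium")])
    return db

_ID_RE = re.compile(r"[0-9]{1,9}")   # ASCII digits only, bounded length

def parse_id(raw):
    """Cast the route segment to the concrete type the logic uses (int).
    Returns None for anything that is not a plain positive integer."""
    if not isinstance(raw, str) or not _ID_RE.fullmatch(raw):
        return None
    value = int(raw)
    return value if value > 0 else None

def edit_country(db, raw_id):
    """Hypothetical handler for /country/edit/<raw_id>: (status, body)."""
    country_id = parse_id(raw_id)
    if country_id is None:
        return 400, None                      # tampered or malformed value
    # Bound parameter: the value never becomes part of the SQL text.
    row = db.execute("SELECT name FROM country WHERE id = ?",
                     (country_id,)).fetchone()
    return (200, row[0]) if row else (404, None)

# Constructed samples of values a scanner may put in place of "1";
# "\uff11" is a full-width digit that a loose numeric check would accept.
TAMPERED = ["1 OR 1=1", "1'", "1;--", "-1", "", "\uff11", "1.0", " 1"]

def check_handler():
    """Status code returned for each tampered value and two valid ids."""
    db = make_db()
    return {value: edit_country(db, value)[0] for value in TAMPERED + ["1", "99"]}

if __name__ == "__main__":
    for value, status in check_handler().items():
        print(repr(value), "->", status)
```

If every tampered value comes back as 400 while valid ids still resolve, the scanner's finding on that URL can be reviewed as a likely false positive.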
Related
I have an ASP.NET/C# web app in which the user needs to run reports with various criteria that will ALWAYS yield simple, 2-dimensional, tabular data. I'm tempted to use a sophisticated reporting engine like SSRS or Crystal Reports, but these seem like overkill, since there's really nothing to design (all outputs will be to CSV, or JSON for the browser to render in an HTML table).
In this scenario, am I eating too much complexity by trying to use SSRS or Crystal Reports? Should I instead just write custom classes to dynamically assemble SQL statements (based on user selections) that will be fired against the database?
Does SSRS or CR add anything that is of value (within the requirements constraints I've already described)...?
It depends on your requirement. If you want minimal overhead on your web app then please go ahead and use your custom code, since you do not require any styling or extra functions.
Just get JSON objects, fill in the HTML and go ahead!!
I am working with SSRS, so I will talk just about it:
SSRS is a very useful tool for building reports.
All you need is a SQL Server stored procedure to build your report,
then deploy it to the report server and use this report from your app.
- Now all you need in your app is just one page for all reports, and you pass the URL
dynamically with the report name.
You need to know this:
- SSRS does not work correctly with all browsers,
for example:
- the Print button only works with IE,
so for Mozilla and Google you need to use JavaScript to print the report.
- Some issues with the criteria section:
there is no way to rename the 'select value' in a drop-down,
so you need to use JavaScript to handle it.
Also you find (Null and check box); any customer does not know what null means, so
you need first to remove the null keyword or to rename it to another keyword;
you also need JavaScript to do this.
The biggest problem I have:
all reports are on the report server, so
when I go to a new client, what I need is
just SQL Server, with no need to set up Visual Studio and the SSRS tool
just to deploy all reports on the client's report server.
It's very bad..
I solved this issue with a tool I made to deploy all the reports,
with no need to set up VS just to deploy the reports.
I think that is the most important problem I have,
and for all of them I found a workaround to solve .. and it takes more time.
Finally:
use SSRS or CR; it is very easy to use and makes reports very fast, with no need to create a custom page for a report and develop all its controls, just like print and export
report to PDF, Excel or any type.
But if you have few reports, I think there is no need to use any reporting tool.
I am trying to develop a BlackBerry application that will show data from an SQL Database from a server. I was researching the new HTML 5 option for blackberry (WebWorks) and noticed that it apparently cannot connect to any server data by itself. Some links state that I would need javascript coding to obtain it. I looked into the option of PhoneGap (link here: http://phonegap.com/) and decided I'd try using HTML 5 to produce the application. I have never touched SQL databases before and I am wondering how I would connect the two; meaning how do you pull data from the server given that you are working with HTML5?
I have looked at:
Where is data stored when using an HTML 5 Web SQL Database
Process for pulling data from a sql database
among others but I am still unsure as to what to do. I would be looking to "view" the data from the server and display it on the app. It would be something of the sort:
- HomeScreen: What data would you like to view?:
- Dropdown list of categories (from the database)
- Selecting Entry in dropdown leads to available information (from the database)
Any help would be appreciated, and of course thanks in advance.
The new (and pretty awesome) features of HTML5 are happening in the browser on the client side. What you will need is a back-end on the server side doing some magic. It is true that browsers now have databases, but these are located on the phone, computer etc., and as I understand your question you want these data to communicate with data on your server. To move data across the web you will need to perform HTTP requests, which can easily be done through JavaScript and Ajax. Look a bit into these technologies and make a little server-side script that gathers data from the database and sends it in a structured format to the phone (JSON, XML), then make a script in JavaScript on the client side that parses these data and utilises them.
Good luck!
I have recently started to look at sql reporting services.
I have data stored in a database which has been encrypted with an AES cypher before being stored away.
I've had a look at building some reports using Microsoft Report Builder 2.0 and it seems quite nice and simple for knocking together some simple reports.
My question is: Can I decrypt this data before displaying it on a report? Is there any way to run code with these reports?
Use a RDLC (C is for Client), and then look at the Microsoft.Reporting.WebForms and Microsoft.Reporting.WinForms namespaces.
This allows you to use code to generate your data, for example get your data from SQL Server then decrypt it as required before presenting it to the ReportViewer control.
I have a couple of inline SQL in many of our reports on the report manager.
Now I need to do some code change for all of them, is there a way to list all those reports based on the inline SQL and not any SP?
Thanks,
D
You can use the reporting services API to get the report from the web service and do a search for the appropriate tags in the XML. The MSDN documentation for the report definition XML schema and diagrams can be found here and a diagram of the data source related parts here. The API documentation can be found here.
You can write .Net programs that upload and download reports from the Reporting Services API, using ReportingService.GetReportDefinition and SetReportDefinition. You can upload or download the report definition into a buffer, which can be read or written to disk. Somewhere I have an Ironpython prototype that does this, which I'll post if I find it.
To use this, you need to query the WSDL and generate a stub. The tool to do this is called WSDL.EXE. If I can find it I'll post it here, but you could just as easily use C#.
There is also a tool called rs.exe that comes with BIDS which takes a VB.net program and tops and tails it with includes for the Reporting Services API. You can use this to execute a VB.Net script from the command line - essentially it tops and tails the program, compiles it behind the scenes and runs it against a report server.
You can either do what NXC suggested or if this is a one time activity, you can simply open the RDL file for the report in a text editor and search for common SQL strings like "select", "delete" etc in order to find the reports which have inline SQL
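An added example of the search both answers describe, not code from either poster: it reads report definitions that have already been downloaded (for instance with GetReportDefinition, as mentioned above) and lists the datasets whose query is inline SQL rather than a stored procedure. The sample RDL, report paths and function names are constructed assumptions; only parse RDL files that come from your own report server.

```python
import xml.etree.ElementTree as ET

# Constructed sample RDL: one stored-procedure dataset, one inline-SQL dataset.
SAMPLE_RDL = """<Report xmlns="http://schemas.microsoft.com/sqlserver/reporting/2005/01/reportdefinition">
  <DataSets>
    <DataSet Name="SalesByRegion">
      <Query>
        <DataSourceName>Main</DataSourceName>
        <CommandType>StoredProcedure</CommandType>
        <CommandText>dbo.GetSalesByRegion</CommandText>
      </Query>
    </DataSet>
    <DataSet Name="RegionList">
      <Query>
        <DataSourceName>Main</DataSourceName>
        <CommandText>SELECT RegionId, Name FROM Region ORDER BY Name</CommandText>
      </Query>
    </DataSet>
  </DataSets>
</Report>"""

def _local(tag):
    """Strip the '{namespace}' prefix; the RDL namespace differs per version."""
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, name):
    for node in parent:
        if _local(node.tag) == name:
            return (node.text or "").strip()
    return None

def inline_sql_datasets(rdl_text):
    """Return [(dataset name, command text)] for datasets using inline SQL."""
    hits = []
    for ds in ET.fromstring(rdl_text).iter():
        query = next((n for n in ds if _local(n.tag) == "Query"), None)
        if _local(ds.tag) != "DataSet" or query is None:
            continue
        # An absent CommandType means Text, i.e. the CommandText is inline SQL.
        kind = _child_text(query, "CommandType") or "Text"
        if kind == "Text":
            hits.append((ds.get("Name"), _child_text(query, "CommandText") or ""))
    return hits

def reports_with_inline_sql(definitions):
    """definitions: {report path: RDL text}; keep only reports with hits."""
    scanned = {path: inline_sql_datasets(rdl) for path, rdl in definitions.items()}
    return {path: hits for path, hits in scanned.items() if hits}
```

Matching on the CommandType element avoids the false hits a plain text search for "select" gives on stored procedure names or report labels.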
I am generating reports using SQL Reporting Services 2005. I need to protect the reports (PDF and Excel) with a password while the user is exporting the report to Excel or PDF.
Is there any way to protect the report?
The short answer is that you can't do this from the provided PDF rendering extension from SSRS 2005 (either from the web UI or programmatically from the SSRS web services). You can, however, create your own rendering extension that could provide this functionality. Here are some links that might help get you started:
Introducing Rendering Extensions
Microsoft SQL Server 2005: Reporting Services
You could take a COTS library, some open-source code, or your own custom code that can create password-protected PDF files, then wrap that into a custom rendering extension for SSRS 2005. In my opinion, however, this would be a relatively difficult task. A quick Google search didn't give me any obvious rendering extensions for sale that might provide the functionality you're looking for.