searchbox error

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
Hi, there is an error.

Server Error in '/' Application.
A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$cph1$cph1$ctrlSearch$txtSearchTerm="...*(())_+:"><?").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$ctl00$cph1$cph1$ctrlSearch$txtSearchTerm="...*(())_+:"><?").
13 years ago
This is ASP.NET throwing an error because someone tried to "attack" your site. ASP.NET threw an error because the input text was not plain text. Look up ValidateRequest on Google.
13 years ago
I am having the same issue.
My nop_log table gets filled with those exceptions every day.

I am not live yet (but visible over the net) so I am wondering who could be trying to attack my site already...

I know this is not a nopCommerce issue, but does anyone have any hints on what could be done?
13 years ago
This should be filtered out in the first place, so that it does not throw exceptions. Isn't there SQL Injection prevention code on every client input field in the shop?

Here is an array of possible injections:


' Regular-expression fragments for SQL keywords and punctuation to look for in client
' input (match them case-insensitively, e.g. with RegExp.IgnoreCase = True).
badchars = array( _
"select(.*)(from|with|by){1}", "insert(.*)(into|values){1}", "update(.*)set", "delete(.*)(from|with){1}", _
"drop(.*)(from|aggre|role|assem|key|cert|cont|credential|data|endpoint|event|fulltext|function|index|login|type|schema|procedure|que|remote|role|route|sign|stat|syno|table|trigger|user|view|xml){1}", _
"alter(.*)(application|assem|key|author|cert|credential|data|endpoint|fulltext|function|index|login|type|schema|procedure|que|remote|role|route|serv|table|user|view|xml){1}", _
"xp_", "sp_", "restore\s", "grant\s", "revoke\s", _
"dbcc", "dump", "use\s", "set\s", "truncate\s", "backup\s", _
"load\s", "save\s", "shutdown", "cast(.*)\(", "convert(.*)\(", "execute\s", _
"updatetext", "writetext", "reconfigure", _
"/\*", "\*/", ";", "\-\-", "\[", "\]", "char(.*)\(", "nchar(.*)\(")


You could run this through a regex function on the input and do a replace.
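As an added example (not code from this thread), the list above transcribed into Python and run over a few constructed search terms, including the value from the logged exception: it shows the blocklist letting that value through while mangling ordinary searches such as "reset password", which is why request validation is better left enabled and input checks should be allow-list based rather than pattern deletion. The `REQUEST_VALIDATION` regex is my own simplified approximation of the ASP.NET 4 rule, not the framework's implementation.

```python
import re

# The SQL-injection blocklist from the post above, transcribed into Python raw strings;
# the stray spaces inside some alternations ("f ulltext", "u ser") were extraction artifacts.
BADCHARS = [
    r"select(.*)(from|with|by){1}", r"insert(.*)(into|values){1}", r"update(.*)set",
    r"delete(.*)(from|with){1}",
    r"drop(.*)(from|aggre|role|assem|key|cert|cont|credential|data|endpoint|event|fulltext"
    r"|function|index|login|type|schema|procedure|que|remote|role|route|sign|stat|syno|table"
    r"|trigger|user|view|xml){1}",
    r"alter(.*)(application|assem|key|author|cert|credential|data|endpoint|fulltext|function"
    r"|index|login|type|schema|procedure|que|remote|role|route|serv|table|user|view|xml){1}",
    r"xp_", r"sp_", r"restore\s", r"grant\s", r"revoke\s",
    r"dbcc", r"dump", r"use\s", r"set\s", r"truncate\s", r"backup\s",
    r"load\s", r"save\s", r"shutdown", r"cast(.*)\(", r"convert(.*)\(", r"execute\s",
    r"updatetext", r"writetext", r"reconfigure",
    r"/\*", r"\*/", r";", r"\-\-", r"\[", r"\]", r"char(.*)\(", r"nchar(.*)\(",
]
PATTERNS = [re.compile(p, re.IGNORECASE) for p in BADCHARS]

# Simplified approximation (an assumption, not the real implementation) of what ASP.NET 4
# request validation rejects: '<' followed by a letter, '!', '/' or '?', and the '&#' prefix.
REQUEST_VALIDATION = re.compile(r"<[A-Za-z!/?]|&#")


def matched_patterns(text: str) -> list:
    """Return every blocklist entry that fires on `text`."""
    return [p.pattern for p in PATTERNS if p.search(text)]


def blocklist_replace(text: str) -> str:
    """The 'regex and do a replace' idea from the post: delete every match."""
    for p in PATTERNS:
        text = p.sub("", text)
    return text


def request_validation_rejects(text: str) -> bool:
    """Would the approximated ASP.NET request-validation rule throw on this value?"""
    return REQUEST_VALIDATION.search(text) is not None


if __name__ == "__main__":
    # Constructed samples: the value from the logged exception, two ordinary search terms
    # and a textbook injection string.
    for term in ['...*(())_+:"><?', "reset password", "selection by color", "1; drop table users --"]:
        print(f"{term!r:28} blocklist={matched_patterns(term)!r:36} "
              f"replaced={blocklist_replace(term)!r:26} reqval={request_validation_rejects(term)}")
```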