Monday, August 27, 2007

Error in using Local Resources

Sometimes, in an ASP.NET application, when you try to access a localized resource, you get the following error message:

"System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture."

Reason:

This problem occurs if you use a localized resource that exists in a satellite assembly that you created by using a .resources file that has an inappropriate file name. This problem typically occurs if you manually create a satellite assembly.

To manually create a satellite assembly, you must first run the Resource File Generator (Resgen.exe), and then you must run the Assembly Linker (Al.exe). When you run Resgen.exe, if you do not specify the file name of the output file while you convert an XML-based resource format (.resx) file to a .resources file, Resgen.exe creates a .resources file that has the same file name as the input file. If the file name of your XML-based resource format file does not start with the namespace name of your application, the file name of the .resources file will not contain this namespace name either. You may then run Al.exe to create a satellite assembly that contains the localized resources from the .resources file. However, when you try to access a localized resource that exists in that satellite assembly, the error shown above occurs.

Solution:

To work around this problem, specify the file name of the .resources file when you run Resgen.exe. While you specify the file name of the .resources file, make sure that the file name starts with the namespace name of your application. For example, run the following command at the Microsoft Visual Studio .NET command prompt to create a .resources file that has the namespace name of your application at the beginning of the file name:
Resgen strings.CultureIdentifier.resx MyApp.strings.CultureIdentifier.resources

Reference:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;839861

Satellite Assemblies

Creating Satellite Assembly

Satellite assemblies are used to store localized resources. To create a satellite assembly from a .resx file, the following steps are taken:

1. Use the Resgen.exe utility to generate a .resources file from the .resx file
2. Use Al.exe to generate the satellite assembly

For example, suppose you have a resource file that stores resources in German.

1. Resgen.exe Resource.de.resx MyApp.Resource.de.resources

Note - Although it is not necessary to give the .resources file name, it is recommended that you give it, prefixed with the namespace.

2. Al.exe /t:lib /embed:MyApp.Resource.de.resources /culture:de /out:MyApp.German.dll

Note - To include multiple .resources files in a single satellite assembly, use the /embed: option multiple times in the command, like this:

Al.exe /t:lib /embed:MyApp.Resource1.de.resources /embed:MyApp.Resource2.de.resources /culture:de /out:MyApp.German.dll

Using Satellite Assembly

The ResourceManager class in .NET can be used to access resources in the satellite assembly.

Example: the following is the Page_Load event handler of the login.aspx page.

using System.Globalization;
using System.Reflection;
using System.Resources;

// Declared at class level: a local variable cannot be static in C#.
private static ResourceManager _resourceManager;

protected void Page_Load(object sender, EventArgs e)
{
    // Load the satellite assembly produced by Al.exe from the application's bin folder.
    string path = Server.MapPath("bin/MyApp.German.dll");
    // The base name must match the embedded .resources file name, minus the extension.
    _resourceManager = new ResourceManager("MyApp.Resource.de", Assembly.LoadFrom(path));
    Page.Culture = CultureInfo.CreateSpecificCulture("de").Name;
    Page.UICulture = CultureInfo.CreateSpecificCulture("de").Name;
    lblUserName.Text = _resourceManager.GetString("UserName");
    lblPassword.Text = _resourceManager.GetString("Password");
    btnSubmit.Text = _resourceManager.GetString("Login");
}

Note - The first parameter of the ResourceManager constructor is the base name of the resources that the satellite assembly contains, which is the qualified name of the .resources file (without the .resources extension) from which the satellite assembly was created using Al.exe.

Tuesday, August 21, 2007

SQL Statement Exploits

A variation on a script exploit is one that causes malicious SQL statements to be executed. This can occur if an application prompts users for information and then concatenates the user's input into a string representing the SQL statement. For example, an application might prompt for a customer name with the intention of executing a statement, such as the following:

"Select * From Customers where CustomerName = " & txtCustomerName.Value

But a malicious user who knows something about the database could use the text box to enter an embedded SQL statement with the customer name, resulting in a statement like the following:

Select * From Customers Where CustomerName = 'a' Delete From Customers Where CustomerName > ''

Now when the above query is executed, it will delete all the customer records from the database.

Protection

To protect against SQL statement exploits, never create SQL queries using string concatenation. Instead, use a parameterized query and assign user input to parameter objects.
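The two forms side by side, as an added example that is not part of the original post: the concatenated statement from above, and the same lookup written as a parameterized ADO.NET query. The class, connection string and column names are assumed for the illustration.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public class CustomerLookup
{
    private readonly string _connectionString;

    public CustomerLookup(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Vulnerable form (the pattern the post warns about): the text box value is
    // spliced into the statement, so a quote in the input ends the literal and
    // whatever follows it is executed as SQL.
    public string BuildUnsafeStatement(string customerName)
    {
        return "Select * From Customers Where CustomerName = '" + customerName + "'";
    }

    // Safe form: the statement text never changes, and the name travels as a typed
    // parameter value, so quotes and keywords in the input remain plain data.
    public List<string> FindByName(string customerName)
    {
        const string sql = "Select * From Customers Where CustomerName = @CustomerName";
        var names = new List<string>();
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length: the value is sent as an nvarchar(100) argument,
            // never concatenated into the command text.
            command.Parameters.Add("@CustomerName", SqlDbType.NVarChar, 100).Value = customerName;
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader["CustomerName"].ToString());
            }
        }
        return names;
    }
}
```

With the input from the post ("a' Delete From Customers Where CustomerName > '"), FindByName simply returns no rows, because the server compares the whole string against the column instead of parsing it.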

Script Exploits

A script exploit is the scenario where a web application allows any user to insert malicious code (JavaScript) into the text box controls on a web page and stores it in the database. When the same information is later shown to another user, that malicious code gets executed and can create havoc, because from the perspective of a browser a web page is simply a long string of characters. The browser processes the string sequentially, displaying some characters while interpreting other characters, such as < and >, according to special rules. If a malicious user can insert some of those special characters into a page, the browser will not know that the characters are not supposed to be there, and it will process them as part of the page.

Protection

ASP.NET provides you with several ways to help protect against scripting exploits. It performs request validation against query-string and form variables as well as cookie values. By default, if the current Request contains HTML-encoded elements or certain HTML characters (such as &#151; for an em dash), the ASP.NET page framework raises an error. But if you want your application to accept some HTML (for example, some formatting instructions from users), you should encode the HTML at the client before it is submitted to the server using the Server.HtmlEncode method. To display the same content that you encoded, you can use the Server.HtmlDecode method to decode it.

Example:
string Str = Server.HtmlEncode("<br>");
TextBox1.Text = Server.HtmlDecode(Str);

In the code above, the HtmlEncode method encodes the HTML tag <br> to "&lt;br&gt;", and the HtmlDecode method decodes it back to <br>.

Note:
This example will only work if you disable request validation in the page by adding the @ Page attribute ValidateRequest="false". It is not recommended that you disable request validation in a production application, so make sure that you enable request validation again after viewing this example.

ValidateRequest

The ValidateRequest attribute of the @ Page directive indicates whether request validation should occur. If true, request validation checks all input data against a hard-coded list of potentially dangerous values. If a match occurs, an HttpRequestValidationException is thrown. The default is true.
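The stored-script scenario above with and without encoding, as an added example that is not from the original post. It encodes on output (when the stored text is written into the page) using HttpUtility.HtmlEncode, which is the same encoder Server.HtmlEncode calls; the Label control, method names and sample comment are assumed.

```csharp
using System.Web;
using System.Web.UI.WebControls;

public static class CommentRenderer
{
    // Vulnerable: the stored comment is written into the page as markup, so any tag
    // the first user typed is parsed and executed by the next visitor's browser.
    public static void ShowUnsafe(Label target, string storedComment)
    {
        target.Text = storedComment;
    }

    // Safe: encode at output time. '<', '>', '&' and '"' become entities, so the browser
    // displays the characters instead of interpreting them as part of the page.
    public static void Show(Label target, string storedComment)
    {
        target.Text = Encode(storedComment);
    }

    public static string Encode(string storedComment)
    {
        return HttpUtility.HtmlEncode(storedComment);
    }

    // Constructed sample of what a malicious user could have saved through a text box.
    public const string SampleComment = "Nice site! <script>alert(1)</script>";
    // Encode(SampleComment) returns:
    //   Nice site! &lt;script&gt;alert(1)&lt;/script&gt;
    // which the browser renders as literal text, so no script runs.
}
```

Encoding on output rather than before storage also keeps the original text intact in the database, so the same value can later be rendered safely in another context.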

Reference:
http://msdn2.microsoft.com/en-us/library/w1sw53ds.aspx

Implementing file download functionality

The following is the code for implementing file download functionality in a web application.

private void FileDownload()
{
    string filePath = "c:\\MyDoc.doc";
    System.IO.FileInfo myFile = new System.IO.FileInfo(filePath);
    Response.Clear();
    Response.ClearHeaders();
    Response.ContentType = "application/doc";
    // Tell the browser the size and that the body should be saved as a file, not displayed.
    Response.AppendHeader("Content-Length", myFile.Length.ToString());
    Response.AppendHeader("Content-Disposition", "attachment; filename=" + myFile.Name);
    Response.WriteFile(filePath);
    Response.End();
}

In the above code snippet, a Word document on the web server's C: drive is used for downloading.
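The snippet above serves one fixed file. As an added example (not from the original post) that generalizes it, the helper below serves a file chosen by name but only from one download folder, rejecting any name that resolves outside that folder. The folder name, class and method names are assumed.

```csharp
using System;
using System.IO;
using System.Web;

public static class DownloadHelper
{
    // Folder whose files may be downloaded (assumed; adjust for the application).
    private const string DownloadFolder = "~/App_Data/Downloads";

    // Resolves a user-supplied file name to a full path inside DownloadFolder.
    // Returns null if the name climbs out of the folder or the file does not exist.
    public static string ResolveDownloadPath(HttpServerUtility server, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName))
            return null;
        string root = Path.GetFullPath(server.MapPath(DownloadFolder))
                          .TrimEnd(Path.DirectorySeparatorChar);
        // Keep only the final path component, then re-check that the normalized
        // result still sits under the download folder.
        string candidate = Path.GetFullPath(Path.Combine(root, Path.GetFileName(requestedName)));
        if (!candidate.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return null;
        return File.Exists(candidate) ? candidate : null;
    }

    // Same header sequence as the post's FileDownload, applied to the resolved path.
    public static void SendFile(HttpResponse response, string fullPath)
    {
        FileInfo file = new FileInfo(fullPath);
        response.Clear();
        response.ClearHeaders();
        response.ContentType = "application/octet-stream";
        response.AppendHeader("Content-Length", file.Length.ToString());
        // Quote the name so a file name containing spaces is not truncated by the browser.
        response.AppendHeader("Content-Disposition", "attachment; filename=\"" + file.Name + "\"");
        response.WriteFile(fullPath);
        response.End();
    }
}
```

A page would call ResolveDownloadPath(Server, Request.QueryString["file"]) and send the file only when the result is not null, returning a 404 otherwise.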