public static string MakeResetRequest(string userId, string token) { try { string resetId = FooStringHelper.RandomString(16); using (var conn = new NpgsqlConnection()) { // App-DB connection. conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO Resets (resetId, userId, resetTime) VALUES (@RESETID, @USERID, @RESETTIME);", CommandType = CommandType.Text, Connection = conn }; var resetParam = new NpgsqlParameter { ParameterName = "@RESETID", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = resetId }; cmd.Parameters.Add(resetParam); var idParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = FooCryptHelper.Encrypt(userId, token) }; cmd.Parameters.Add(idParam); var timeParam = new NpgsqlParameter { ParameterName = "@RESETTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Direction = ParameterDirection.Input, Value = DateTime.Now }; cmd.Parameters.Add(timeParam); cmd.ExecuteNonQuery(); cmd.Dispose(); return(resetId); } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); return(null); } }
protected void submitButton_Click(object sender, EventArgs e) { string alias = aliasText.Text; string email = emailText.Text; string address = addressText.Text; string city = cityText.Text; string country = countryText.Text; string username = usernameText.Text; string pass = passText.Text; if (!String.IsNullOrEmpty(alias) && FooStringHelper.IsValidEmailAddress(email) && !String.IsNullOrEmpty(address) && !String.IsNullOrEmpty(city) && !String.IsNullOrEmpty(country) && !String.IsNullOrEmpty(username) && !String.IsNullOrEmpty(pass)) { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { string userId = FooStringHelper.RandomString(16); if (!CheckIfUsernameExists(username) && !FooEmailHelper.CheckIfEmailExists(email, username)) { errorPanel.Visible = false; formPanel.Visible = false; successPanel.Visible = true; string defaultGroup = ConfigurationManager.AppSettings["User Group ID"] ?? "ri3EKpc5Z5gN4FEu"; bool insertedUser = RegisterNewUser(userId, alias, email, address, city, country, username, pass, defaultGroup); successLabel.Text = insertedUser ? "Your account has been successfully created. You can proceed to <a href=\"login.aspx\">log on</a>." : "Failed to create account. The administrator has been notified. Please try again."; errorPanel.Visible = false; errorLabel.Text = ""; } else { errorPanel.Visible = true; errorLabel.Text = "Some details already exist in this application."; } } else { errorPanel.Visible = true; errorLabel.Text = "Invalid request."; } } else { errorPanel.Visible = true; errorLabel.Text = "Incomplete or invalid details."; } RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); }
public static string SetToken(HttpContext context) { string value = FooStringHelper.RandomString(24); string encryptedValue = FooCryptHelper.MachineEncrypt(value); string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"]; var ck = new HttpCookie(cookieName, encryptedValue) { Path = FormsAuthentication.FormsCookiePath }; context.Response.Cookies.Add(ck); return(value); }
protected void submitButton_Click(object sender, EventArgs e) { string reviewBody = reviewText.Text; string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId; string merchId = Request.QueryString["id"]; if (string.IsNullOrEmpty(reviewBody)) { RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); reviewErrorLabel.Text = "Incomplete input."; return; } if (!FooStringHelper.IsValidAlphanumeric(merchId, 16)) { RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); reviewErrorLabel.Text = "Invalid input."; return; } try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO reviews(reviewid, reviewtime, userid, merchid, reviewbody) VALUES (@REVIEWID, @REVIEWTIME, @USERID, @MERCHID, @REVIEWBODY)", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@REVIEWID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) }; cmd.Parameters.Add(idParam); var timeParam = new NpgsqlParameter { ParameterName = "@REVIEWTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Size = 32, Direction = ParameterDirection.Input, Value = DateTime.Now }; cmd.Parameters.Add(timeParam); var userParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(userParam); var merchParam = new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId }; cmd.Parameters.Add(merchParam); var bodyParam = new NpgsqlParameter { ParameterName = "@REVIEWBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = reviewBody }; cmd.Parameters.Add(bodyParam); cmd.ExecuteNonQuery(); cmd.Dispose(); reviewErrorLabel.Text = ""; reviewText.Text = ""; } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); reviewErrorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); Load_Forms(merchId); }
protected void submitButton_Click(object sender, EventArgs e) { string email = emailText.Text.Trim(); if (!String.IsNullOrEmpty(email) || !FooStringHelper.IsValidEmailAddress(email)) { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { if (FooEmailHelper.CheckIfEmailExists(email, null)) { UserObject user = GetUserObjByEmail(email); if (user != null) { string resetToken = FooStringHelper.RandomString(24); string resetId = MakeResetRequest(user.UserId, resetToken); string resetUrl = FooStringHelper.MakeResetUrl(resetId, resetToken); string emailBody = String.Format( "Hi {0},<br/><br/>Your FooBlog password for account '{1}' can be reset by visiting the following link:<br/><br/><a href=\"{2}\">{3}</a><br/><br/>The link is valid for 24 hours. If you did not request this reset, simply do not visit the link - your current password will remain unchanged.<br/><br/>Cheers,<br/>The FooBlog Team.", user.UserAlias, user.Username, resetUrl, resetUrl); const string emailSubject = "FooBlog Password Reset"; var mailObj = new EmailObject { Body = emailBody, Subject = emailSubject, ToAddress = email }; bool sendMail = FooEmailHelper.SendEmail(mailObj); if (sendMail) { errorPanel.Visible = false; formPanel.Visible = false; successPanel.Visible = true; successLabel.Text = "A reset link has been sent to your registered email account."; } } else { errorPanel.Visible = true; errorLabel.Text = "Invalid details."; } } else { errorPanel.Visible = true; errorLabel.Text = "Invalid request."; } } else { errorPanel.Visible = true; errorLabel.Text = "Invalid details."; } } else { errorPanel.Visible = true; errorLabel.Text = "Incomplete or invalid details."; } RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); }
protected void CategoryGrid_Command(object sender, GridViewCommandEventArgs e) { int postId = Convert.ToInt32(postView.SelectedValue); var txtCatNameFooter = (TextBox)categoryGrid.FooterRow.FindControl("txtCatNameFooter"); if (!string.IsNullOrEmpty(txtCatNameFooter.Text)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { if (e.CommandName.Equals("AddNew")) { // Define connection string. using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO categories(catid, catname) VALUES (@CATID, @NAME)", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) }; cmd.Parameters.Add(idParam); var nameParam = new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtCatNameFooter.Text }; cmd.Parameters.Add(nameParam); cmd.ExecuteNonQuery(); cmd.Dispose(); } } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } } else { errorLabel.Text = "Incomplete or invalid input."; } Reset_Page(postId); }
protected void MerchView_ItemInserting(object sender, DetailsViewInsertEventArgs e) { string merchId = FooStringHelper.RandomString(16); var txtMerchName = (TextBox)merchView.FindControl("txtMerchName"); var txtMerchPrice = (TextBox)merchView.FindControl("txtMerchPrice"); var txtMerchBrief = (TextBox)merchView.FindControl("txtMerchBrief"); var txtMerchBody = (TextBox)merchView.FindControl("txtMerchBody"); var imageUploadForm = (FileUpload)merchView.FindControl("imageUploadForm"); var merchEnabledCheckbox = (CheckBox)merchView.FindControl("merchEnabledCheckbox"); if (!string.IsNullOrEmpty(txtMerchName.Text) && !string.IsNullOrEmpty(txtMerchPrice.Text) && FooStringHelper.IsValidPrice(txtMerchPrice.Text) && !string.IsNullOrEmpty(txtMerchBrief.Text) && !string.IsNullOrEmpty(txtMerchBody.Text)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { // Define connection string. using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO merchandise (merchid, merchname, merchprice, merchbrief, merchbody, merchenabled) VALUES (@MERCHID, @MERCHNAME, @MERCHPRICE, @MERCHBRIEF, @MERCHBODY, @MERCHENABLED)", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId }; cmd.Parameters.Add(idParam); var nameParam = new NpgsqlParameter { ParameterName = "@MERCHNAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = txtMerchName.Text }; cmd.Parameters.Add(nameParam); var priceParam = new NpgsqlParameter { ParameterName = "@MERCHPRICE", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 8, Direction = ParameterDirection.Input, Value = txtMerchPrice.Text }; cmd.Parameters.Add(priceParam); var briefParam = new NpgsqlParameter { ParameterName = "@MERCHBRIEF", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = txtMerchBrief.Text }; cmd.Parameters.Add(briefParam); var bodyParam = new NpgsqlParameter { ParameterName = "@MERCHBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = txtMerchBody.Text }; cmd.Parameters.Add(bodyParam); var enabledParam = new NpgsqlParameter { ParameterName = "@MERCHENABLED", NpgsqlDbType = NpgsqlDbType.Boolean, Direction = ParameterDirection.Input, Value = merchEnabledCheckbox.Checked }; cmd.Parameters.Add(enabledParam); cmd.ExecuteNonQuery(); cmd.Dispose(); } if (imageUploadForm.HasFile) { HttpPostedFile file = HttpContext.Current.Request.Files[0]; Insert_NewImage(merchId, file); } else { Insert_NewImage(merchId, null); } } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } } else { errorLabel.Text = "Incomplete or invalid input."; } Reset_Page(string.Empty); }
protected void submitButton_Click(object sender, EventArgs e) { string commentBody = commentText.Text; string userId = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current).UserId; string postId = Request.QueryString["id"]; if (!string.IsNullOrEmpty(commentBody)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO comments(commentid, commenttime, userid, postid, commentbody) VALUES (@COMMENTID, @COMMENTTIME, @USERID, @POSTID, @COMMENTBODY)", CommandType = CommandType.Text, Connection = conn }; var idParam = new NpgsqlParameter { ParameterName = "@COMMENTID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) }; cmd.Parameters.Add(idParam); var timeParam = new NpgsqlParameter { ParameterName = "@COMMENTTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Size = 32, Direction = ParameterDirection.Input, Value = DateTime.Now }; cmd.Parameters.Add(timeParam); var userParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) }; cmd.Parameters.Add(userParam); var postParam = new NpgsqlParameter { ParameterName = "@POSTID", NpgsqlDbType = NpgsqlDbType.Integer, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(postId) }; cmd.Parameters.Add(postParam); var bodyParam = new NpgsqlParameter { ParameterName = "@COMMENTBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = commentBody }; cmd.Parameters.Add(bodyParam); cmd.ExecuteNonQuery(); cmd.Dispose(); commentText.Text = ""; commentErrorLabel.Text = ""; } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); commentErrorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } Load_Forms(); } else { commentErrorLabel.Text = "Incomplete input."; } RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current); }
protected void GridView_Command(object sender, GridViewCommandEventArgs e) { string userId = FooStringHelper.RandomString(16); var txtUserNameFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserNameFooter"); var txtUserAliasFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserAliasFooter"); var txtEmailFooter = (TextBox)userGrid.FooterRow.FindControl("txtEmailFooter"); var txtUserPasswordFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserPasswordFooter"); var groupDropdownFooter = (DropDownList)userGrid.FooterRow.FindControl("groupDropdownFooter"); if (!string.IsNullOrEmpty(txtUserNameFooter.Text) && !string.IsNullOrEmpty(txtUserAliasFooter.Text) && !string.IsNullOrEmpty(txtEmailFooter.Text) && FooStringHelper.IsValidEmailAddress(txtEmailFooter.Text) && !string.IsNullOrEmpty(txtUserPasswordFooter.Text)) { try { if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value)) { if (e.CommandName.Equals("AddNew")) { using (var conn = new NpgsqlConnection()) { conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString; conn.Open(); var cmd = new NpgsqlCommand { CommandText = "INSERT INTO users(userid,username,useralias,groupid,email,passwordhash,profileimg) VALUES (@USERID,@NAME,@DISP,@GROUP,@EMAIL,@HASH,'profile_default.jpg')", CommandType = CommandType.Text, Connection = conn }; var userIdParam = new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = userId }; cmd.Parameters.Add(userIdParam); var nameParam = new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserNameFooter.Text }; cmd.Parameters.Add(nameParam); var dispParam = new NpgsqlParameter { ParameterName = "@DISP", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserAliasFooter.Text }; cmd.Parameters.Add(dispParam); var groupParam = new NpgsqlParameter { ParameterName = "@GROUP", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = groupDropdownFooter.SelectedValue }; cmd.Parameters.Add(groupParam); var emailParam = new NpgsqlParameter { ParameterName = "@EMAIL", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = txtEmailFooter.Text }; cmd.Parameters.Add(emailParam); var hashParam = new NpgsqlParameter { ParameterName = "@HASH", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = FooCryptHelper.CreateShaHash(txtUserPasswordFooter.Text) }; cmd.Parameters.Add(hashParam); cmd.ExecuteNonQuery(); cmd.Dispose(); } } } else { errorLabel.Text = "Invalid request."; } } catch (Exception ex) { FooLogging.WriteLog(ex.ToString()); errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } } else { errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator."; } Reset_Page(); }
protected void genButton_Click(object sender, EventArgs e) { outLabel.Text = FooStringHelper.RandomString(int.Parse(lenBox.Text)); }