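/// <summary>
/// Creates a password-reset record for <paramref name="userId"/> and returns the new reset id.
/// </summary>
/// <param name="userId">Id of the account being reset. It is passed through <c>FooCryptHelper.Encrypt</c>
/// together with <paramref name="token"/> before being stored (presumably keyed by the token — confirm in FooCryptHelper).</param>
/// <param name="token">Secret reset token the caller mails to the user.</param>
/// <returns>The 16-character reset id, or <c>null</c> when the database write failed (the failure is logged).</returns>
public static string MakeResetRequest(string userId, string token)
{
    try
    {
        string resetId = FooStringHelper.RandomString(16);
        using (var conn = new NpgsqlConnection())
        {
            // App-DB connection.
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            // Dispose the command on every exit path, not only after a successful insert.
            using (var cmd = new NpgsqlCommand
            {
                CommandText = "INSERT INTO Resets (resetId, userId, resetTime) VALUES (@RESETID, @USERID, @RESETTIME);",
                CommandType = CommandType.Text,
                Connection = conn
            })
            {
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@RESETID", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = resetId });
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = FooCryptHelper.Encrypt(userId, token) });
                // NOTE(review): local server time; whatever enforces the 24-hour validity window must read the same clock — confirm.
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@RESETTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Direction = ParameterDirection.Input, Value = DateTime.Now });
                cmd.ExecuteNonQuery();
            }
        }
        return resetId;
    }
    catch (Exception ex)
    {
        // Best-effort: callers treat null as "no reset request could be created".
        FooLogging.WriteLog(ex.ToString());
        return null;
    }
}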
/// <summary>
/// Handles the registration form submit: checks the fields, the CSRF token and the
/// uniqueness of username/email, then creates the account and switches the visible panel.
/// A fresh request token is issued on every path.
/// </summary>
protected void submitButton_Click(object sender, EventArgs e)
{
    string alias = aliasText.Text;
    string email = emailText.Text;
    string address = addressText.Text;
    string city = cityText.Text;
    string country = countryText.Text;
    string username = usernameText.Text;
    string pass = passText.Text;

    bool fieldsComplete = !String.IsNullOrEmpty(alias)
                          && FooStringHelper.IsValidEmailAddress(email)
                          && !String.IsNullOrEmpty(address)
                          && !String.IsNullOrEmpty(city)
                          && !String.IsNullOrEmpty(country)
                          && !String.IsNullOrEmpty(username)
                          && !String.IsNullOrEmpty(pass);

    // A non-null failure message means the error panel is shown with that text.
    string failure = null;
    if (!fieldsComplete)
    {
        failure = "Incomplete or invalid details.";
    }
    else if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
    {
        failure = "Invalid request.";
    }
    else
    {
        string userId = FooStringHelper.RandomString(16);
        bool alreadyTaken = CheckIfUsernameExists(username) || FooEmailHelper.CheckIfEmailExists(email, username);
        if (alreadyTaken)
        {
            failure = "Some details already exist in this application.";
        }
        else
        {
            errorPanel.Visible = false;
            formPanel.Visible = false;
            successPanel.Visible = true;
            // Fallback group id applies only when the setting is absent from config.
            string defaultGroup = ConfigurationManager.AppSettings["User Group ID"] ?? "ri3EKpc5Z5gN4FEu";
            bool insertedUser = RegisterNewUser(userId, alias, email, address, city, country, username, pass, defaultGroup);
            if (insertedUser)
            {
                successLabel.Text = "Your account has been successfully created. You can proceed to <a href=\"login.aspx\">log on</a>.";
            }
            else
            {
                successLabel.Text = "Failed to create account. The administrator has been notified. Please try again.";
            }
            errorLabel.Text = "";
        }
    }

    if (failure != null)
    {
        errorPanel.Visible = true;
        errorLabel.Text = failure;
    }
    RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
}
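/// <summary>
/// Deletes the review selected in <c>reviewGrid</c> after validating the selected merchandise id,
/// the review row key and the CSRF token, then rebinds the page.
/// </summary>
protected void ReviewGrid_Delete(object sender, GridViewDeleteEventArgs e)
{
    string merchId = FooStringHelper.RemoveInvalidChars(merchView.SelectedValue.ToString());
    if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
    {
        errorLabel.Text = "Invalid request.";
        Reset_Page(string.Empty);
        return;
    }
    try
    {
        if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
        {
            errorLabel.Text = "Invalid request.";
        }
        else
        {
            // Validate the row key with the same rule as merchId (review ids are RandomString(16)),
            // rather than only stripping characters from it.
            string reviewId = FooStringHelper.RemoveInvalidChars(reviewGrid.DataKeys[e.RowIndex].Values[0].ToString());
            if (!FooStringHelper.IsValidAlphanumeric(reviewId, 16))
            {
                errorLabel.Text = "Invalid request.";
            }
            else
            {
                using (var conn = new NpgsqlConnection())
                {
                    conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                    conn.Open();
                    using (var cmd = new NpgsqlCommand { CommandText = "DELETE FROM reviews WHERE reviewid= @REVIEWID", CommandType = CommandType.Text, Connection = conn })
                    {
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@REVIEWID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = reviewId });
                        cmd.ExecuteNonQuery();
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    Reset_Page(merchId);
}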
/// <summary>Loads the page for the category named by the <c>id</c> query-string value, or reports an invalid id.</summary>
protected void Page_Load(object sender, EventArgs e)
{
    string categoryId = Request.QueryString["id"];
    if (!FooStringHelper.IsValidAlphanumeric(categoryId, 16))
    {
        errorLabel.Text = "Invalid category.";
        return;
    }
    Load_Forms(categoryId);
}
/// <summary>Loads the page for the user named by the <c>id</c> query-string value (cleaned first), or reports an invalid id.</summary>
protected void Page_Load(object sender, EventArgs e)
{
    string requestedUser = FooStringHelper.RemoveInvalidChars(Request.QueryString["id"]);
    bool idIsValid = FooStringHelper.IsValidAlphanumeric(requestedUser, 16);
    if (idIsValid)
    {
        Load_Forms(requestedUser);
        return;
    }
    errorLabel.Text = "Invalid user.";
}
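/// <summary>
/// Binds <c>userView</c> to the profile row of the currently signed-in user (taken from the session cookie).
/// </summary>
protected void Load_Forms()
{
    // A missing session object must reach the validation below instead of throwing here.
    var currentUser = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current);
    string userId = currentUser == null ? null : currentUser.UserId;
    if (!FooStringHelper.IsValidAlphanumeric(userId, 16))
    {
        errorLabel.Text = "Invalid request.";
        return;
    }
    try
    {
        using (var conn = new NpgsqlConnection())
        {
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            using (var cmd = new NpgsqlCommand("SELECT userid, useralias, email, address, city, country, profilebody, profileimg FROM users WHERE userid= @USERID", conn))
            {
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) });
                using (NpgsqlDataReader dr = cmd.ExecuteReader())
                {
                    userView.DataSource = dr;
                    userView.DataBind();
                }
            }
        }
        errorLabel.Text = "";
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
}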
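/// <summary>
/// Issues a new CSRF token: the plain value is returned for the hidden form field and its
/// machine-encrypted form is written to the cookie named by the "CSRF Cookie Name" setting.
/// </summary>
/// <param name="context">Request context whose response receives the cookie.</param>
/// <returns>The 24-character plain token to place in the form.</returns>
public static string SetToken(HttpContext context)
{
    string value = FooStringHelper.RandomString(24);
    string encryptedValue = FooCryptHelper.MachineEncrypt(value);
    string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"];
    var ck = new HttpCookie(cookieName, encryptedValue)
    {
        Path = FormsAuthentication.FormsCookiePath,
        // The server compares the cookie with the hidden field; script never needs to read it.
        HttpOnly = true,
        // Require HTTPS transport wherever forms authentication already does, so plain-HTTP deployments keep working.
        Secure = FormsAuthentication.RequireSSL
    };
    context.Response.Cookies.Add(ck);
    return value;
}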
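/// <summary>
/// Prepares the password-reset page: refuses signed-in users, and on a first (non-postback)
/// request shows the form only when the <c>id</c>/<c>token</c> query-string pair resolves to an account.
/// </summary>
protected void Page_Load(object sender, EventArgs e)
{
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        formPanel.Visible = false;
        errorPanel.Visible = true;
        errorLabel.Text = "Please log out first, or reset your password in the <a href=\"edit_profile.aspx\">profile editor</a>.";
        // Stop here: the link check below would otherwise re-show the form for a signed-in user.
        return;
    }
    if (Page.IsPostBack)
    {
        return;
    }
    RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
    string resetId = Request.QueryString["id"];
    string token = Request.QueryString["token"];
    // The lookup only runs once both values have the expected shape.
    bool linkIsValid = FooStringHelper.IsValidAlphanumeric(resetId, 16)
                       && FooStringHelper.IsValidAlphanumeric(token, 24)
                       && !String.IsNullOrEmpty(GetAccountForReset(resetId, token));
    if (linkIsValid)
    {
        formPanel.Visible = true;
    }
    else
    {
        errorPanel.Visible = true;
        errorLabel.Text = "Invalid request.";
    }
}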
/// <summary>
/// On first load, issues a CSRF token and binds the merchandise page for the <c>id</c>
/// query-string value; postbacks keep their existing state.
/// </summary>
protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        return;
    }
    string requestedId = Request.QueryString["id"];
    bool idIsValid = FooStringHelper.IsValidAlphanumeric(requestedId, 16);
    if (!idIsValid)
    {
        errorLabel.Text = "Invalid item.";
        return;
    }
    RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
    Load_Forms(requestedId);
}
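/// <summary>
/// Checks a submitted CSRF form value against the token stored (machine-encrypted) in the
/// "CSRF Cookie Name" cookie.
/// </summary>
/// <param name="context">Request context holding the cookie.</param>
/// <param name="formValue">Plain token posted back from the hidden form field.</param>
/// <returns><c>true</c> only when the cookie exists, both values are 24-character alphanumerics and they match.</returns>
public static bool IsValidRequest(HttpContext context, string formValue)
{
    string cookieName = ConfigurationManager.AppSettings["CSRF Cookie Name"];
    HttpCookie httpCookie = context.Request.Cookies[cookieName];
    if (httpCookie == null)
    {
        return false;
    }
    // NOTE(review): MachineDecrypt may throw on a tampered cookie value; some callers wrap this in try/catch, others do not — confirm.
    string userToken = FooCryptHelper.MachineDecrypt(httpCookie.Value);
    if (!FooStringHelper.IsValidAlphanumeric(userToken, 24) || !FooStringHelper.IsValidAlphanumeric(formValue, 24))
    {
        return false;
    }
    // Secret comparison: do not stop at the first differing character.
    return FixedTimeEquals(userToken, formValue);
}

// Compares two strings of equal length in time independent of where they differ.
private static bool FixedTimeEquals(string a, string b)
{
    if (a.Length != b.Length)
    {
        return false;
    }
    int diff = 0;
    for (int i = 0; i < a.Length; i++)
    {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}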
/// <summary>
/// Reloads the merchandise forms for the row selected in <c>merchGrid</c>; an id that is not a
/// 16-character alphanumeric resets the page instead.
/// </summary>
protected void MerchGrid_SelectedIndexChanged(object sender, EventArgs e)
{
    try
    {
        var selectedRow = merchGrid.Rows[merchGrid.SelectedIndex];
        string selectedId = selectedRow.Cells[0].Text;
        bool idIsValid = FooStringHelper.IsValidAlphanumeric(selectedId, 16);
        if (idIsValid)
        {
            Load_Forms(selectedId);
            return;
        }
        errorLabel.Text = "Invalid request.";
        Reset_Page(string.Empty);
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
}
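/// <summary>
/// Posts a new comment on the post named by the <c>id</c> query-string value, then reloads
/// the page content. A fresh request token is issued on every path.
/// </summary>
protected void submitButton_Click(object sender, EventArgs e)
{
    string commentBody = commentText.Text;
    // A missing session object must not throw before the input checks run.
    var currentUser = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current);
    string userId = currentUser == null ? null : currentUser.UserId;
    string postIdText = Request.QueryString["id"];
    int postId;
    if (string.IsNullOrEmpty(commentBody))
    {
        commentErrorLabel.Text = "Incomplete input.";
    }
    else if (!int.TryParse(postIdText, out postId))
    {
        // postid is an integer column; reject a non-numeric id here instead of letting the insert fail.
        commentErrorLabel.Text = "Invalid input.";
    }
    else
    {
        try
        {
            if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
            {
                using (var conn = new NpgsqlConnection())
                {
                    conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                    conn.Open();
                    using (var cmd = new NpgsqlCommand
                    {
                        CommandText = "INSERT INTO comments(commentid, commenttime, userid, postid, commentbody) VALUES (@COMMENTID, @COMMENTTIME, @USERID, @POSTID, @COMMENTBODY)",
                        CommandType = CommandType.Text,
                        Connection = conn
                    })
                    {
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@COMMENTID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) });
                        // NOTE(review): local server time is stored — confirm readers expect that rather than UTC.
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@COMMENTTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Direction = ParameterDirection.Input, Value = DateTime.Now });
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) });
                        // Bind the parsed integer, not the raw string, to the Integer parameter.
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@POSTID", NpgsqlDbType = NpgsqlDbType.Integer, Direction = ParameterDirection.Input, Value = postId });
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@COMMENTBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = commentBody });
                        cmd.ExecuteNonQuery();
                    }
                    commentText.Text = "";
                    commentErrorLabel.Text = "";
                }
            }
            else
            {
                errorLabel.Text = "Invalid request.";
            }
        }
        catch (Exception ex)
        {
            FooLogging.WriteLog(ex.ToString());
            commentErrorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
        }
        Load_Forms();
    }
    RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
}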
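/// <summary>
/// Generates a random string of the length typed into <c>lenBox</c> and shows it in <c>outLabel</c>.
/// </summary>
protected void genButton_Click(object sender, EventArgs e)
{
    int length;
    // A non-numeric or negative length used to surface as an unhandled exception on the page.
    // NOTE(review): there is no upper bound on the requested length — consider capping it.
    if (!int.TryParse(lenBox.Text, out length) || length < 0)
    {
        outLabel.Text = "Invalid input.";
        return;
    }
    outLabel.Text = FooStringHelper.RandomString(length);
}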
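/// <summary>
/// Saves the edited username, alias, group and email of the <c>userGrid</c> row being updated,
/// then resets the page. Requires a valid 16-character user id and CSRF token.
/// </summary>
protected void GridView_Update(object sender, GridViewUpdateEventArgs e)
{
    string userId = userGrid.DataKeys[e.RowIndex].Values[0].ToString();
    if (!FooStringHelper.IsValidAlphanumeric(userId, 16))
    {
        errorLabel.Text = "Invalid request.";
        Reset_Page();
        return;
    }
    var txtUserName = (TextBox)userGrid.Rows[e.RowIndex].FindControl("txtUserName");
    var txtUserAlias = (TextBox)userGrid.Rows[e.RowIndex].FindControl("txtUserAlias");
    var txtEmail = (TextBox)userGrid.Rows[e.RowIndex].FindControl("txtEmail");
    var groupDropdown = (DropDownList)userGrid.Rows[e.RowIndex].FindControl("groupDropdown");
    bool inputOk = !string.IsNullOrEmpty(txtUserName.Text)
                   && !string.IsNullOrEmpty(txtUserAlias.Text)
                   && !string.IsNullOrEmpty(txtEmail.Text)
                   && FooStringHelper.IsValidEmailAddress(txtEmail.Text);
    if (!inputOk)
    {
        errorLabel.Text = "Incomplete or invalid input.";
    }
    else
    {
        try
        {
            if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
            {
                using (var conn = new NpgsqlConnection())
                {
                    conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                    conn.Open();
                    using (var cmd = new NpgsqlCommand
                    {
                        CommandText = "UPDATE users SET (username, useralias, groupid, email) = (@NAME, @USERALIAS, @GROUP, @EMAIL) WHERE userID= @USERID",
                        CommandType = CommandType.Text,
                        Connection = conn
                    })
                    {
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = userId });
                        // Parameter names must match the placeholders in CommandText: the username was
                        // previously registered as @USERNAME and so never bound to @NAME.
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserName.Text });
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERALIAS", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtUserAlias.Text });
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@EMAIL", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = txtEmail.Text });
                        // NOTE(review): the selected group id is sent as-is; if group ids are 16-character
                        // alphanumerics like the configured default, validating it with IsValidAlphanumeric(…, 16) would match the other ids — confirm.
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@GROUP", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = groupDropdown.SelectedValue });
                        cmd.ExecuteNonQuery();
                    }
                }
            }
            else
            {
                errorLabel.Text = "Invalid request.";
            }
        }
        catch (Exception ex)
        {
            FooLogging.WriteLog(ex.ToString());
            errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
        }
    }
    Reset_Page();
}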
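/// <summary>
/// Handles the "forgot password" form: validates the address and CSRF token, creates a reset
/// request for the matching account and emails the reset link. A fresh request token is issued on every path.
/// </summary>
protected void submitButton_Click(object sender, EventArgs e)
{
    string email = emailText.Text.Trim();
    // Both conditions must hold; the previous `||` accepted any non-empty string as an address.
    if (String.IsNullOrEmpty(email) || !FooStringHelper.IsValidEmailAddress(email))
    {
        errorPanel.Visible = true;
        errorLabel.Text = "Incomplete or invalid details.";
    }
    else if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
    {
        errorPanel.Visible = true;
        errorLabel.Text = "Invalid request.";
    }
    else
    {
        UserObject user = FooEmailHelper.CheckIfEmailExists(email, null) ? GetUserObjByEmail(email) : null;
        if (user == null)
        {
            // NOTE(review): this differs from the success message, so the response reveals whether an
            // address is registered — a uniform message would avoid account enumeration.
            errorPanel.Visible = true;
            errorLabel.Text = "Invalid details.";
        }
        else
        {
            SendResetLink(user, email);
        }
    }
    RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
}

// Creates the reset record for `user` and mails the link to `email`, updating the panels with the outcome.
private void SendResetLink(UserObject user, string email)
{
    string resetToken = FooStringHelper.RandomString(24);
    string resetId = MakeResetRequest(user.UserId, resetToken);
    if (String.IsNullOrEmpty(resetId))
    {
        // MakeResetRequest returns null after logging a failed insert; do not mail a link that cannot work.
        errorPanel.Visible = true;
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
        return;
    }
    string resetUrl = FooStringHelper.MakeResetUrl(resetId, resetToken);
    string emailBody = String.Format(
        "Hi {0},<br/><br/>Your FooBlog password for account '{1}' can be reset by visiting the following link:<br/><br/><a href=\"{2}\">{3}</a><br/><br/>The link is valid for 24 hours. If you did not request this reset, simply do not visit the link - your current password will remain unchanged.<br/><br/>Cheers,<br/>The FooBlog Team.",
        user.UserAlias, user.Username, resetUrl, resetUrl);
    const string emailSubject = "FooBlog Password Reset";
    var mailObj = new EmailObject { Body = emailBody, Subject = emailSubject, ToAddress = email };
    bool sendMail = FooEmailHelper.SendEmail(mailObj);
    if (sendMail)
    {
        errorPanel.Visible = false;
        formPanel.Visible = false;
        successPanel.Visible = true;
        successLabel.Text = "A reset link has been sent to your registered email account.";
    }
    else
    {
        // Previously a failed send left the page without any feedback.
        errorPanel.Visible = true;
        errorLabel.Text = "Failed to send the reset email. Please try again later.";
    }
}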
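/// <summary>
/// Handles <c>categoryGrid</c> commands: "AddNew" inserts a category named in the footer row
/// (after the CSRF check); every command ends by resetting the page for the selected post.
/// </summary>
protected void CategoryGrid_Command(object sender, GridViewCommandEventArgs e)
{
    // NOTE(review): throws outside the try/catch when no post is selected — confirm a selection is guaranteed.
    int postId = Convert.ToInt32(postView.SelectedValue);
    var txtCatNameFooter = (TextBox)categoryGrid.FooterRow.FindControl("txtCatNameFooter");
    if (string.IsNullOrEmpty(txtCatNameFooter.Text))
    {
        errorLabel.Text = "Incomplete or invalid input.";
    }
    else
    {
        try
        {
            if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
            {
                errorLabel.Text = "Invalid request.";
            }
            else if (string.Equals(e.CommandName, "AddNew", StringComparison.Ordinal))
            {
                using (var conn = new NpgsqlConnection())
                {
                    conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                    conn.Open();
                    // Dispose the command on every exit path, not only after a successful insert.
                    using (var cmd = new NpgsqlCommand { CommandText = "INSERT INTO categories(catid, catname) VALUES (@CATID, @NAME)", CommandType = CommandType.Text, Connection = conn })
                    {
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) });
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtCatNameFooter.Text });
                        cmd.ExecuteNonQuery();
                    }
                }
            }
        }
        catch (Exception ex)
        {
            FooLogging.WriteLog(ex.ToString());
            errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
        }
    }
    Reset_Page(postId);
}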
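/// <summary>
/// Renames the category in the <c>categoryGrid</c> row being edited (after the CSRF check),
/// then resets the page for the selected post.
/// </summary>
protected void CategoryGrid_Update(object sender, GridViewUpdateEventArgs e)
{
    // NOTE(review): throws outside the try/catch when no post is selected — confirm a selection is guaranteed.
    int postId = Convert.ToInt32(postView.SelectedValue);
    var txtCatName = (TextBox)categoryGrid.Rows[e.RowIndex].FindControl("txtCatName");
    if (string.IsNullOrEmpty(txtCatName.Text))
    {
        errorLabel.Text = "Incomplete or invalid input.";
    }
    else
    {
        try
        {
            if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
            {
                errorLabel.Text = "Invalid request.";
            }
            else
            {
                using (var conn = new NpgsqlConnection())
                {
                    conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                    conn.Open();
                    // The command was previously never disposed.
                    using (var cmd = new NpgsqlCommand { CommandText = "UPDATE categories SET catname= @NAME WHERE catid= @CATID", CommandType = CommandType.Text, Connection = conn })
                    {
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = txtCatName.Text });
                        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(categoryGrid.DataKeys[e.RowIndex].Values[0].ToString()) });
                        cmd.ExecuteNonQuery();
                    }
                }
            }
        }
        catch (Exception ex)
        {
            FooLogging.WriteLog(ex.ToString());
            errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
        }
    }
    Reset_Page(postId);
}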
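/// <summary>
/// Deletes the category in the <c>categoryGrid</c> row together with the posts that reference it,
/// in one transaction, after validating the category id and the CSRF token. Ends by resetting the page.
/// </summary>
protected void CategoryGrid_Delete(object sender, GridViewDeleteEventArgs e)
{
    // NOTE(review): throws outside the try/catch when no post is selected — confirm a selection is guaranteed.
    int postId = Convert.ToInt32(postView.SelectedValue);
    try
    {
        if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
        {
            errorLabel.Text = "Invalid request.";
        }
        else
        {
            // Category ids are RandomString(16); validate the row key instead of only stripping characters from it.
            string catId = FooStringHelper.RemoveInvalidChars(categoryGrid.DataKeys[e.RowIndex].Values[0].ToString());
            if (!FooStringHelper.IsValidAlphanumeric(catId, 16))
            {
                errorLabel.Text = "Invalid request.";
            }
            else
            {
                using (var conn = new NpgsqlConnection())
                {
                    conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                    conn.Open();
                    // Both deletes commit or roll back together; previously a failure on the second
                    // statement removed the posts but left the category in place.
                    using (NpgsqlTransaction tx = conn.BeginTransaction())
                    {
                        DeleteByCategoryId(conn, tx, "DELETE FROM posts WHERE catid= @CATID", catId);
                        DeleteByCategoryId(conn, tx, "DELETE FROM categories WHERE catid= @CATID", catId);
                        tx.Commit();
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    Reset_Page(postId);
}

// Runs one parameterized delete keyed on @CATID inside the given transaction.
private static void DeleteByCategoryId(NpgsqlConnection conn, NpgsqlTransaction tx, string sql, string catId)
{
    using (var cmd = new NpgsqlCommand { CommandText = sql, CommandType = CommandType.Text, Connection = conn, Transaction = tx })
    {
        cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@CATID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = catId });
        cmd.ExecuteNonQuery();
    }
}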
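/// <summary>
/// Binds the merchandise editor: <c>merchView</c> shows the item named by <paramref name="merchId"/>
/// (or the newest item when the id is empty), <c>merchGrid</c> lists all items and
/// <c>reviewGrid</c> lists reviews joined with their authors and items.
/// </summary>
/// <param name="merchId">16-character item id, or empty for the newest item. Any other value (including null) is rejected.</param>
protected void Load_Forms(string merchId)
{
    if (merchId != string.Empty && !FooStringHelper.IsValidAlphanumeric(merchId, 16))
    {
        errorLabel.Text = "Invalid request.";
        return;
    }
    try
    {
        // One connection serves all three queries; they were previously opened and closed separately.
        using (var conn = new NpgsqlConnection())
        {
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            using (var cmd = new NpgsqlCommand())
            {
                cmd.Connection = conn;
                if (String.IsNullOrEmpty(merchId))
                {
                    // No selection: show the most recently created item.
                    cmd.CommandText = "SELECT merchid, merchname, merchbrief, merchbody, merchprice, merchimg, merchenabled FROM merchandise ORDER BY merchid DESC LIMIT 1";
                }
                else
                {
                    cmd.CommandText = "SELECT merchid, merchname, merchbrief, merchbody, merchprice, merchimg, merchenabled FROM merchandise WHERE merchid= @MERCHID";
                    cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId });
                }
                merchView.DataSource = FillDataSet(cmd);
                merchView.DataBind();
            }
            using (var cmd = new NpgsqlCommand("SELECT merchid, merchname FROM merchandise", conn))
            {
                merchGrid.DataSource = FillDataSet(cmd);
                merchGrid.DataBind();
            }
            using (var cmd = new NpgsqlCommand("SELECT T1.reviewid, T1.reviewtime, T1.userid, T1.merchid, T1.reviewbody, T2.userid, T2.useralias, T3.merchid, T3.merchname FROM reviews AS T1 LEFT OUTER JOIN users AS T2 ON T1.userid = T2.userid LEFT OUTER JOIN merchandise AS T3 ON T1.merchid = T3.merchid", conn))
            {
                reviewGrid.DataSource = FillDataSet(cmd);
                reviewGrid.DataBind();
            }
        }
        errorLabel.Text = "";
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
}

// Runs cmd through a data adapter and returns the filled DataSet; the adapter is disposed here.
private static DataSet FillDataSet(NpgsqlCommand cmd)
{
    using (var da = new NpgsqlDataAdapter(cmd))
    {
        var ds = new DataSet();
        da.Fill(ds);
        return ds;
    }
}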
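/// <summary>
/// Posts a new review for the item named by the <c>id</c> query-string value, then reloads
/// the forms for that item. A fresh request token is issued on every path.
/// </summary>
protected void submitButton_Click(object sender, EventArgs e)
{
    string reviewBody = reviewText.Text;
    // A missing session object must not throw before the input checks run.
    var currentUser = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current);
    string userId = currentUser == null ? null : currentUser.UserId;
    string merchId = Request.QueryString["id"];
    if (string.IsNullOrEmpty(reviewBody))
    {
        RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
        reviewErrorLabel.Text = "Incomplete input.";
        return;
    }
    if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
    {
        RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
        reviewErrorLabel.Text = "Invalid input.";
        return;
    }
    try
    {
        if (FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
        {
            using (var conn = new NpgsqlConnection())
            {
                conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
                conn.Open();
                // Dispose the command on every exit path, not only after a successful insert.
                using (var cmd = new NpgsqlCommand
                {
                    CommandText = "INSERT INTO reviews(reviewid, reviewtime, userid, merchid, reviewbody) VALUES (@REVIEWID, @REVIEWTIME, @USERID, @MERCHID, @REVIEWBODY)",
                    CommandType = CommandType.Text,
                    Connection = conn
                })
                {
                    cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@REVIEWID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RandomString(16) });
                    // NOTE(review): local server time is stored — confirm readers expect that rather than UTC.
                    cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@REVIEWTIME", NpgsqlDbType = NpgsqlDbType.Timestamp, Direction = ParameterDirection.Input, Value = DateTime.Now });
                    cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) });
                    cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId });
                    cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@REVIEWBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = reviewBody });
                    cmd.ExecuteNonQuery();
                }
                reviewErrorLabel.Text = "";
                reviewText.Text = "";
            }
        }
        else
        {
            errorLabel.Text = "Invalid request.";
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        reviewErrorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    RequestToken.Value = FooSessionHelper.SetToken(HttpContext.Current);
    Load_Forms(merchId);
}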
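/// <summary>
/// Records <paramref name="fileName"/> as the profile image of <paramref name="userId"/>, deleting the
/// previously stored image file from ~/uploads first (the default image is never deleted).
/// </summary>
/// <param name="fileName">Name of the already-saved image file inside ~/uploads.</param>
/// <param name="userId">Id of the user row to update; cleaned with RemoveInvalidChars before use.</param>
protected void Insert_NewImage(string fileName, string userId)
{
    try
    {
        // Use the same cleaned id for the lookup and the update; previously only the update cleaned it.
        string cleanUserId = FooStringHelper.RemoveInvalidChars(userId);
        using (var conn = new NpgsqlConnection())
        {
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            string imageFile = string.Empty;
            using (var cmd = new NpgsqlCommand("SELECT profileimg FROM users WHERE userid= @USERID", conn))
            {
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = cleanUserId });
                // The reader is now disposed even when Read() throws.
                using (NpgsqlDataReader dr = cmd.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        imageFile = dr["profileimg"].ToString();
                    }
                }
            }
            if (imageFile != string.Empty && imageFile != "profile_default.jpg")
            {
                string path = HttpContext.Current.Server.MapPath("~/uploads");
                // Only delete a plain file name inside the uploads folder: a stored value carrying a
                // directory component is ignored rather than resolved outside that folder.
                if (Path.GetFileName(imageFile) == imageFile)
                {
                    string currentFile = Path.Combine(path, imageFile);
                    if (File.Exists(currentFile))
                    {
                        File.Delete(currentFile);
                    }
                }
            }
            using (var cmd = new NpgsqlCommand("UPDATE users SET (profileimg) = (@PROFILEIMG) WHERE userid= @USERID", conn))
            {
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = cleanUserId });
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@PROFILEIMG", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = fileName });
                cmd.ExecuteNonQuery();
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
}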
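/// <summary>
/// Stores an uploaded image for a merchandise item: validates the upload, writes it under
/// ~/uploads with a random name, deletes the previously stored file (never the default image)
/// and records the new name on the merchandise row.
/// </summary>
/// <param name="merchId">Id of the merchandise row to update.</param>
/// <param name="file">Posted file, or null when nothing was uploaded (then only the folder is ensured).</param>
protected void Insert_NewImage(string merchId, HttpPostedFile file)
{
    // Largest upload accepted, in bytes (2 MiB).
    const int MaxImageBytes = 2097152;
    string path = HttpContext.Current.Server.MapPath("~/uploads");
    if (!Directory.Exists(path))
    {
        Directory.CreateDirectory(path);
    }
    if (file == null)
    {
        return;
    }
    byte[] fileBytes = FooFileHelper.GetFileBytesFromHttpStream(file);
    if (!FooFileHelper.IsImage(fileBytes) || fileBytes.Length >= MaxImageBytes)
    {
        errorLabel.Text = "Invalid file.";
        return;
    }
    // Some browsers (older IE) submit the full client path; keep only the base name before randomizing it.
    string fileName = FooStringHelper.RandomFileName(Path.GetFileName(file.FileName));
    string filePath = Path.Combine(path, fileName);
    try
    {
        File.WriteAllBytes(filePath, fileBytes);
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Upload failed.";
        return;
    }
    try
    {
        using (var conn = new NpgsqlConnection())
        {
            conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
            conn.Open();
            string imageFile = string.Empty;
            using (var cmd = new NpgsqlCommand("SELECT merchimg FROM merchandise WHERE merchid= @MERCHID", conn))
            {
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId });
                // The reader is now disposed even when Read() throws.
                using (NpgsqlDataReader dr = cmd.ExecuteReader())
                {
                    while (dr.Read())
                    {
                        imageFile = dr["merchimg"].ToString();
                    }
                }
            }
            if (imageFile != string.Empty && imageFile != "merch_default.jpg")
            {
                // Only delete a plain file name inside the uploads folder: a stored value carrying a
                // directory component is ignored rather than resolved outside that folder.
                if (Path.GetFileName(imageFile) == imageFile)
                {
                    string currentFile = Path.Combine(path, imageFile);
                    if (File.Exists(currentFile))
                    {
                        File.Delete(currentFile);
                    }
                }
            }
            using (var cmd = new NpgsqlCommand("UPDATE merchandise SET (merchimg) = (@MERCHIMG) WHERE merchid= @MERCHID", conn))
            {
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId });
                cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHIMG", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = fileName });
                cmd.ExecuteNonQuery();
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
}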
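/// <summary>
/// After <c>merchView</c> binds, reflects the item's <c>merchenabled</c> flag: in read-only mode
/// (with data rows) as the "Yes"/"No" label, in edit mode as the checkbox state. Other modes do nothing.
/// </summary>
protected void MerchView_Databound(object sender, EventArgs e)
{
    try
    {
        // The read-only branch previously ran outside the try/catch, so a failed query produced an unhandled error.
        if (merchView.CurrentMode == DetailsViewMode.ReadOnly && merchView.Rows.Count > 1)
        {
            var merchEnabledLabel = (Label)merchView.FindControl("merchEnabledLabel");
            bool? enabled = QueryMerchEnabled(merchView.SelectedValue.ToString());
            // A missing value reads as "No", as Convert.ToBoolean(null) did before.
            merchEnabledLabel.Text = enabled == true ? "Yes" : "No";
        }
        else if (merchView.CurrentMode == DetailsViewMode.Edit)
        {
            var merchEnabledCheckbox = (CheckBox)merchView.FindControl("merchEnabledCheckbox");
            bool? enabled = QueryMerchEnabled(merchView.SelectedValue.ToString());
            if (enabled.HasValue)
            {
                merchEnabledCheckbox.Checked = enabled.Value;
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        // NOTE(review): a null SelectedValue would throw here, inside the handler — confirm it cannot be null in these modes.
        string merchId = merchView.SelectedValue.ToString();
        if (!FooStringHelper.IsValidAlphanumeric(merchId, 16))
        {
            errorLabel.Text = "Invalid request.";
            Reset_Page(string.Empty);
            return;
        }
        Reset_Page(merchId);
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
}

// Reads the merchenabled flag of one item; null when no row matched or the column is NULL.
private bool? QueryMerchEnabled(string merchId)
{
    using (var conn = new NpgsqlConnection())
    {
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
        conn.Open();
        using (var cmd = new NpgsqlCommand("SELECT merchenabled FROM merchandise WHERE merchid= @MERCHID", conn))
        {
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(merchId) });
            object result = cmd.ExecuteScalar();
            if (result == null || result is DBNull)
            {
                return null;
            }
            return Convert.ToBoolean(result);
        }
    }
}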
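/// <summary>
/// Inserts a new merchandise row from the insert template of <c>merchView</c> and then
/// stores the optional product image. Input is validated first; the write only happens
/// when the request carries a valid request token.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Insert event data (unused; values are read from the template controls).</param>
protected void MerchView_ItemInserting(object sender, DetailsViewInsertEventArgs e)
{
    string merchId = FooStringHelper.RandomString(16);
    // Template controls; as before, they are assumed to exist (FindControl would return null otherwise).
    var txtMerchName = (TextBox)merchView.FindControl("txtMerchName");
    var txtMerchPrice = (TextBox)merchView.FindControl("txtMerchPrice");
    var txtMerchBrief = (TextBox)merchView.FindControl("txtMerchBrief");
    var txtMerchBody = (TextBox)merchView.FindControl("txtMerchBody");
    var imageUploadForm = (FileUpload)merchView.FindControl("imageUploadForm");
    var merchEnabledCheckbox = (CheckBox)merchView.FindControl("merchEnabledCheckbox");

    bool inputOk = !string.IsNullOrEmpty(txtMerchName.Text)
        && !string.IsNullOrEmpty(txtMerchPrice.Text)
        && FooStringHelper.IsValidPrice(txtMerchPrice.Text)
        && !string.IsNullOrEmpty(txtMerchBrief.Text)
        && !string.IsNullOrEmpty(txtMerchBody.Text);
    if (!inputOk)
    {
        errorLabel.Text = "Incomplete or invalid input.";
        Reset_Page(string.Empty);
        return;
    }

    try
    {
        if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
        {
            // Used to be a silent no-op; report it the way the other handlers do.
            errorLabel.Text = "Invalid request.";
        }
        else
        {
            InsertMerchandiseRow(merchId, txtMerchName.Text, txtMerchPrice.Text,
                txtMerchBrief.Text, txtMerchBody.Text, merchEnabledCheckbox.Checked);

            // Take the control's own posted file rather than Request.Files[0], so an
            // unrelated upload field in the same form cannot be mistaken for the image.
            HttpPostedFile file = imageUploadForm.HasFile ? imageUploadForm.PostedFile : null;
            Insert_NewImage(merchId, file);
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    Reset_Page(string.Empty);
}

/// <summary>
/// Writes one merchandise row with a parameterised INSERT.
/// </summary>
/// <param name="merchId">New 16-character merchandise id.</param>
/// <param name="name">Product name (Varchar, Size 64).</param>
/// <param name="price">Price as entered, already checked with IsValidPrice (Varchar, Size 8).</param>
/// <param name="brief">Short description (Varchar, Size 1024).</param>
/// <param name="body">Full description (Varchar, no size).</param>
/// <param name="enabled">Whether the item is visible.</param>
private static void InsertMerchandiseRow(string merchId, string name, string price, string brief, string body, bool enabled)
{
    using (var conn = new NpgsqlConnection())
    {
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
        conn.Open();
        // Disposed on every path, including when ExecuteNonQuery throws.
        using (var cmd = new NpgsqlCommand
        {
            CommandText = "INSERT INTO merchandise (merchid, merchname, merchprice, merchbrief, merchbody, merchenabled) VALUES (@MERCHID, @MERCHNAME, @MERCHPRICE, @MERCHBRIEF, @MERCHBODY, @MERCHENABLED)",
            CommandType = CommandType.Text,
            Connection = conn
        })
        {
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = merchId });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHNAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = name });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHPRICE", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 8, Direction = ParameterDirection.Input, Value = price });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHBRIEF", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = brief });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = body });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@MERCHENABLED", NpgsqlDbType = NpgsqlDbType.Boolean, Direction = ParameterDirection.Input, Value = enabled });
            cmd.ExecuteNonQuery();
        }
    }
}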
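/// <summary>
/// Handles <c>userGrid</c> commands. Only <c>AddNew</c> does work: it validates the
/// footer-row inputs, checks the request token and inserts a new user row.
/// Every other command just resets the page.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Command data; <see cref="GridViewCommandEventArgs.CommandName"/> selects the action.</param>
protected void GridView_Command(object sender, GridViewCommandEventArgs e)
{
    // Previously the footer inputs were validated for every command, so paging/sorting
    // on an empty footer produced a bogus error; only AddNew reads the footer.
    if (!string.Equals(e.CommandName, "AddNew", StringComparison.Ordinal))
    {
        Reset_Page();
        return;
    }

    string userId = FooStringHelper.RandomString(16);
    var txtUserNameFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserNameFooter");
    var txtUserAliasFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserAliasFooter");
    var txtEmailFooter = (TextBox)userGrid.FooterRow.FindControl("txtEmailFooter");
    var txtUserPasswordFooter = (TextBox)userGrid.FooterRow.FindControl("txtUserPasswordFooter");
    var groupDropdownFooter = (DropDownList)userGrid.FooterRow.FindControl("groupDropdownFooter");

    bool inputOk = !string.IsNullOrEmpty(txtUserNameFooter.Text)
        && !string.IsNullOrEmpty(txtUserAliasFooter.Text)
        && !string.IsNullOrEmpty(txtEmailFooter.Text)
        && FooStringHelper.IsValidEmailAddress(txtEmailFooter.Text)
        && !string.IsNullOrEmpty(txtUserPasswordFooter.Text);
    if (!inputOk)
    {
        // Was the generic "Something has gone wrong" text, which misreported a validation failure.
        errorLabel.Text = "Incomplete or invalid input.";
        Reset_Page();
        return;
    }

    try
    {
        if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
        {
            errorLabel.Text = "Invalid request.";
        }
        else
        {
            InsertUserRow(userId, txtUserNameFooter.Text, txtUserAliasFooter.Text,
                groupDropdownFooter.SelectedValue, txtEmailFooter.Text, txtUserPasswordFooter.Text);
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    Reset_Page();
}

/// <summary>
/// Writes one user row with a parameterised INSERT; the profile image is the fixed default.
/// </summary>
/// <param name="userId">New 16-character user id.</param>
/// <param name="userName">Login name (Varchar, Size 32).</param>
/// <param name="alias">Display name (Varchar, Size 32).</param>
/// <param name="groupId">Selected group id (Varchar, no size).</param>
/// <param name="email">E-mail address, already validated (Varchar, Size 64).</param>
/// <param name="password">Plain-text password; only its hash is stored.</param>
private static void InsertUserRow(string userId, string userName, string alias, string groupId, string email, string password)
{
    // NOTE(review): CreateShaHash reads like a plain SHA digest. For stored passwords a
    // slow, salted KDF (e.g. Rfc2898DeriveBytes / PBKDF2) is the usual choice — confirm
    // what the helper does and whether the HEAD login path would accept a change.
    string passwordHash = FooCryptHelper.CreateShaHash(password);

    using (var conn = new NpgsqlConnection())
    {
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
        conn.Open();
        // Disposed on every path, including when ExecuteNonQuery throws.
        using (var cmd = new NpgsqlCommand
        {
            CommandText = "INSERT INTO users(userid,username,useralias,groupid,email,passwordhash,profileimg) VALUES (@USERID,@NAME,@DISP,@GROUP,@EMAIL,@HASH,'profile_default.jpg')",
            CommandType = CommandType.Text,
            Connection = conn
        })
        {
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = userId });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@NAME", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = userName });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@DISP", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = alias });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@GROUP", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = groupId });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@EMAIL", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = email });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@HASH", NpgsqlDbType = NpgsqlDbType.Varchar, Direction = ParameterDirection.Input, Value = passwordHash });
            cmd.ExecuteNonQuery();
        }
    }
}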
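/// <summary>
/// Saves the profile edited in <c>userView</c> for the user identified by the session
/// cookie, then stores an optional new profile image. Input is validated first; the
/// database write only happens when the request carries a valid request token.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Update event data (unused; values are read from the template controls).</param>
protected void UserView_ItemUpdating(object sender, DetailsViewUpdateEventArgs e)
{
    UserObject userObj = FooSessionHelper.GetUserObjectFromCookie(HttpContext.Current);
    // No cookie-backed user, or a malformed id: refuse instead of dereferencing null.
    if (userObj == null || !FooStringHelper.IsValidAlphanumeric(userObj.UserId, 16))
    {
        errorLabel.Text = "Invalid request.";
        Reset_Page();
        return;
    }
    string userId = userObj.UserId;
    string userName = userObj.Username;

    // Template controls; as before, they are assumed to exist.
    var txtUserAlias = (TextBox)userView.FindControl("txtUserAlias");
    var txtUserEmail = (TextBox)userView.FindControl("txtUserEmail");
    var txtUserAddress = (TextBox)userView.FindControl("txtUserAddress");
    var txtUserCity = (TextBox)userView.FindControl("txtUserCity");
    var txtUserCountry = (TextBox)userView.FindControl("txtUserCountry");
    var txtUserBody = (TextBox)userView.FindControl("txtUserBody");
    var imageUploadForm = (FileUpload)userView.FindControl("imageUploadForm");

    // Same checks as before (the duplicated e-mail emptiness test is dropped); the
    // CheckIfEmailExists lookup stays last so it only runs on otherwise valid input.
    bool inputOk = !string.IsNullOrEmpty(txtUserAlias.Text)
        && !string.IsNullOrEmpty(txtUserEmail.Text)
        && !string.IsNullOrEmpty(txtUserAddress.Text)
        && !string.IsNullOrEmpty(txtUserCity.Text)
        && !string.IsNullOrEmpty(txtUserCountry.Text)
        && !string.IsNullOrEmpty(txtUserBody.Text)
        && FooStringHelper.IsValidEmailAddress(txtUserEmail.Text)
        && !FooEmailHelper.CheckIfEmailExists(txtUserEmail.Text, userName);
    if (!inputOk)
    {
        errorLabel.Text = "Incomplete or invalid input.";
        Reset_Page();
        return;
    }

    try
    {
        if (!FooSessionHelper.IsValidRequest(HttpContext.Current, RequestToken.Value))
        {
            // Used to be a silent no-op; report it like the other handlers.
            errorLabel.Text = "Invalid request.";
        }
        else
        {
            UpdateUserProfileRow(userId, txtUserAlias.Text, txtUserEmail.Text, txtUserAddress.Text,
                txtUserCity.Text, txtUserCountry.Text, txtUserBody.Text);
            if (imageUploadForm.HasFile)
            {
                // The control's own posted file, not Request.Files[0], so another upload
                // field in the same form cannot be mistaken for the profile image.
                SaveProfileImage(imageUploadForm.PostedFile, userId);
            }
        }
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Something has gone wrong. A log has been forwarded to the site administrator.";
    }
    Reset_Page();
}

/// <summary>
/// Updates the editable profile columns of one user with a parameterised UPDATE.
/// </summary>
/// <param name="userId">Cookie-supplied user id; sanitised with RemoveInvalidChars before binding (Varchar, Size 16).</param>
/// <param name="alias">Display name (Varchar, Size 32).</param>
/// <param name="email">E-mail address, already validated (Varchar, Size 64).</param>
/// <param name="address">Street address (Varchar, Size 128).</param>
/// <param name="city">City (Varchar, Size 32).</param>
/// <param name="country">Country (Varchar, Size 32).</param>
/// <param name="profileBody">Free-text profile (Varchar, Size 1024).</param>
private static void UpdateUserProfileRow(string userId, string alias, string email, string address, string city, string country, string profileBody)
{
    using (var conn = new NpgsqlConnection())
    {
        conn.ConnectionString = ConfigurationManager.ConnectionStrings["fooPostgreSQL"].ConnectionString;
        conn.Open();
        // Disposed on every path, including when ExecuteNonQuery throws.
        using (var cmd = new NpgsqlCommand
        {
            CommandText = "UPDATE users SET (useralias, email, address, city, country, profilebody) = (@USERALIAS, @EMAIL, @ADDRESS, @CITY, @COUNTRY, @PROFILEBODY) WHERE userid= @USERID",
            CommandType = CommandType.Text,
            Connection = conn
        })
        {
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERID", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 16, Direction = ParameterDirection.Input, Value = FooStringHelper.RemoveInvalidChars(userId) });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@USERALIAS", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = alias });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@EMAIL", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 64, Direction = ParameterDirection.Input, Value = email });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@ADDRESS", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 128, Direction = ParameterDirection.Input, Value = address });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@CITY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = city });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@COUNTRY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 32, Direction = ParameterDirection.Input, Value = country });
            cmd.Parameters.Add(new NpgsqlParameter { ParameterName = "@PROFILEBODY", NpgsqlDbType = NpgsqlDbType.Varchar, Size = 1024, Direction = ParameterDirection.Input, Value = profileBody });
            cmd.ExecuteNonQuery();
        }
    }
}

/// <summary>
/// Stores an uploaded profile image under <c>~/uploads</c> with a randomised file name and
/// records it with <c>Insert_NewImage</c>. Failures are logged and reported through
/// <c>errorLabel</c>; nothing is thrown to the caller.
/// </summary>
/// <param name="file">The posted file; the caller has already checked <c>HasFile</c>.</param>
/// <param name="userId">Owner of the image.</param>
private void SaveProfileImage(HttpPostedFile file, string userId)
{
    const int maxUploadBytes = 2097152; // 2 MiB, the same limit as before
    if (file.ContentLength >= maxUploadBytes)
    {
        errorLabel.Text = "Invalid file.";
        return;
    }

    string uploadDir = HttpContext.Current.Server.MapPath("~/uploads");
    if (!Directory.Exists(uploadDir))
    {
        Directory.CreateDirectory(uploadDir);
    }

    // Path.GetFileName strips any client-side directory part (IE sends the full path) and
    // handles both '\' and '/' separators, so no user-agent sniffing is needed.
    // NOTE(review): only the size is checked here; any extension/content-type policy would
    // have to live in RandomFileName or Insert_NewImage — confirm, since ~/uploads sits
    // under the web root and its contents are served by the site.
    string fileName = FooStringHelper.RandomFileName(Path.GetFileName(file.FileName));
    string filePath = Path.Combine(uploadDir, fileName);
    try
    {
        file.SaveAs(filePath);
        // Reset_Page() is invoked once by the calling handler; the extra call here was redundant.
        Insert_NewImage(fileName, userId);
    }
    catch (Exception ex)
    {
        FooLogging.WriteLog(ex.ToString());
        errorLabel.Text = "Upload failed.";
    }
}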