Devexpress MVC Gridview SQL注入问题
2022/7/7 2:21:33
本文主要是介绍Devexpress MVC Gridview SQL注入问题,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
近期因为global对服务器的调整, 使用citrix添加了对SQL Injection的防火墙。
目前的做法是将所有的数据传入后台的时候全部进行加密, 然后在C#后台进行解密, 之后再传入到数据库中.
在此分享在devexpress gridview遇到的几个问题
1. 在gridview中编辑了数据, 点了保存按钮后, 数据已成功的保存到数据中, 但是当使用GridView.Refresh()刷新数据时, 从broswer Network中发现refresh方法会将修改的数据传入到服务器中.
解决方法: 在refresh前先清除所有editor中的数据, 之后再调用gridview.refresh()方法
function onCustomSave(s, e) { $.ajax({ type: "POST", url: "@Url.Action("CustomSaveAction")", data: { }, success: function(response) { ClearEditorsValues(grid); grid.Refresh(); } }); }
function ClearEditorsValues(grid) { for (var i = 0; i < grid.GetColumnCount(); i++) { var column = grid.GetColumn(i); if (column.fieldName) { var editor = grid.GetEditor(column.fieldName); if (editor) editor.SetValue(null); } } }
2. 在Filter行中发现Dev girdview无法将筛选的参数值加密然后传入到服务端,
解决办法: 使用Gridview的Init事件以及配合ProcessColumnAutoFilter事件进行加密跟解密SQL Injection问题
C# 代码:
if (_Settings.Settings.ShowFilterRow == true) { _Settings.ClientSideEvents.Init = "GridViewInit"; _Settings.ProcessColumnAutoFilter = (send, e) => { if (e.Kind == GridViewAutoFilterEventKind.CreateCriteria) { MVCxGridViewColumn dataColumn = e.Column as MVCxGridViewColumn; if (dataColumn.ColumnType != MVCxGridViewColumnType.DateEdit) { e.Value = Utils.UrlDecode(e.Value); //这里每一个筛选菜单都需要用特殊的操作, 比如 StartWith, contains if (e.Criteria is DevExpress.Data.Filtering.FunctionOperator) { DevExpress.Data.Filtering.FunctionOperator op = e.Criteria as DevExpress.Data.Filtering.FunctionOperator; DevExpress.Data.Filtering.OperandValue currentValue = op.Operands[1] as DevExpress.Data.Filtering.OperandValue; op.Operands[1] = new DevExpress.Data.Filtering.OperandValue(e.Value); } else if (e.Criteria is DevExpress.Data.Filtering.BinaryOperator) { DevExpress.Data.Filtering.BinaryOperator op = e.Criteria as DevExpress.Data.Filtering.BinaryOperator; DevExpress.Data.Filtering.OperandValue currentValue = op.RightOperand as DevExpress.Data.Filtering.OperandValue; op.RightOperand = new DevExpress.Data.Filtering.OperandValue(e.Value); } else if (e.Criteria is DevExpress.Data.Filtering.UnaryOperator) { DevExpress.Data.Filtering.UnaryOperator op = e.Criteria as DevExpress.Data.Filtering.UnaryOperator; DevExpress.Data.Filtering.FunctionOperator opr = op.Operand as DevExpress.Data.Filtering.FunctionOperator; DevExpress.Data.Filtering.OperandValue currentValue = opr.Operands[1] as DevExpress.Data.Filtering.OperandValue; opr.Operands[1] = new DevExpress.Data.Filtering.OperandValue(e.Value); } } } }; }
Javascript
function GridViewInit(s, e) { var origin = s.AutoFilterByColumn.bind(s); s.AutoFilterByColumn = function (index, value) { var editor = s.GetAutoFilterEditor(column); if (!(editor instanceof ASPxClientDateEdit)) { value = UrlEncode(value); s.GetAutoFilterEditor(index).SetValue(value); } origin.call(s, index, value); }; } function ClearEditorsValues(grid, e) { for (var i = 0; i < grid.GetColumnCount(); i++) { var column = grid.GetColumn(i); if (column.fieldName) { var editor = grid.GetEditor(column.fieldName); if (editor) editor.SetValue(null); } var index = column.index; if (e.command === "APPLYCOLUMNFILTER" || e.command == "FILTERROWMENU") { if (typeof (grid.GetAutoFilterEditor(index)) != "undefined") grid.GetAutoFilterEditor(index).SetValue(null); } } }
这篇关于Devexpress MVC Gridview SQL注入问题的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-05-15PingCAP 黄东旭参与 CCF 秀湖会议,共探开源教育未来
- 2024-05-13PingCAP 戴涛:构建面向未来的金融核心系统
- 2024-05-09flutter3.x_macos桌面os实战
- 2024-05-09Rust中的并发性:Sync 和 Send Traits
- 2024-05-08使用Ollama和OpenWebUI在CPU上玩转Meta Llama3-8B
- 2024-05-08完工标准(DoD)与验收条件(AC)究竟有什么不同?
- 2024-05-084万 star 的 NocoDB 在 sealos 上一键起,轻松把数据库编程智能表格
- 2024-05-08Mac 版Stable Diffusion WebUI的安装
- 2024-05-08解锁CodeGeeX智能问答中3项独有的隐藏技能
- 2024-05-08RAG算法优化+新增代码仓库支持,CodeGeeX的@repo功能效果提升