Unhandled Exception

stu9820 · December 8th, 2003, 02:27 PM

how do i catch these?

A potentially dangerous Request.QueryString value was detected from the client (h="<object>").

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

stu9820 · December 8th, 2003, 03:00 PM

I have a

Try
Catch ex As Exception
Label1.Text = ex.ToString
End Try

but apparently an unhandled exception is different from an exception

snowhu · December 9th, 2003, 06:36 AM

try
            {
            ..........
            }
            catch(Exception ex)
            {
            ex.Message
            }

stu9820 · December 9th, 2003, 09:50 AM

I changed it to:
Try
Catch ex As Exception
Label1.Text = ex.Message
End Try

And it still can't catch an unhandled exception when i try to put <html> in the querystring.

This is what i try to do http://localhost/cable/category.aspx?loc=1&h=<html>

but my catch statement is not catching it.

jacob · December 9th, 2003, 09:52 AM

What are you asking!? If there is a difference between Exceptions? An unhandled exception is just an Exception, which is not caught, as far as I know!

You only sended the structure of your try/catch, right?

You have included your staments like...

Code:

Request.QueryString("h")

inside your try block?

Jacob.

planoie · December 9th, 2003, 10:55 AM

I *think* you might be able to resolve this issue with the ValidateRequest attribute of the @ Page directive.

Set ValidateRequest="False" so that ASP.net doesn't check the querystring/form inputs for "dangerous" values (i.e. html, script).

Peter
------------------------------------------------------
Work smarter, not harder.

stu9820 · December 9th, 2003, 11:29 AM

This is odd:
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (h="<html>").

I tried to set up a custom exception handler:
Catch myex As HttpRequestValidationException
Label1.Text = myex.Message

and it still throws the exception.

stu9820 · December 9th, 2003, 11:32 AM

That worked. Thanks Peter. Will it still catch dangerous sql code? Like the dreaded sql injections?

Quote:

quote:Originally posted by planoie
I *think* you might be able to resolve this issue with the ValidateRequest attribute of the @ Page directive.

Set ValidateRequest="False" so that ASP.net doesn't check the querystring/form inputs for "dangerous" values (i.e. html, script).

Peter
------------------------------------------------------
Work smarter, not harder.

planoie · December 9th, 2003, 12:03 PM

ValidateRequest only validates what you are posting/getting from the browser. I don't know if that actually checks for SQL injections or not. If it does, then I would think you'll loose that protection as well.

Peter
------------------------------------------------------
Work smarter, not harder.

CraigJones · December 9th, 2003, 12:47 PM

I created a method a while back to hopefully deal with some SQL Injection attacks. I take the sql query string i have built using the uers input and run it thought the method which goes through and removed single quotes (') and replaces them with two single quotes (''). This help prevent people from breaking my query and adding dangerous sql statements... Not sure if think will help but try it out

Public Class stringBuilder

    Shared Function replaceQuote(ByVal text As String)
        'Method takes text input by user and replaces single quote with two single quotes
        ' to prevent SQL string from breaking if value is used in SQL string
        'Precondition: User must enter value through a freeform text field
        'Postcondition: Return modified string

        Dim modifiedString As String 'Declare string variable
        modifiedString = Replace(text, "'", "''") 'Replace single quote with two single quotes
        Return modifiedString 'return modified string
    End Function

End Class

there is no place like 127.0.0.1