
The .net app I am working on encounters an error when a user enters opening angle brackets "<" as input. Specifically this occurs when they want some sort of html input such as <a href="www.google.com">Google</a>

I've tried the exact same input without the "<" and everything works exactly as it should. The input is being read from an asp:TextBox and added as a parameter to an SQL INSERT INTO statement. I am using a try catch block to catch SqlExceptions, but this particular problem is not even caught when I change the catch statement to catch(Exception err). I know "<" is used as the less than operator in SQL; however, it shouldn't be a problem because the input is a parameter, right? Why would it only be the "<" and not the ">", which is also in the input, since both characters are valid SQL operators? Here is the actual code snippet.

try
{
    SQL_Command.Connection = SQL_Connection;
    SQL_Command.CommandText = "INSERT INTO tabl1 ([ID], [fName], [lName], [bio]) VALUES (@ID, @First, @Last, @Bio)";
    SqlParameter ID, First, Last, Bio;
    ID = new SqlParameter("@ID", id_text.Text);
    First = new SqlParameter("@First", firstName_Text.Text);
    Last = new SqlParameter("@Last", lastName_Text.Text);
    Bio = new SqlParameter("@Bio", bio_Text.Text);
    // Parameters are matched by name, so the order they are added in does not matter.
    SQL_Command.Parameters.Add(ID);
    SQL_Command.Parameters.Add(Last);
    SQL_Command.Parameters.Add(First);
    SQL_Command.Parameters.Add(Bio);
    SQL_Command.ExecuteNonQuery();
}
catch (Exception err)
{
    Response.Write(err);
}

The schema for this table is:

ID int NOT NULL
fName nVarChar(255)
lName nVarChar(255)
bio nVarChar(MAX)
    unless I'm missing something, a 404 is a website error, not a SQL error? so are you having issues with the data going into the database, or with what happens after the insert? The fact that it's not throwing an error suggests it's either never reaching the function at all, or it really is going into the DB. – Claies May 29 '14 at 19:06
  • so thinking about it a bit more, is your error actually happening because of the URL string on the post having an issue resolving to the server? something like mysite.com/blah?bio=< crashing and never reaching the server? – Claies May 29 '14 at 19:11
  • shouldn't be that @AndrewCounts -- I tried adding Google to a few pages and everything went through fine (actually one gave a Server Error -- A potentially dangerous Request). This may be helpful http://www.iis.net/learn/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis – bdimag May 29 '14 at 19:27
  • -1: be specific. Exactly what error do you get? Is it an exception? On which line is it thrown? – John Saunders May 29 '14 at 19:51
  • @John Saunders. Like I said the catch block doesn't catch any kind of exception. I could figure it out if I got an error but I don't have anything other than 404. – HopAlongPolly May 30 '14 at 14:49
  • How did you receive the 404? Again, 404 is a web server response, not an exception. – John Saunders May 30 '14 at 15:01
  • Sorry should have made it more clear. The user is filling out a web form and the values of that form are being inserted into a database when the submit button is clicked. When testing I click submit and the page crashes rather than displaying the success or error messages. – HopAlongPolly May 30 '14 at 15:35

1 Answer


The error message you are getting is most likely the result of ASP.NET protecting your site against a cross site scripting attack. The opening angle bracket looks suspicious, because you may be injecting malicious JavaScript or HTML onto the page. This question has been answered before at this link: A potentially dangerous Request.Form value was detected from the client

Hope that helps !
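As an added example (not the asker's or the answerer's code), this is what the code-behind for the form above can look like once the rejection is understood: request validation runs while ASP.NET parses the posted form, before any page event, so no try/catch inside the handler can see it, and the insert itself is already safe because the brackets travel as parameter data. It keeps the asker's control and table names and assumes a Label control named `status`, a web.config connection string named `BioDb`, and a reference to System.Configuration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Request validation rejects a bio like "<a href=..." before Submit_Click is
// ever entered, so nothing in this method can catch that. Whether HTML may be
// accepted at all is decided in the page directive / web.config (see the linked
// question); if it is, the stored text must be encoded wherever it is shown.
public partial class BioForm : Page
{
    // Assumed: a connection string named "BioDb" exists in web.config.
    private static readonly string ConnString =
        System.Configuration.ConfigurationManager.ConnectionStrings["BioDb"].ConnectionString;

    protected void Submit_Click(object sender, EventArgs e)
    {
        // [ID] is int NOT NULL: validate here rather than relying on SQL Server
        // to convert a string parameter.
        int id;
        if (!int.TryParse(id_text.Text, out id))
        {
            status.Text = "ID must be a whole number.";
            return;
        }
        try
        {
            using (var conn = new SqlConnection(ConnString))
            using (var cmd = new SqlCommand(
                "INSERT INTO tabl1 ([ID], [fName], [lName], [bio]) VALUES (@ID, @First, @Last, @Bio)", conn))
            {
                // Typed parameters matching the schema; "<" and ">" are data here,
                // never SQL operators, whatever the user types.
                cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
                cmd.Parameters.Add("@First", SqlDbType.NVarChar, 255).Value = firstName_Text.Text;
                cmd.Parameters.Add("@Last", SqlDbType.NVarChar, 255).Value = lastName_Text.Text;
                cmd.Parameters.Add("@Bio", SqlDbType.NVarChar, -1).Value = bio_Text.Text; // -1 = MAX
                conn.Open();
                cmd.ExecuteNonQuery();
            }
            // Encode on output so stored markup is displayed as text, not
            // interpreted by the browser (the risk request validation guards against).
            status.Text = "Saved bio: " + HttpUtility.HtmlEncode(bio_Text.Text);
        }
        catch (SqlException err)
        {
            status.Text = "Database error: " + HttpUtility.HtmlEncode(err.Message);
        }
    }
}
```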

  • Usually I would get a custom error stating a potentially dangerous Request.Form value was detected but I'm guessing the dev server I'm working on has a different configuration than the server I usually work on. – HopAlongPolly May 30 '14 at 14:53