Saturday, September 25, 2010

Security vulnerability in .NET/SharePoint

Hi All,

I am not sure, how many of you might have heard about the latest security vulnerability in ASP.NET applications. This vulnerability exists in all ASP.NET Applications(ANY version of .NET code running in the web is vulnerable including all versions 1.1, 2.0, 3.0, 3.5 and 4.0.) . This also includes SharePoint.

This has been pointed in the Scott Guthrie’s blog in extensive manner. Please check this blog and correct the vulnerability.

Hope this helps all Projects running .NET code.

For MOSS 2007/SharePoint 2010, Please follow the below link

Monday, July 26, 2010

Securing Web Methods with username and password in c#


When a Web Service is being published to the internet, make sure that the Web Methods have proper authentication set, so that only valid users access the web methods.

To provide username and password to a web method, follow the below procedure:

In the .cs code:


using System;
using System.Web;
using System.Collections;
using System.Web.Services;
using System.Web.Services.Protocols;
/// Summary description for WebService

[WebService(Namespace = ““)]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]

public class MyService : System.Web.Services.WebService
public AuthSoapHd spAuthenticationHeader;

public MyService ()
//Uncomment the following line if using designed components
public class AuthSoapHd : SoapHeader
// Here get the username and password from web.config.
public string strUserName = “user1″;
public string strPassword = “password”;
public struct SecurityInfo
public string Fname;
public string Lname;

public SecurityInfo EmpDetails()
// Fail the call if the caller is not authorized
if (spAuthenticationHeader.strUserName != “user1″ && spAuthenticationHeader.strPassword != “password”)
throw new SoapException(”Unauthorized”, SoapException.ClientFaultCode);
SecurityInfo SecurityDetails = new SecurityInfo();
SecurityDetails.Fname = “First Name”;
SecurityDetails.Lname = “Last Name”;
return SecurityDetails;


Hope this helps

Store and Retrieve Word/Image/Excel files from SQL Server 2000


To store and retrieve word/Image and Excel files from SQL Server 2000 using C# 2.0.

Please make sure that data is stored as “Image” datatype in the database.

I am going to use File Upload option, that is available in c#. I have converted the document as a byte array and then storing it to the database.

Aspx code is as below:



Code Behind is as follows:


protected void btnUpload_Click(object sender, EventArgs e)


string strSql = “”;
String ConnectionString = strConnectionString;

System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(ConnectionString);


strSql = “insert into tbl_DocUpload (ID,Name,Resume_Data) values(@ID,@Name, @Resume_Data) ;”;SqlCommand InsertCommand = new SqlCommand();

if (FileUpload1.PostedFile != null || (!String.IsNullOrEmpty(FileUpload1.PostedFile.FileName)) || FileUpload1.PostedFile.InputStream != null)


Stream fs = FileUpload1.PostedFile.InputStream; string ResumeFileName = Path.GetFileName(FileUpload1.PostedFile.FileName.ToString());

string ResumeContenttype = FileUpload1.PostedFile.ContentType;

int ResumeLength = FileUpload1.PostedFile.ContentLength;

BinaryReader br = new BinaryReader(fs);Byte[] bytes = br.ReadBytes((Int32)fs.Length);

InsertCommand.Parameters.Add(new SqlParameter(“@ID”, SqlDbType.Int));

InsertCommand.Parameters[“@ID”].Value = 1;

InsertCommand.Parameters.Add(new SqlParameter(“@Resume_Data”, SqlDbType.Image));

InsertCommand.Parameters[“@Resume_Data”].Value = (object) bytes;

InsertCommand.Parameters.Add(new SqlParameter(“@Name”, SqlDbType.VarChar, 50));

InsertCommand.Parameters[“@Name”].Value = ResumeFileName;

InsertCommand.CommandText = strSql;

InsertCommand.CommandType = CommandType.Text;

InsertCommand.Connection = conn;

InsertCommand.ExecuteNonQuery(); conn.Close();



protected void BtnDownload_Click(object sender, EventArgs e)


String ConnectionString = strConnectionString;

System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(ConnectionString);


SqlCommand cmdSelect = new SqlCommand(“select Name,Resume_Data from tbl_DocUpload where ID=@ID”, conn);

cmdSelect.Parameters.Add( “@ID”, SqlDbType.Int, 4);

cmdSelect.Parameters[“@ID”].Value = 1;

SqlDataReader reader = cmdSelect.ExecuteReader(CommandBehavior.SingleRow);
while (reader.Read())


byte[] barrImg = (byte[])reader[“Resume_Data”];

string StrFileName = reader[“Name”].ToString();


Response.Charset = “utf-8″;

Response.AddHeader( “Accept-Header”, barrImg.Length.ToString());

Response.ContentEncoding = System.Text.Encoding.UTF8;

Response.AddHeader(“Accept-Ranges”, “bytes”);

Response.Buffer = true;

Response.AddHeader(“Content-Length”, barrImg.Length.ToString());

Response.AddHeader(“Expires”, “0″);

Response.AddHeader(“Cache-Control”, “must-revalidate, post-check=0, pre-check=0″);

Response.AddHeader(“Pragma”, “public”);

Response.AddHeader(“content-Transfer-Encoding”, “binary”);

Response.AddHeader(“Content-Disposition”, “attachment;filename=” + StrFileName);


Response.Flush(); Response.End();



Hope this helps.