• Devexpress MVC Gridview SQL注入问题


    
    

     近期因为global对服务器的调整, 使用citrix添加了对SQL Injection的防火墙。

    目前的做法是将所有的数据传入后台的时候全部进行加密, 然后在C#后台进行解密, 之后再传入到数据库中.

    在此分享在devexpress gridview遇到的几个问题

    1. 在gridview中编辑了数据, 点了保存按钮后,  数据已成功的保存到数据中,  但是当使用GridView.Refresh()刷新数据时, 从broswer Network中发现refresh方法会将修改的数据传入到服务器中.

    解决方法:  在refresh前先清除所有editor中的数据, 之后再调用gridview.refresh()方法

    function onCustomSave(s, e) {
        $.ajax({
            type: "POST",
            url: "@Url.Action("CustomSaveAction")",
            data: {  },
            success: function(response) {
                ClearEditorsValues(grid);
                grid.Refresh();
            }
        });
    }
    

      


    function ClearEditorsValues(grid) { for (var i = 0; i < grid.GetColumnCount(); i++) { var column = grid.GetColumn(i); if (column.fieldName) { var editor = grid.GetEditor(column.fieldName); if (editor) editor.SetValue(null); } } }

      

     2.  在Filter行中发现Dev girdview无法将筛选的参数值加密然后传入到服务端, 

    解决办法:  使用Gridview的Init事件以及配合ProcessColumnAutoFilter事件进行加密跟解密SQL Injection问题

    C# 代码:

    if (_Settings.Settings.ShowFilterRow == true)
                {
                    _Settings.ClientSideEvents.Init = "GridViewInit";
    _Settings.ProcessColumnAutoFilter = (send, e) => { if (e.Kind == GridViewAutoFilterEventKind.CreateCriteria) { MVCxGridViewColumn dataColumn = e.Column as MVCxGridViewColumn; if (dataColumn.ColumnType != MVCxGridViewColumnType.DateEdit) { e.Value = Utils.UrlDecode(e.Value);                  //这里每一个筛选菜单都需要用特殊的操作, 比如 StartWith, contains if (e.Criteria is DevExpress.Data.Filtering.FunctionOperator) { DevExpress.Data.Filtering.FunctionOperator op = e.Criteria as DevExpress.Data.Filtering.FunctionOperator; DevExpress.Data.Filtering.OperandValue currentValue = op.Operands[1] as DevExpress.Data.Filtering.OperandValue; op.Operands[1] = new DevExpress.Data.Filtering.OperandValue(e.Value); } else if (e.Criteria is DevExpress.Data.Filtering.BinaryOperator) { DevExpress.Data.Filtering.BinaryOperator op = e.Criteria as DevExpress.Data.Filtering.BinaryOperator; DevExpress.Data.Filtering.OperandValue currentValue = op.RightOperand as DevExpress.Data.Filtering.OperandValue; op.RightOperand = new DevExpress.Data.Filtering.OperandValue(e.Value); } else if (e.Criteria is DevExpress.Data.Filtering.UnaryOperator) { DevExpress.Data.Filtering.UnaryOperator op = e.Criteria as DevExpress.Data.Filtering.UnaryOperator; DevExpress.Data.Filtering.FunctionOperator opr = op.Operand as DevExpress.Data.Filtering.FunctionOperator; DevExpress.Data.Filtering.OperandValue currentValue = opr.Operands[1] as DevExpress.Data.Filtering.OperandValue; opr.Operands[1] = new DevExpress.Data.Filtering.OperandValue(e.Value); } } } }; }

    Javascript

    function GridViewInit(s, e) {  
        var origin = s.AutoFilterByColumn.bind(s);
        s.AutoFilterByColumn = function (index, value) {
            var editor = s.GetAutoFilterEditor(column);
            if (!(editor instanceof ASPxClientDateEdit)) {
                value = UrlEncode(value);
                s.GetAutoFilterEditor(index).SetValue(value);
            }
            origin.call(s, index, value);
    
        };
    }
    
    
    function ClearEditorsValues(grid, e) {
        for (var i = 0; i < grid.GetColumnCount(); i++) {
            var column = grid.GetColumn(i);
            if (column.fieldName) {
                var editor = grid.GetEditor(column.fieldName);
                if (editor) editor.SetValue(null);
            }
    
            var index = column.index;
            if (e.command === "APPLYCOLUMNFILTER" || e.command == "FILTERROWMENU") {
                if (typeof (grid.GetAutoFilterEditor(index)) != "undefined")
                    grid.GetAutoFilterEditor(index).SetValue(null);
            }
        }
    }
    

      

     

  • 相关阅读:
    ◆ C++中通过溢出覆盖虚函数指针列表执行代码
    关于在OnTimer中连续弹出对话框的讨论
    SetTimer
    Windows内核对象
    日志收缩
    暴力求值
    低级问题
    函数限制
    字符串找字段和表
    android错误提示说明汇总
  • 原文地址:https://www.cnblogs.com/hesijian/p/16450128.html
Copyright © 2020-2023  润新知