A potentially dangerous Request.Form value was detected from the client

I am getting the message:

A potentially dangerous Request.Form value was detected from the client

when trying to save the read the value from a textarea which has the text ON=45 in it. It seems that the letters ON and = are causing a problem? If I put ON.=45 it is ok. Can someone explain to me how this is considered a potentially dangerous value? I'm trying to explain to my users why this would be bad, but I'm at a loss to explain.

Also, turning off the Validation for the page is not an option.

Re: A potentially dangerous Request.Form value was detected from the client

Hi,

Put validateRequest="false" in your page directive or web.config file.

http://msdn2.microsoft.com/en-us/library/ms972967.aspx

Thanks

Re: A potentially dangerous Request.Form value was detected from the client

As stated in my post, I cannot turn the Validation off. This is happening inside a user control, so I can't turn it off. And, I don't consider it an option to turn it off at the Web.config level. I would just like someone to explain to me what is wrong with ON= as opposed to AL= or other combos of letters.

Re: A potentially dangerous Request.Form value was detected from the client

try encoding the value. (html encode)

Re: A potentially dangerous Request.Form value was detected from the client

sc1977
what is wrong with ON=

The .NET framework is throwing up an error because it detected something in the entered text which looks like an HTML statement. The text doesn't need to contain valid HTML, just anything with opening and closing angled brackets ("<...>").

The reason behind the error is as a security precaution. Developers need to be aware that users might try to inject HTML (or even a script) into a text box which may affect how the form is rendered. For further details see www.asp.net/learn/whitepapers/request-validation/.

This checking was not performed in the .NET 1.0 framework and was introduced with the .NET 1.1 framework.

Referenced Link > Troubleshooting: A potentially dangerous Request.Form value was detected

hope it helps./.

Re: A potentially dangerous Request.Form value was detected from the client

If you are telling me: "The text doesn't need to contain valid HTML, just anything with opening and closing angled brackets ("<...>")."

I don't see how that will apply to the text entered of "ON="? I haven't entered any angled brackets.

Re: A potentially dangerous Request.Form value was detected from the client

naimulah

try encoding the value. (html encode)

I cannot encode the value because it doesn't even make it to the server btn click event (I ran it in debug mode) before it crashes out. The problem lies in the the trasport of the textvalue back to the server for processing.

Re: A potentially dangerous Request.Form value was detected from the client

It is trying to prevent SQL injection. INNER JOIN Table t ON t.Id = OtherTable1.Id

Hope this helps.

Tim

Re: A potentially dangerous Request.Form value was detected from the client

sc1977

naimulah

try encoding the value. (html encode)

I cannot encode the value because it doesn't even make it to the server btn click event (I ran it in debug mode) before it crashes out. The problem lies in the the trasport of the textvalue back to the server for processing.

FYI about encoding

http://forums.asp.net/t/1151879.aspx

Re: A potentially dangerous Request.Form value was detected from the client

stratboogie

It is trying to prevent SQL injection. INNER JOIN Table t ON t.Id = OtherTable1.Id

Hope this helps.

Tim

Thank you! At least I know why I can't have "ON ="!

Re: A potentially dangerous Request.Form value was detected from the client

sc1977

stratboogie

It is trying to prevent SQL injection. INNER JOIN Table t ON t.Id = OtherTable1.Id

Hope this helps.

Tim

Thank you! At least I know why I can't have "ON ="!

One more thing. Why would the text Ontario = 45 also fail? Wouldn't this be different enough for it to know it is not sql? Because the text Alberta = 45 works.

Can you tell I'm Canadian?

Re: A potentially dangerous Request.Form value was detected from the client

My guess would be it conains "ON" and "="

You could maybe have a JS function that searches the text before it is sumbitted to the server. And if your text contains certain keywords, do something special in that scenario. Kind of pain I know. :-)

Tim

Re: A potentially dangerous Request.Form value was detected from the client

its working in my scenerio

thanking you very much .

Re: A potentially dangerous Request.Form value was detected from the client

1) For ASP.NET MVC we have to add [ValidateInput(false)] on top of the action result so that it will not validate the field at run-time.

2 )Nothing else would work..Ex: adding ValidateInput = "false" to the Pagedirective (in the view)

3) adding ValidateInput = "false" it in the web.config.

Once again for MVC only the First Solution will work. 2nd and 3rd solution will not work.

Re: A potentially dangerous Request.Form value was detected from the client

You need to do couple of modification to you application to get this fixed.Have a look.

1. Add <httpRuntime requestValidationMode="2.0" /> in you application web.config

2. Add RequestValidation="false" on your page

A potentially dangerous Request.Form value was detected

Re: A potentially dangerous Request.Form value was detected from the client

Is there any other way beside setting the validaterequest to false ???

Re: A potentially dangerous Request.Form value was detected from the client

Hi had the same when someone tryin to use &# . A potentially dangerous Request.Form value was detected from the klient. Somebody knows why &# is dangerous? Is it html or sql code?

Thanks

Re: A potentially dangerous Request.Form value was detected from the client

This is because of # symbol.

It is used in store procedure to declare local temporary tables that's why it's carraying

A potentially dangerous Request.Form value was detected from the client.

It's also notable that it's not required that it should be valid keyword of sql to generate this error.

Re: A potentially dangerous Request.Form value was detected from the client

but if im useing for example 3# or any different option its fine, it happens only with &#

Re: A potentially dangerous Request.Form value was detected from the client

Paste the code where you are assigning value.

It's important to note which language you are working on because & symbol is also used in vb to concatnate two strings.