Wednesday, December 21, 2011

DataView RowFilter Examples

DataView RowFilter Syntax [C#]

This example describes syntax of DataView.RowFil­ter expression. It shows how to correctly build expression string (without „SQL injection“) using methods to escape values.

Column names

If a column name contains any of these special characters ~ ( ) # \ / = > < + - * % & | ^ ' " [ ], you must enclose the column name within square brackets [ ]. If a column name contains right bracket ] or backslash \, escape it with backslash (\] or \\).
dataView.RowFilter = "id = 10";      // no special character in column name "id"
dataView.RowFilter = "$id = 10";     // no special character in column name "$id"
dataView.RowFilter = "[#id] = 10";   // special character "#" in column name "#id"
dataView.RowFilter = "[[id\]] = 10"; // special characters in column name "[id]"


String values are enclosed within single quotes ' '. If the string contains single quote ', the quote must be doubled.
dataView.RowFilter = "Name = 'John'"        // string value
dataView.RowFilter = "Name = 'John ''A'''"  // string with single quotes "John 'A'"

dataView.RowFilter = String.Format("Name = '{0}'", "John 'A'".Replace("'", "''"));

Number values are not enclosed within any characters. The values should be the same as is the result of int.ToString() or float.ToString() method for invariant or English culture.
dataView.RowFilter = "Year = 2008"          // integer value
dataView.RowFilter = "Price = 1199.9"       // float value

dataView.RowFilter = String.Format(CultureInfo.InvariantCulture.NumberFormat,
                     "Price = {0}", 1199.9f);

Date values are enclosed within sharp characters # #. The date format is the same as is the result of DateTime.ToString() method for invariant or English culture.
dataView.RowFilter = "Date = #12/31/2008#"          // date value (time is 00:00:00)
dataView.RowFilter = "Date = #2008-12-31#"          // also this format is supported
dataView.RowFilter = "Date = #12/31/2008 16:44:58#" // date and time value

dataView.RowFilter = String.Format(CultureInfo.InvariantCulture.DateTimeFormat,
                     "Date = #{0}#", new DateTime(2008, 12, 31, 16, 44, 58));

Alternatively you can enclose all values within single quotes ' '. It means you can use string values for numbers or date time values. In this case the current culture is used to convert the string to the specific value.
dataView.RowFilter = "Date = '12/31/2008 16:44:58'" // if current culture is English
dataView.RowFilter = "Date = '31.12.2008 16:44:58'" // if current culture is German

dataView.RowFilter = "Price = '1199.90'"            // if current culture is English
dataView.RowFilter = "Price = '1199,90'"            // if current culture is German

Comparison operators

Equal, not equal, less, greater operators are used to include only values that suit to a comparison expression. You can use these operators = <> < <= > >=.
Note: String comparison is culture-sensitive, it uses CultureInfo from DataTable.Localeproperty of related table (dataView.Table.Locale). If the property is not explicitly set, its default value is DataSet.Locale (and its default value is current system culture Thread.Curren­tThread.Curren­tCulture).
dataView.RowFilter = "Num = 10"             // number is equal to 10
dataView.RowFilter = "Date < #1/1/2008#"    // date is less than 1/1/2008
dataView.RowFilter = "Name <> 'John'"       // string is not equal to 'John'
dataView.RowFilter = "Name >= 'Jo'"         // string comparison

Operator IN is used to include only values from the list. You can use the operator for all data types, such as numbers or strings.
dataView.RowFilter = "Id IN (1, 2, 3)"                    // integer values
dataView.RowFilter = "Price IN (1.0, 9.9, 11.5)"          // float values
dataView.RowFilter = "Name IN ('John', 'Jim', 'Tom')"     // string values
dataView.RowFilter = "Date IN (#12/31/2008#, #1/1/2009#)" // date time values

dataView.RowFilter = "Id NOT IN (1, 2, 3)"  // values not from the list

Operator LIKE is used to include only values that match a pattern with wildcards. Wildcardcharacter is * or %, it can be at the beginning of a pattern '*value', at the end 'value*', or at both '*value*'. Wildcard in the middle of a patern 'va*lue' is not allowed.
dataView.RowFilter = "Name LIKE 'j*'"       // values that start with 'j'
dataView.RowFilter = "Name LIKE '%jo%'"     // values that contain 'jo'

dataView.RowFilter = "Name NOT LIKE 'j*'"   // values that don't start with 'j'

If a pattern in a LIKE clause contains any of these special characters * % [ ], those characters must be escaped in brackets [ ] like this [*][%][[] or []].
dataView.RowFilter = "Name LIKE '[*]*'"     // values that starts with '*'
dataView.RowFilter = "Name LIKE '[[]*'"     // values that starts with '['

The following method escapes a text value for usage in a LIKE clause.
public static string EscapeLikeValue(string valueWithoutWildcards)
  StringBuilder sb = new StringBuilder();
  for (int i = 0; i < valueWithoutWildcards.Length; i++)
    char c = valueWithoutWildcards[i];
    if (c == '*' || c == '%' || c == '[' || c == ']')
    else if (c == '\'')
  return sb.ToString();

// select all that starts with the value string (in this case with "*")
string value = "*";
// the dataView.RowFilter will be: "Name LIKE '[*]*'"
dataView.RowFilter = String.Format("Name LIKE '{0}*'", EscapeLikeValue(value));

Boolean operators

Boolean operators ANDOR and NOT are used to concatenate expressions. Operator NOT has precedence over AND operator and it has precedence over OR operator.
// operator AND has precedence over OR operator, parenthesis are needed
dataView.RowFilter = "City = 'Tokyo' AND (Age < 20 OR Age > 60)";

// following examples do the same
dataView.RowFilter = "City <> 'Tokyo' AND City <> 'Paris'";
dataView.RowFilter = "NOT City = 'Tokyo' AND NOT City = 'Paris'";
dataView.RowFilter = "NOT (City = 'Tokyo' OR City = 'Paris')";
dataView.RowFilter = "City NOT IN ('Tokyo', 'Paris')";

Arithmetic and string operators

Arithmetic operators are addition +, subtraction -, multiplication *, division / and modulus %.
dataView.RowFilter = "MotherAge - Age < 20";   // people with young mother
dataView.RowFilter = "Age % 10 = 0";           // people with decennial birthday

There is also one string operator concatenation +.

Parent-Child Relation Referencing

parent table can be referenced in an expression using parent column name with Parent.prefix. A column in a child table can be referenced using child column name with Child. prefix.
The reference to the child column must be in an aggregate function because child relationships may return multiple rows. For example expression SUM(Child.Price) returns sum of all prices in child table related to the row in parent table.
If a table has more than one child relation, the prefix must contain relation name. For example expression Child(OrdersToItemsRelation).Price references to column Price in child table using relation named OrdersToItemsRe­lation.

Aggregate Functions

There are supported following aggregate functions SUMCOUNTMINMAXAVG (average), STDEV(statistical standard deviation) and VAR (statistical variance).
This example shows aggregate function performed on a single table.
// select people with above-average salary
dataView.RowFilter = "Salary > AVG(Salary)";

Following example shows aggregate functions performed on two tables which have parent-child relation. Suppose there are tables Orders and Items with the parent-child relation.
// select orders which have more than 5 items
dataView.RowFilter = "COUNT(Child.IdOrder) > 5";

// select orders which total price (sum of items prices) is greater or equal $500
dataView.RowFilter = "SUM(Child.Price) >= 500";


There are also supported following functions. Detailed description can be found hereDataColumn.Ex­pression.
  • CONVERT – converts particular expression to a specified .NET Framework type
  • LEN – gets the length of a string
  • ISNULL – checks an expression and either returns the checked expression or a replacement value
  • IIF – gets one of two values depending on the result of a logical expression
  • TRIM – removes all leading and trailing blank characters like \r, \n, \t, ‚ ‘
  • SUBSTRING – gets a sub-string of a specified length, starting at a specified point in the string

Wednesday, December 14, 2011

PageMethods undefined,MasterPage PageMethods

ScriptManager and MasterPage PageMethods !

I know that this subject has been asked many times therefore i would like to summarize it and give a small tutorial about how to do it.
I had some PageMethods on a default page which calls some web methods on code behind of the page. Before 1 week we decided to change the old structure of the project UI to use MasterPage. MaterPage triggered many problems with it, one of these problems that MasterPage does not support JS PageMethods! because MasterPage does not inherit from Web.UI.Page therefore you can not call PageMethods (its not a page!) – you can not call pagemethods on usercontrols too – so handle this problem and call your methods you can try this tutorial;
  • Create a MasterPage and add a ScriptManager on page.
  • On ScriptManager add the folowings
       1:  <asp:ScriptManager ID="ScriptManager" runat="server"
       2:          LoadScriptsBeforeUI="true" 
       3:         <Scripts>
       4:              <asp:ScriptReference 
                          Path="~/Javascript/MasterPageWSJS.js" />
       5:          </Scripts>
       6:          <Services>
       7:              <asp:ServiceReference 
                           Path="~/WebServices/MasterPageWS.asmx" />
       8:          </Services>
       9:      </asp:ScriptManager>
        Here we have 2 important sections
                   - Scritps which includes our JS file location
                   - Sevices which includes our Webservices location
       Here to be mentioned that EnablePageMethods attribute means nothing on MasterPages!.
  • Add a javascript file to the project ( here its  MasterPageWSJS.js)
       1:  function CallService() {
       2:  //CallFromMasterJS() is the name of the service method
       3:            MasterPageWS.CallFromMasterJS();
       4:    }
  • Add a Webservice file to the project (here it is MasterPageWS.asmx)
       1:  <%@ WebService Language="C#" Class="MasterPageWS" %>
       3:  using System;
       4:  using System.Web;
       5:  using System.Web.Services;
       6:  using System.Web.Services.Protocols;
       7:  using System.Web.Script.Services;
       9:  [WebService(Namespace = "")]
      10:  [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
      11:  [ScriptService]
      12:  public class MasterPageWS : System.Web.Services.WebService
      13:  {
      15:      [WebMethod(EnableSession = true)]
      16:      public void CallFromMasterJS()
      17:      {
      18:   // todo: write the needed codes
      19:      }
      20:  }
Here some important notes about the service:
- decorate the service class with [ScriptService]
- Decorate your methods with [WebMethod] add if you want to use
session variables with it decorate it with
[WebMethod(EnableSession = true)] because webservices are
stateless by default
  • at the end add this code lines to your MasterPage codebehind:
       1:  if(!IsPostBack)
       2:  {
       3:  // masterBody is the ID of the masterpage body html tag       
            HtmlGenericControl body = 
       4:          body.Attributes.Add("onunload", "CallService();");
       5:  }
That is all !. when you start your page and refresh it the master page will unloaded and that will fire the event onunload on the page body which will call the JS and from there the web service will be called.

Source:  Click here

Wednesday, December 7, 2011

A potentially dangerous Request.Form value was detected from the client

A potentially dangerous Request.Form value was detected from the client (Login1$txtUserName="<html>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Login1$txtUserName="<html>").

                       Insert the following lines in your web.config 



 <pages validateRequest="false">


//If your using .NET 4.0 use the following attribute
  <httpRuntime requestValidationMode="2.0" />

Wednesday, November 16, 2011

How To Set Time Zone using Command Prompt in Windows

Changing the time zone through the clock is very easy in Windows 7. You need to simply click on the clock present on the taskbar notification area and click on “Change date and time settings…“. But do you know that Windows 7 also provides a command line utility to change your present time zone? Bet you don’t!
The command line utility that helps you change the time zone in Windows 7 is tzutil.exe and is known as Windows Time Zone Utility. This is a great for all the people who prefers working from the command prompt.
There are three tzutil parameters, each of which is described below:
To change the time zone, use the /s parameter. For example, tzutil /s "universal standard time".
To display the current time zone, use the /g parameter. For example, tzutil /g.
To get a list of all available time zones, use the /l parameter. For example, tzutil /l.

Find the following "bat"  file.
Download TimeZone Change file

Out put  :
1. Change your current time to zone some other time zone.
2. Run the above downloaded "TimezoneChange.bat" file.
3. Withing five min your time zone will be change to "Indian Standard Time".

Friday, November 11, 2011

How to hide/disable Day/Month/WorkWeek/Timeline views in devexpress Aspxscheduler

How to hide DayView/WorkWeekView/Month View/Timeline Views in deexpress ASPxScheduler.
How to disable DayView/WorkWeekView/Month View/Timeline Views in deexpress ASPxScheduler.

Here schTaskCalendar is ASPxScheduler ID which is used in our requirement

Use the following code lines in your Page_Load. it will hides/disables  DayView/WorkWeekView from your ASPxScheduler control.


protected void Page_Load(object sender, EventArgs e)
  DevExpress.Web.ASPxScheduler.SchedulerViewRepository baseviews = schTaskCalendar.Views;
            baseviews.DayView.Enabled = false;
            baseviews.WorkWeekView.Enabled = false;

Saturday, September 3, 2011

Validate uploaded image content in ASP.NET

A very few day ago i had to face the situation where hacker uploaded the malicious ASP script to the web server by changing its extension to .JPG through user interface which allow user to upload image file. Although developer team had put the validation on extension. But unfortunately extension of ASP script was .JPG and hence it is allowed extension. So hacker could upload that malicious script.

After this situation i thought just checking only extension for uploaded file is not the sufficient. We need to check content as well of the uploaded file.

So i decided to check header information in uploaded image file. If it found valid header information then only save uploaded file otherwise discard uploaded file. After Digging couple of hour on am fan of for more than 5 years), found following Header Information about different image file format.

Image File Header Information Table
File Format
0xFF, 0xD8, 0xFF, 0xE0
0x89, 0x50, 0x4E, 0x47
0x49, 0x49, 0x2A, 0x00
0x47, 0x49, 0x46, 0x38
0x42, 0x4D
0x00, 0x00, 0x01, 0x00

Instead of checking only header, we could also check whole file content against its file format. But checking only header could serve our purpose and it is also speedy process than checking whole file content so i am not checking whole file content.

Following code snippet validate header of known image types (JPG, PNG, TIFF, GIF, BMP, ICO) Please do let me know if i have missed any image types.

NOTE: In code snippet fuImage refer to ASP.NET file upload control

01protected void btnUpload_Click(object sender, EventArgs e)
04    Dictionary<stringbyte[]> imageHeader = new Dictionary<stringbyte[]>();
05    imageHeader.Add("JPG"new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 });
06    imageHeader.Add("JPEG"new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 });
07    imageHeader.Add("PNG"new byte[] { 0x89, 0x50, 0x4E, 0x47 });
08    imageHeader.Add("TIF"new byte[] { 0x49, 0x49, 0x2A, 0x00 });
09    imageHeader.Add("TIFF"new byte[] { 0x49, 0x49, 0x2A, 0x00 });
10    imageHeader.Add("GIF"new byte[] { 0x47, 0x49, 0x46, 0x38 });
11    imageHeader.Add("BMP"new byte[] { 0x42, 0x4D });
12    imageHeader.Add("ICO"new byte[] { 0x00, 0x00, 0x01, 0x00 });
14    byte[] header;
15    if (fuImage.HasFile)
16    {
18        string fileExt;
19        fileExt = fuImage.FileName.Substring(fuImage.FileName.LastIndexOf('.') + 1).ToUpper();
23        byte[] tmp = imageHeader[fileExt];
24        header = new byte[tmp.Length];
27        fuImage.FileContent.Read(header, 0, header.Length);
29        if (CompareArray(tmp, header))
30        {
31            lblMessage.Text = "Valid ." + fileExt + " file.";
33            // CODE TO PROCESS FILE
34        }
35        else
36        {
37            lblMessage.Text = "Invalid ." + fileExt + " file.";
39        }
40    }
41    else
42    {
43        lblMessage.Text = "Please select image file.";
44    }
47private bool CompareArray(byte[] a1, byte[] a2)
49    if (a1.Length != a2.Length)
50        return false;
52    for (int i = 0; i < a1.Length; i++)
53    {
54        if (a1[i] != a2[i])
55            return false;
56    }
58    return true;
Any input on above is greatly appreciated...

dotnet Expert Guide

@Blog.Author(Nandip Makwana)