Products

Solutions

Resources

Partners

Community

About

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeDNN Open Source...DNN Open Source...Module ForumsModule ForumsReportsReportsdnn Reports updated to VSE 2008 + token supportdnn Reports updated to VSE 2008 + token support
Previous
 
Next
New Post
9/10/2009 8:46 AM
 

hi all,

just for those who might interest,....

I ve updated reports 05.01.00 vbproj to work with Visual Web Developer 2008 express and by changing 3 rows in source added support for tokens in reports

just for sure what is mentioned by 'token':

now U can make sql query like this:

select top 10 '[Tab:TabName]' as currentTab, tabID from tabs

where [Tab:TabName] is one of dnn system tokens ([User:DisplayName], [Portal:PortalName],.....

if anybody is interested I can send sources. Version is same as API remains same and no other changes in source, so anybody can replace dll only ;-)

+ I did report xsl template that can display WMS map with custom table data (structure x,y,someName), like this (jesus I cant upload image to forum uaaah!), ok if anybody interested I will post a link on some other server

 

 
New Post
9/10/2009 1:23 PM
 

Please note that the reason for the lack of token support in the Reports module is to avoid SQL Injection attacks by not using String.format or Regular Expressions on the SQL script (which the Token Replace API does).  You're absolutely welcome to make some changes to your own copies and even redistribute those (as long as you don't claim it's the official version), but do be aware of the possible SQL Injection attack vector.  There are plans to introduce a secure parameter system which offers the same features without the risk of SQL Injection attack.


Andrew Nurse
DotNetNuke Core Team Member and Reports Module Project Lead
Microsoft Certified Professional Developer

 
New Post
9/10/2009 3:37 PM
 

Andrew,

could U please explain what exactly do U mean by sql injection?

for me tokens in reports is mandatory function.I need to create specific content of report output based on page and user where is this module attached (I will have thousands of different pages with same Report control)

this control is enabled for edit only by superuser and normal website users can only see reports. It is a part of workflow mgmt and report module shows progress and status of workflow for particular user/page/portal, etc.

Nobody can create user on my site (like user with user name 'truncate tabs' ;-) because I must use private user registration

nobody is allowed to create new tab with suspicious name....

I guess that in this case there is no SQL injection risk ?

What do you think ?

 
New Post
9/10/2009 6:31 PM
 

I'd agree with you that in your specific situation, there is very little SQL injection risk.  However, the reason I chose not to use Token Replace in the Reports module was that the same cannot be said for all situations involving Token Replace (for example, using a token that uses a username or profile property which hasn't been properly scrubbed for SQL commands).  That's why the official build does not, at this time, use Token Replace.  The plan is to use SQL Parameters to provide all the same functionality, but that has not been implemented yet due to time constraints.

Open-source is all about modifying code to make it suit your needs, so I have no problem at all with your workaround and I have no problem with you distributing it to others who are encountering the same problems.  I just wanted to caution you and anyone else using this code to be aware of the risk.  You have clearly done some work to make sure your query is safe from SQL Injection, I just want to make sure everyone else who does this is also aware of the potential risks.

Thanks for using and extending the module!  I hope we can make your workaround unnecessary in the next version, but since the Reports module is a volunteer project and I am the only contributor (at the moment) it is taking longer than I had hoped.


Andrew Nurse
DotNetNuke Core Team Member and Reports Module Project Lead
Microsoft Certified Professional Developer

 
New Post
9/11/2009 7:10 AM
 

Andrew,

I am not quite sure, how you expect a sql injection based on TokenReplace. TR has been built for use by module developers to enhance their modules with flexibility. It doesn't query the database itself, it just returns the properties of currently loaded objects (current user, tab, module, site, host) with several security levels added (passwords are never retrieved. most user details are returned to the user himself or admin only etc.)


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
Previous
 
Next
HomeHomeDNN Open Source...DNN Open Source...Module ForumsModule ForumsReportsReportsdnn Reports updated to VSE 2008 + token supportdnn Reports updated to VSE 2008 + token support


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out