DNN Community Forums: DNN Open Source > Module Forums > Reports

dnn Reports updated to VSE 2008 + token support
New Post
9/10/2009 8:46 AM
 

hi all,

just for those who might be interested...

I've updated the reports 05.01.00 vbproj to work with Visual Web Developer 2008 Express and, by changing 3 rows in the source, added support for tokens in reports.

just to be sure what is meant by 'token':

now you can make a SQL query like this:

select top 10 '[Tab:TabName]' as currentTab, tabID from tabs

where [Tab:TabName] is one of the DNN system tokens ([User:DisplayName], [Portal:PortalName], .....)

if anybody is interested I can send the sources. The version is the same as the API remains the same and there are no other changes in the source, so anybody can replace the dll only ;-)

+ I did a report xsl template that can display a WMS map with custom table data (structure x, y, someName), like this (jesus, I can't upload an image to the forum, uaaah!). ok, if anybody is interested I will post a link on some other server.

 

 
New Post
9/10/2009 1:23 PM
 

Please note that the reason for the lack of token support in the Reports module is to avoid SQL Injection attacks by not using String.format or Regular Expressions on the SQL script (which the Token Replace API does).  You're absolutely welcome to make some changes to your own copies and even redistribute those (as long as you don't claim it's the official version), but do be aware of the possible SQL Injection attack vector.  There are plans to introduce a secure parameter system which offers the same features without the risk of SQL Injection attack.


Andrew Nurse
DotNetNuke Core Team Member and Reports Module Project Lead
Microsoft Certified Professional Developer

 
New Post
9/10/2009 3:37 PM
 

Andrew,

could you please explain what exactly you mean by SQL injection?

for me, tokens in reports are a mandatory function. I need to create specific content of the report output based on the page and user where this module is attached (I will have thousands of different pages with the same Report control)

this control is enabled for edit only by the superuser and normal website users can only see reports. It is a part of workflow mgmt and the report module shows the progress and status of the workflow for a particular user/page/portal, etc.

Nobody can create a user on my site (like a user with user name 'truncate tabs' ;-) because I must use private user registration

nobody is allowed to create a new tab with a suspicious name....

I guess that in this case there is no SQL injection risk?

What do you think?

 
New Post
9/10/2009 6:31 PM
 

I'd agree with you that in your specific situation, there is very little SQL injection risk.  However, the reason I chose not to use Token Replace in the Reports module was that the same cannot be said for all situations involving Token Replace (for example, using a token that uses a username or profile property which hasn't been properly scrubbed for SQL commands).  That's why the official build does not, at this time, use Token Replace.  The plan is to use SQL Parameters to provide all the same functionality, but that has not been implemented yet due to time constraints.

Open-source is all about modifying code to make it suit your needs, so I have no problem at all with your workaround and I have no problem with you distributing it to others who are encountering the same problems.  I just wanted to caution you and anyone else using this code to be aware of the risk.  You have clearly done some work to make sure your query is safe from SQL Injection, I just want to make sure everyone else who does this is also aware of the potential risks.

Thanks for using and extending the module!  I hope we can make your workaround unnecessary in the next version, but since the Reports module is a volunteer project and I am the only contributor (at the moment) it is taking longer than I had hoped.


Andrew Nurse
DotNetNuke Core Team Member and Reports Module Project Lead
Microsoft Certified Professional Developer

 
New Post
9/11/2009 7:10 AM
 

Andrew,

I am not quite sure how you expect a SQL injection based on TokenReplace. TR has been built for use by module developers to enhance their modules with flexibility. It doesn't query the database itself, it just returns the properties of currently loaded objects (current user, tab, module, site, host) with several security levels added (passwords are never retrieved, most user details are returned to the user himself or admin only, etc.)


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
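
The disagreement above (Token Replace does not query the database, yet Andrew warns of SQL injection) comes down to where the token's value ends up: pasted into the SQL text it becomes part of the query's grammar, while as a bound parameter it stays data. The following is an added illustration, not code from the Reports module or DNN; the token syntax mirrors the thread's `[Tab:TabName]`, the `tabs` table and the tab names are constructed, and SQLite stands in for SQL Server (so `top 10` is omitted).

```python
import re
import sqlite3

# DNN-style token: [Object:Property], e.g. [Tab:TabName]
TOKEN_RE = re.compile(r"\[(\w+):(\w+)\]")


def build_db():
    """Constructed in-memory stand-in for the DNN 'tabs' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabs (tabID INTEGER, TabName TEXT)")
    conn.executemany("INSERT INTO tabs VALUES (?, ?)",
                     [(1, "Home"), (2, "Reports"), (3, "Admin")])
    return conn


def token_replace(sql, context):
    """Plain textual substitution: what a 3-line Token Replace patch does."""
    return TOKEN_RE.sub(lambda m: str(context[m.group(1)][m.group(2)]), sql)


def run_with_token_replace(sql, context):
    """Unsafe path: the token value is spliced into the SQL text itself."""
    return build_db().execute(token_replace(sql, context)).fetchall()


def run_parameterised(sql, context):
    """Hardened path (the 'secure parameter system' Andrew describes):
    every token becomes a '?' placeholder and its value is bound as data."""
    params = []

    def placeholder(m):
        params.append(str(context[m.group(1)][m.group(2)]))
        return "?"

    return build_db().execute(TOKEN_RE.sub(placeholder, sql), params).fetchall()


# Report author quotes the token in the textual version, not in the bound one.
VULNERABLE_SQL = "SELECT tabID FROM tabs WHERE TabName = '[Tab:TabName]'"
SAFE_SQL = "SELECT tabID FROM tabs WHERE TabName = [Tab:TabName]"

BENIGN = {"Tab": {"TabName": "Reports"}}
# A tab named with a quote: the "suspicious name" case from the thread.
HOSTILE = {"Tab": {"TabName": "Reports' OR '1'='1"}}


def demo():
    """Returns the four result sets so the difference can be inspected."""
    return {
        "replace_benign": run_with_token_replace(VULNERABLE_SQL, BENIGN),
        "replace_hostile": run_with_token_replace(VULNERABLE_SQL, HOSTILE),
        "param_benign": run_parameterised(SAFE_SQL, BENIGN),
        "param_hostile": run_parameterised(SAFE_SQL, HOSTILE),
    }
```

With the benign tab both paths return the single matching row; with the quoted name the textual path returns every tab because the value rewrote the WHERE clause, while the parameterised path simply finds no tab of that name.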
 