• [email protected] (Michael Earls) (unregistered)

    What's the website URL? That's some fancy security.

    "They'll never view the source"

  • df (unregistered)

    I've spent literally minutes looking for a way to get rid of that horrible flash.

    I'm with Michael, we need to have the URL in order to truly appreciate this masterful solution.

  • [email protected] (Haacked) (unregistered)

    Judging by this person's history, we can be pretty sure that the connection string connects as sa with no password. ;)

  • Phil Scott (unregistered)

    Rot in hell RDS.DataControl. Though I do appreciate giving us bitches the spec: "don't let it blink."

    I'm also liking the "SELECT Null as ID, '' as Fullname as union ..." code. Can someone justify that code for poor little me?

  • Justin Pitts (unregistered)

    That's to give the user a blank line to insert a new row into...

  • Tony (unregistered)

    Kinda gives me a warm fuzzy feeling to know that only a hacker with the complex knowledge to click the "View Source" right click menu item in I.E. can break my Database security.

  • Alex Papadimoulis (unregistered)

    Out of respect for my employer (who, by the way, are wonderfully nice people), I cannot reveal any URLs or even the company's name for that matter :-)

  • Phil Scott (unregistered)

    Thanks for the explanation, Justin. I had a scary thought that they were doing that to get the column names the way they wanted, or even worse accidentally navigating past the first row via code.

    Now that I think about it, I remember where I saw this code last. It was in some view someone had written. It kinda threw me off until I saw the ASP.NET page that was using the view:

    if dr.Read() then DataGrid1.DataBind

  • [email protected] (Hassan Voyeau) (unregistered)

    Unless we have 2 Alexes in the world, could this be?

    [editor: Link Deleted ... if you really want to know, Google yourself. Last thing I want to do is get in trouble for having referers to their site!]

    click on the staff link.

  • Google Power (unregistered)

    Google rules!

  • Frans Bouma (unregistered)

    "I'm also liking the the "SELECT Null as ID, '' as Fullname as union ..." code. Can someone justify that code for poor little me?"
    If the second query doesn't have any records, you still have a record with the proper fields. So you don't have to add code to deal with an empty recordset, there is always a record. (that's what I think the reason is, but looking at the page, it might well be because it rained or the lakers lost their game)

  • Joe (unregistered)

    There is another way, though it has its own issues.

    .NET Smart client (deploy rich client via IE).

    Flash application.

    No blinking and totally interactive.

  • Tim Cartwright (unregistered)

    Congratulations! You have just proved the theory that there is no limit to human stupidity.

  • Michael Savoy (unregistered)

    ::I think I would be performing a terrible misservice if I didn't share with you some of my favorite products perversions.::

    Whey're did youse lern Inglish? Theirs no such woid az MISSERVICE. Youse probablee meenz DISSERVICE but youse shood nose better then dat.

  • John S. (unregistered)

    Where did you learn to be an arsehole? Seriously who cares about a typo...honestly some people.

    Apologies for going off topic.

  • Andrew (unregistered)

    There's a course you can do.

  • Pete Bassett (unregistered)

    Either I've found the wrong web site or they've been tipped off. The Staff link just has some text saying its under construction blah blah...

    If I've found the right site anyway.

    Pete

  • Pete Bassett (unregistered)

    If you get there, apparently "layouts are hard"...

    ;-)

  • Simon (unregistered)

    That's so bad. I did love the data control (once you sorted out the ADCLaunch setting), but when I used it, it was to connect to custom objects on the server, read-only I must add, and the SQL fields were changed in the resultant sets.

    But I wouldn't use it now, even in an extranet. Never used it on the web, that would be insane.

  • Richard@Home (unregistered)

    If anyone is interested in avoiding the dreaded refresh, I've been trying some experiments:

    http://richardathome.no-ip.com/index.php?article_id=317

  • cablito (unregistered)

    as usual, "there is a perfectly reasonable reason for doing this"

  • Peter (unregistered)

    >Now who sees something wrong with this?
    Oh, let's see.
    1) change the sql to something like...
    "select * from sysobjects"
    2) change the sql to something like...
    "drop table tblWebGroupMembers"
    3) I always wanted to be a pharmacist, I think something like...
    "insert me into tblWebGroupMembers"
    4) who wants some happy pills?
    This one is so WTF, I need to go wash my mind out with beer to get rid of the smell.

  • Ron (unregistered)

    This is kind of a step towards thick client UIs like Gmail.

    Give me blinking any day.

  • Matthew W. Jackson (unregistered)

    Richard: That's very nice.

    Props for having it work in Firefox. I would have simply suggested using IE's page-transition feature.

  • Scott (unregistered)

    Now, now, don't just assume that any would-be hacker could see the source. Maybe they used some JavaScript to disable right-clicking and menus! Now they have flawless security.

  • Matthew W. Jackson (unregistered)

    Hah! Right-click disabled! Just shows you how few programmers actually know what that weird key between Windows and Control is.

  • DCD (unregistered)

    I must have a weird keyboard because I don't have any keys between CNTRL & Window. But I can do Shift F10 to simulate right-clicks.

  • Logio (unregistered)

    I always liked that HTML comment in one webpage I saw eons ago...

    <!-- Don't make me open a can of whoop-ass on you -->

  • Marvin Smit (unregistered)

    Telnet
    open {ip/dns} 80
    GET / HTTP/1.0{\r\n\r\n}

    Look mom, no IE ! ;)

  • Sean (unregistered)

    Dear God, please tell me I'm not seeing what I think I'm seeing

  • Bert (unregistered)

    Uhhuh,

    Even I can discourage hackers to hack by 'programming' this way...

  • Bushism (unregistered)

    >But I can do Shift F10 to simulate right-clicks

    Not on my PC you can't, you must be thinking of Alt F4

  • (unregistered)

    I think one of the reasons you don't see it more often on other pages is simply because of the security. I usually don't want to show the user the SQL queries being performed on the database.

  • (cs) in reply to Logio

    I don't care how much anti-right-click javascript you write.  I can disable all javascript at will, and view whatever source I like! :)

  • cbhacking (unregistered)

    To everybody commenting on the plaintext connection string, bear in mind that if implemented correctly, it needn't be a major security hole. Create a user with almost no access (read-only, preferably only through a specific View or SProc). Assuming the default accounts are well-locked and the web server has no major security vulnerabilities that can be exploited just by knowing its address, you're probably OK.

    Perhaps a more important question is what platforms are expected to access this page? It'll work in IE on Windows, so long as scripting of ActiveX controls is enabled. It might work in Firefox on Windows - not sure about that though. Non-Windows (including IE for Mac) seems a little unlikely...
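
    Added example, written for this page and not code from the article or any commenter. It plays out the three substitutions Peter lists above (enumerate the schema, drop the table, insert a row) against a server that executes whatever SQL text arrives from the page, then repeats them against the read-only identity cbhacking describes, and finally shows the pattern neither comment spells out: the client sends a query name and parameters, never SQL. An in-memory SQLite database stands in for the SQL Server behind the RDS.DataControl page; tblWebGroupMembers is the table name Peter quotes, the ID and Fullname columns follow Phil Scott's quoted SELECT, and the row contents are constructed for the demo. PRAGMA query_only is SQLite's stand-in for a login that holds SELECT on one view and nothing else.

```python
# Added example, not from the article or the comments. SQLite in memory
# stands in for the SQL Server behind the RDS.DataControl page. Table name
# from Peter's comment, column names from Phil Scott's; row data constructed.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the site's real table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tblWebGroupMembers (ID INTEGER PRIMARY KEY, Fullname TEXT)"
    )
    con.executemany(
        "INSERT INTO tblWebGroupMembers (Fullname) VALUES (?)",
        [("Alice Example",), ("Bob Example",)],
    )
    con.commit()
    return con


def build_readonly_db() -> sqlite3.Connection:
    """cbhacking's mitigation: the identity the page connects as can only read.

    PRAGMA query_only is SQLite's stand-in for a SQL Server login granted
    SELECT on one view and nothing else. On a real server that restriction is
    a GRANT the client cannot undo by sending different SQL text."""
    con = build_db()
    con.execute("PRAGMA query_only = 1")
    return con


def run_client_sql(con: sqlite3.Connection, sql: str):
    """Models the page as the comments describe it: whatever SQL text sits in
    the (editable) page source is executed verbatim. Returns ("ok", rows) or
    ("error", message) so a caller can see what each substitution achieved."""
    try:
        rows = con.execute(sql).fetchall()
        con.commit()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))


# The real fix: the client never sends SQL. It sends a query *name* plus
# parameters, and the server owns the statements (hypothetical names).
ALLOWED_QUERIES = {
    "members": "SELECT ID, Fullname FROM tblWebGroupMembers ORDER BY Fullname",
    "member_by_id": "SELECT ID, Fullname FROM tblWebGroupMembers WHERE ID = ?",
}


def run_named_query(con: sqlite3.Connection, name: str, params=()):
    """Server-side lookup of an allow-listed, parameterised statement."""
    sql = ALLOWED_QUERIES.get(name)
    if sql is None:
        return ("error", "unknown query")
    if sql.count("?") != len(params):
        return ("error", "wrong number of parameters")
    return ("ok", con.execute(sql, tuple(params)).fetchall())


def table_still_exists(con: sqlite3.Connection) -> bool:
    """True while tblWebGroupMembers is still in the catalogue."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='tblWebGroupMembers'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    # Peter's substitutions, replayed against the trusting design.
    con = build_db()
    print(run_client_sql(con, "SELECT name FROM sqlite_master"))  # schema leaks
    print(run_client_sql(con, "INSERT INTO tblWebGroupMembers (Fullname) VALUES ('Peter')"))
    print(run_client_sql(con, "DROP TABLE tblWebGroupMembers"))   # table gone
    print("table survives:", table_still_exists(con))

    # Same substitutions against the read-only identity: writes fail, but
    # the schema still leaks, which is why "probably OK" is the honest verdict.
    ro = build_readonly_db()
    print(run_client_sql(ro, "DROP TABLE tblWebGroupMembers"))
    print(run_client_sql(ro, "SELECT name FROM sqlite_master"))
    print("table survives:", table_still_exists(ro))

    # Named queries: the attacker's text is a lookup key, not a statement.
    print(run_named_query(build_db(), "member_by_id", (1,)))
    print(run_named_query(build_db(), "DROP TABLE tblWebGroupMembers"))
```

    Run it as a script to see the three outcomes side by side. The read-only run is the interesting one: the DROP and INSERT are refused, but the catalogue query still returns every table name, so a low-privilege identity turns a data-loss bug into an information-disclosure bug rather than making the design safe. Only the named-query server, which treats client input as a key into its own statements, removes the problem.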

Leave a comment on “Avoiding the dreaded Refresh”