Disable ASP.NET Form Button

When providing buttons on a web page, we may wish to show a particular button as ‘greyed out’, signifying that it is more generally available for use, but not for the task we are undertaking.

An example of this would be an edit button.

If the content we are adding (perhaps the details for a user) is new then it would be inappropriate to be able to click on a button to edit the details.

In this example the editor used is Visual Studio as a part of a DotNetNuke module. The file edited is the presentation view, perhaps a file called default.ascx.

To grey the text on a button simply add the word disabled to the button definition.

<input id="edit" disabled="disabled" type="submit" value="Edit" name="edit">

It looks strange but I’ve found that the word disabled should be within speech marks.

Formatting Datagrid Data Text Two Ways

Data grid output can be formatted differently for the public/normal view and the edit view.

In this example both methods are used.

Using inline table row editing with a DataGrid I wished to change the formatting according to its state.

To illustrate this I have included below an example template column.

<HEADERSTYLE HorizontalAlign="Center"></HEADERSTYLE>
<ITEMTEMPLATE>
  <asp:Label Text='<%# DataBinder.Eval(Container, "DataItem.price", "{0:c}") %>' runat="server">
  </asp:Label>
</ITEMTEMPLATE>
<EDITITEMTEMPLATE>
  <asp:TextBox id="price" Text='<%# DataBinder.Eval(Container, "DataItem.price", "{0:N2}") %>' runat="server" Columns="6">
  </asp:TextBox>
</EDITITEMTEMPLATE>

We are able to format the content of the DataGrid cell by one of two methods, dependent upon whether the column is a bound column or whether it is a template column.

As can be seen two different formatting styles are used.

When the DataGrid is viewed normally the currency format is displayed. When the row is being edited we switch to a 2 decimal place view, which provides the number in a suitable format without the currency symbol. After all, a currency symbol within the textbox would give us an extra, unnecessary item to handle.

Bound column

For the bound column I’ve added DataFormatString="{0:N2}%" to the definition of the column.

Looking at the table below, we can see that in our example, we shall format the column to have two digits after the decimal point, followed by a percentage sign.

Template column

For the template column I’ve added the formatting into the reference to the data:

text='<%# DataBinder.Eval(Container, "DataItem.Total", "{0:N2}%") %>'

Formatting

The table below summarises the formatting expressions with their results.

| Expression | Description |
| --- | --- |
| {0:C} | Currency item based on the locale. For example £29.99 |
| {0:D4} | A number of the set number plus 1. For example 00124 |
| {0:N2}% | A number with two decimal places, followed by a percentage sign |
| {0:0.0} | A number rounded to one decimal place. |
| {0:D} | The date represented as a long string. For example Monday, 20 July 2004 |
| {0:dd-MM-yy} | The number as defined by the day, month and year code. For example 20-07-04 |

Differences Between Form Methods Post and Get

HTML forms may post or get their submission.

The method attribute, either post or get, prescribes to the browser how the form data is to be sent back to the server.

For reference here’s a typical form declaration, on an HTML page

<form action="contact.php" method="get">

As shown, there is the form tag together with the action, which names the destination handler, and our point of interest, the method. Here it’s set to get.

So what’s the difference between the two methods of form submission?

Does it matter which I choose?

Post

The completed form field entries are sent within the body of the HTTP request.

This allows the collected form entry data to be of any size. Ideal if there’s a lot of data collection involving free form content areas.

However, because the field entries make no change to the URL, there are no page variations to bookmark.

Refreshing the browser page after a submission will cause an alert asking whether the user wishes the data to be re-submitted. Server form handling protection against duplicate form submission should be considered.

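Post also allows the submission of binary data, for example the uploading of images.

With this approach the completed field entries are not placed in the URL, so they are kept out of bookmarks and the browser history. This is what makes it the more secure of the two methods, although the request body is only protected in transit when the form is submitted over HTTPS.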

If you are changing content, for example your user profile, password or address, then the post method is the one to use.

Get

This is the default form method. Without specifying the form method in the form tag it will be assumed to be of method type get.

With the get method the form data is more visible.

The fields and their values are passed in the URL as name=value query string parameters. For example:

www.example.com/index.php?typ=fruit&cat=6

With the form data in the URL the page can be bookmarked. Similarly as the parameters have been sent within the URL they are also a part of the browser history.

Beware, there’s a restriction on the length of the address URL. The available length is only 3000 characters, including your domain name and the path to the page on which your form sits. Too long and the parameters may be lost as the URL is truncated.

Consider whether shortening the form labels, or restructuring your answers, will keep within the restriction. Have you simply too many fields on your form? Then it ought to be the post method.

Because the get approach puts the form values in the address it is deemed to be insecure. Definitely not the method to be used for username and password submission.

On refreshing the browser the request will be executed once again, but the entries won’t be re-submitted to the server where the browser has cached them.

If the form is used to view data, perhaps an online catalogue of products, then the get method is appropriate. The pages can be bookmarked and saved for later. Search engine indexing will be for the individual products and categories.
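Because get puts the field values in the URL, they also end up in the web server's access log. The following is an added example, not code from the original post: it scans access log lines for sensitive fields submitted by get and masks their values. The list of sensitive field names and the sample log lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Field names treated as sensitive: an assumption for this example.
SENSITIVE = {"username", "password", "passwd", "email", "token"}

# The quoted request in a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines: a catalogue search, a get login, a post login.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jul/2004:10:00:01 +0000] "GET /index.php?typ=fruit&cat=6 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jul/2004:10:00:09 +0000] "GET /login.php?username=alice&password=hunter2 HTTP/1.1" 200 734',
    '198.51.100.7 - - [20/Jul/2004:10:00:15 +0000] "POST /login.php HTTP/1.1" 302 0',
]


def exposed_fields(log_line):
    """Return the sensitive field names whose values were logged in the URL."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE)


def redact(log_line):
    """Mask sensitive query-string values before the line is stored or shared."""
    def mask(match):
        parts = urlsplit(match.group("target"))
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        masked = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
        target = urlunsplit(parts._replace(query=urlencode(masked)))
        return f'"{match.group("method")} {target} {match.group("proto")}"'
    return REQUEST_RE.sub(mask, log_line, count=1)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(exposed_fields(line), redact(line))
```

The post login produces no finding because its field values travel in the request body, which the access log does not record.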


Changing Login Text Username or Email Address

Having disabled email addresses for WordPress login I wanted to change the text which was shown.

On the login dialogue it was showing

Username or Email Address

above the first textbox.

The mention of Email Address was now wrong and misleading.

To do this I added the following to the functions.php file

add_filter( 'gettext', 'vntweb_user_login' );
add_filter( 'ngettext', 'vntweb_user_login' );
function vntweb_user_login( $translated ) {
  $translated = str_ireplace( 'Username or Email Address', 'Username', $translated );
  return $translated;
}

Add Browser Redirection to ASP.NET File

Perhaps a page was created with a spelling error, or a reorganisation of the website means that a particular page has been renamed.

We wish to redirect our visitors to the page to a different address.

In the example below it’s assumed that the website page has moved to www.example.com/fruit-and-veg/.

We wish to tell the browser to redirect to the new page name by adding a short snippet of code to the page.

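<script runat="server">
// Runs on each request for this page, before any content is rendered.
private void Page_Load(object sender, System.EventArgs e)
{
    // Tell the browser that the page has moved permanently...
    Response.Status = "301 Moved Permanently";
    // ...and give it the new address.
    Response.AddHeader("Location", "http://www.example.com/fruit-and-veg/");
}
</script>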

The code example above can be added to the page. This is for a dynamic asp.net page. It won’t work for a static HTML page.

In the above I’ve included the notification that the change is permanent.

Browsers will cache the redirect, after all you’ve told the browser that you no longer wish the old page to be visited. You may find forcing browsers to adopt a change back difficult to achieve, with the browser reluctant to discover the change. A further permanent redirect back again may be used.

I’ve illustrated the example using a permanent redirect. But, as noted, it’s possible that the browsers will equally permanently cache your rule. If it’s wrong then amending it may well be ignored. Experiment first with a temporary redirect, just to be safe.

If it’s your intention to redirect more than the single page, perhaps a whole menu section, by adding the redirect into a common header file, then you may wish to reconsider your approach and make use of the file web.config instead.

Comparison of Font Sizes

I wanted a comparison between the different pixel and point sizes.

I’ve listed the increasing numerical size for each series side-by-side, illustrating how points get progressively larger.

In the table below I’ve set the style in the pixel and point columns such that it’ll over-ride the CSS configured elsewhere.

| Size | Pixel (px) | Point (pt) |
| --- | --- | --- |
| 7 | Distaghil Sar | Pakistan |
| 8 | Himalchuli | Nepal |
| 9 | Gasherbrum IV | Pakistan |
| 10 | Annapurna II | Nepal |
| 11 | Gasherbrum III | Pakistan – China |
| 12 | Gyachung Kang | Nepal – China |
| 13 | Shishapangma | China |
| 14 | Gasherbrum II | Pakistan – China |
| 15 | Broad Peak | Pakistan – China |
| 16 | Gasherbrum I | Pakistan – China |
| 17 | Annapurna I | Nepal |
| 18 | Nanga Parbat | Pakistan |
| 19 | Manaslu | Nepal |
| 20 | Dhaulagiri I | Nepal |
| 21 | Cho Oyu | Nepal – China |
| 22 | Makalu | Nepal – China |
| 23 | Lhotse | Nepal – China |
| 24 | Kangchenjunga | Nepal – India |
| 25 | K2 | Pakistan – China |
| 26 | Mount Everest | Nepal – China |

The simple table looked boring and uninviting with just the two initial columns: one for pixel and one for point sizes. So I’ve replaced these by columns with the highest mountains and their countries, as derived from Wikipedia.

Warning: preg_match(): Compilation failed: two named subpatterns have the same name at offset 75

I was using the ARVE video embedder plugin on WordPress.

Observing a page referencing either Vimeo or YouTube I saw the error:

Warning: preg_match(): Compilation failed: two named subpatterns have the same name at offset 75 in /wp-content/plugins/advanced-responsive-video-embedder/public/functions-shortcode-filters.php on line 255 

Disabling plugins didn’t cure the issue.

And reverting to the default TwentySeventeen theme didn’t resolve the issue.

I configured another website with the plugin with the aim of comparing the two websites. There was no error!

ARVE has a handy Debug Info tab on its settings page. I used this to compare the two websites.

Here’s the part of interest:

ARVE Version:      8.9.10
ARVE-Pro Version:  NOT INSTALLED
WordPress Version: 4.9.8
PHP Version:       5.6.38

The working website was running version 7 of PHP.

I switched the version on the erroring site to 7.0. The error message disappeared.

htaccess Difference Between Files and FilesMatch

Whilst writing the two recent articles about blocking xml-rpc access and the matching of files in htaccess.

.htaccess uses Files and FilesMatch to control access to files.

For example for the single file wp-config.php

<Files "wp-config.php">
Order Allow,Deny
allow from all
deny from 192.0.2.52
</Files>

There’s also

<FilesMatch "\.(gif|jpe?g|png)$">
Order Allow,Deny
allow from all
deny from 192.0.2.52
</FilesMatch>

So what’s the difference and when should each be used?

Well none really. It’s all about presentation and making the reading of the file easier to view.

When reading down the file it is better to see a single Files entry and expect a corresponding single file, in this case wp-config.php, and to see FilesMatch where there is a multiple match of files, as with the number of image extensions given. Again the FilesMatch leads the reader to expect that the match will be multiple files.

In the above two examples the files section is used to define the matching criteria and to set the actions associated.

I’ve shown two different examples of file selection, but both are configured to allow access to their respective matching files to all visitors, except the single IP address.

Both of the above two examples are code added to the file .htaccess in the root of the website with the purpose of governing the access to files of the website.

An example of this code in use is in the blocking of xml-rpc.

DotNetNuke Admin Pages

DotNetNuke divides the admin pages for a website into two sections:  common settings and advanced settings.

To view the admin options hover over the

Section Common Settings covers:

Section Advanced Settings covers …

Blocking xml-rpc Access

I’ve heard that I should disable xml-rpc on a WordPress website.

Why should I disable it and how?

XML-RPC What is it? And how to Disable.

What is xml-rpc?

This is the connection for the WordPress API interface.

It allows apps such as the WordPress app on an iPhone or Android device to connect to the WordPress website. With the app I can readily edit and create blog posts.

No need to navigate to the website with a browser to login and perform these actions.

It is also used for Trackbacks and Pingbacks, whereby the website checks to see who is referencing its post content.

The popular JetPack plugin, developed by Automattic, relies heavily on the use of xml-rpc.

Why would you want to restrict it?

It poses a security risk.

An attempt to gain access this way is potentially less likely to be detected.

It has the potential to be the target of a denial of service attack.

How to restrict it?

xml-rpc is implemented using the file xmlrpc.php.

Access to the file can be restricted completely or limited to configured IP addresses.

To do this we’ll use the file .htaccess, located in the root of the website, restricting file access by IP Address.

Here’s the block of lines which we’ll add to the file.

# block xml-rpc
<Files "xmlrpc.php">
Order Deny,Allow
deny from all
allow from 192.0.2.52
</Files>

We’ll choose to set the order as deny first then allow

Order Deny,Allow

This allows us to block all sites with the simple

deny from all

A one line global block on access.

If we are implementing a full restriction on access that’s all we would need.

But to allow access from a single IP address we add the following

allow from 192.0.2.52

Further instances of this can be added with single IP addresses or ranges.
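How the Order line decides the outcome is easier to see when evaluated for specific visitors. The following is an added example, not code from the original posts: a small model of Order/Allow/Deny evaluation applied to the xmlrpc.php block above and to the wp-config.php block from the Files and FilesMatch article. The second client address, 203.0.113.9, is a constructed sample, and only "all", single IP addresses and CIDR ranges are handled.

```python
import ipaddress

# The two rule sets shown on this page, transcribed as data.
XMLRPC = {"order": "Deny,Allow", "allow": ["192.0.2.52"], "deny": ["all"]}
WP_CONFIG = {"order": "Allow,Deny", "allow": ["all"], "deny": ["192.0.2.52"]}


def matches(client, specs):
    """True if client falls within any spec: 'all', a single IP or a CIDR range."""
    addr = ipaddress.ip_address(client)
    return any(
        spec.lower() == "all" or addr in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )


def is_allowed(order, allow, deny, client):
    """Decide access for one client IP the way Order/Allow/Deny does."""
    allowed = matches(client, allow)
    denied = matches(client, deny)
    order = order.lower()
    if order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it,
        # and a client matching neither list is let in.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first, a matching Deny overrides it,
        # and a client matching neither list is refused.
        return allowed and not denied
    # Apache takes the order as one argument: no space after the comma.
    raise ValueError(f"invalid Order value: {order!r}")


if __name__ == "__main__":
    for name, rules in (("xmlrpc.php", XMLRPC), ("wp-config.php", WP_CONFIG)):
        for client in ("192.0.2.52", "203.0.113.9"):
            print(name, client, is_allowed(client=client, **rules))
```

Order, Allow and Deny are the Apache 2.2 access directives, available on Apache 2.4 through mod_access_compat; the native 2.4 form of the xml-rpc restriction is a single Require ip 192.0.2.52 line inside the same Files section.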

Further thoughts

It’s going to be a compromise. Is there a plugin or app which you can’t do without? If the answer is yes then completely shutting down xml-rpc is probably not going to be an option.

Maybe restrict the access to a limited range of IP addresses. Depending upon what you wish to connect to it this may be an option. Do you only blog with the WordPress app from a fixed location? Then not a problem.

If none of these is an option for you then leaving access to xml-rpc open will be your option.

Anything more?

Yes, you can use one of the WordPress security plugins to monitor and take action against attempts to gain access via xml-rpc.

And there’s the development of the WordPress REST API – check to see whether there’s an equivalent of your must-have app or program which uses this.
