AES encryption in asp.net

  • Question

  • User-1078128378 posted

    Hi All,

    I am encrypting data using AES.

    I am using the following code

    using System;
    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    public string Encrypt(string clearText)
    {
        string EncryptionKey = "123";
        byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
        using (Aes encryptor = Aes.Create())
        {
            // Key and IV are both derived from the password with PBKDF2 and a fixed salt,
            // so the same clear text always produces the same ciphertext.
            Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey,
                new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
            encryptor.Key = pdb.GetBytes(32);
            encryptor.IV = pdb.GetBytes(16);
            using (MemoryStream ms = new MemoryStream())
            {
                using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(clearBytes, 0, clearBytes.Length);
                    cs.Close(); // flushes the final padded block into ms
                }
                // Standard base64: the alphabet contains '+' and '/' and the output is padded with '='
                clearText = Convert.ToBase64String(ms.ToArray());
            }
        }
        return clearText;
    }

    When I call it like this

    string ciphertext = Encrypt("User5223");

    I am getting the following ciphertext.

    8tngR2QfbvLAr+WC9wQx3fSplkBR107WS7gj5jTIwOA=

    The above ciphertext contains the + and = operators.

    Now I don't want my extracted string to contain the following characters:

    +

    =

    /

    I don't want to use string functions to remove those characters.

    Is it possible to restrict those characters at the time of encrypting the data?

    Thanks,

    Murali.

    Monday, January 12, 2015 1:19 AM


All replies

  • User-760709272 posted

    If you explain why you don't want those characters someone might be able to offer a solution.  If it is because you are passing them on a querystring then use Server.UrlEncode.

    Monday, January 12, 2015 4:19 AM
  • User-1078128378 posted

    Hi Aidy,

    Thanks for the reply.

    I am accessing this value from the querystring

    and I am passing it to SQL Server like

    http://localhost:61660/User/View.aspx?v=KwFPCkLCkMFTut4MjH1rmEDbmkdDiiYPDcPrLqpq8sI=

    select * from userviewdata where viewid='KwFPCkLCkMFTut4MjH1rmEDbmkdDiiYPDcPrLqpq8sI='

    but I am getting this error

    Server Error in '/' Application.

    Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

    Exception Details: System.Data.SqlClient.SqlException: Subquery returned more than 1 value. This is not permitted when the subquery follows =, !=, <, <= , >, >= or when the subquery is used as an expression.

    Source Error: 

    Line 102:                cmd.CommandType = CommandType.StoredProcedure;
    Line 103:                cmd.Parameters.Add("@ViewId", ViewId);                
    Line 104:                using(SqlDataReader dr=cmd.ExecuteReader())
    Line 105:                {
    Line 106:                    dr.Read();

    As I observed, if the ciphertext doesn't contain any characters like (= or +) the query executes fine;

    otherwise it returns the above error.

    Monday, January 12, 2015 4:34 AM
  • User-760709272 posted

    I can't see those characters having that effect; however, it depends what "userviewdata" is.  Is it some kind of view?  Could you post the SQL for it?

    Monday, January 12, 2015 4:44 AM
  • User-1078128378 posted

    Hi Aidy,

    It is not a view table;

    I posted it just as an example.

    I am using the following SP.

    USE [Wishes]
    GO
    /****** Object:  StoredProcedure [dbo].[usp_getEcardByViewId]    Script Date: 01/12/15 3:18:08 PM ******/
    SET ANSI_NULLS ON
    GO
    SET QUOTED_IDENTIFIER ON
    GO
    -- =============================================
    -- Author:      <Murali>
    -- Create date: <Jan/10/2014>
    -- Description: <to get the view data>
    -- =============================================
    ALTER PROCEDURE [dbo].[usp_getEcardByViewId]
        @ViewId varchar(Max)
    AS
    BEGIN
        declare @flag bigint
        -- the subquery must return exactly one row; more than one matching ViewId
        -- raises "Subquery returned more than 1 value"
        set @flag = (select m.CardId from Master_SendCards m, Child_SendEcards c where m.SendId = c.SendId and c.ViewId = @ViewId)
        if (@flag > 0)
        begin
            select ImagePath, ImageName from MasterCards where Card_Id = @flag
        end
        else
        begin
            select -101 -- means invalid viewid
        end
    END


    and I get the query string like this

    http://localhost:61660/User/View.aspx?v=KwFPCkLCkMFTut4MjH1rmEDbmkdDiiYPDcPrLqpq8sI=

    and I am using the code below in the View.aspx.cs page

    using System;
    using System.Configuration;
    using System.Data;
    using System.Data.SqlClient;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.QueryString["v"] != null)
        {
            // Request.QueryString values are already url-decoded by ASP.NET
            LoadCard(Request.QueryString["v"].ToString());
        }
    }

    private void LoadCard(string Id)
    {
        //Id = Server.UrlDecode(Id);
        //Response.Write(Id);
        EcardSendBAL ob = new EcardSendBAL();
        string Img = ob.getEvent(Id);
        if (Img != "-101") // -101 is what the stored procedure returns for an unknown viewid
        {
            imgView.ImageUrl = Img;
        }
        else
        {
            lblError.Text = "Invalid Request";
        }
    }

    public class EcardSendBAL
    {
        public string getEvent(string Enviewid)
        {
            return new EcardSendDAL().getEvent(Enviewid);
        }
    }

    public class EcardSendDAL
    {
        private string _ConStr = ConfigurationManager.ConnectionStrings["Db"].ConnectionString;

        public string getEvent(string ViewId)
        {
            using (SqlConnection con = new SqlConnection(_ConStr))
            {
                con.Open();
                using (SqlCommand cmd = new SqlCommand())
                {
                    cmd.Connection = con;
                    cmd.CommandText = "usp_getEcardByViewId";
                    cmd.CommandType = CommandType.StoredProcedure;
                    // the value travels as a parameter; it is never concatenated into SQL text
                    cmd.Parameters.Add("@ViewId", ViewId);
                    using (SqlDataReader dr = cmd.ExecuteReader())
                    {
                        dr.Read();
                        // first column of the single-row result: ImagePath, or -101
                        return dr[0].ToString();
                    }
                }
            }
        }
    }


    Monday, January 12, 2015 4:52 AM
  • User-760709272 posted

    You will have more than one entry in Master_SendCards that has the ViewId you are passing in.  If that is allowed then maybe you want something like

    set @flag=(select top 1 m.CardId from Master_SendCards ....

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 12, 2015 4:56 AM
  • User-1078128378 posted

    Hi Aidy,

    I changed the query as you suggested.

    The problem was solved.

    But now I find another problem,

    i.e.

    I got this view id

    http://localhost:61660/User/View.aspx?v=8tngR2QfbvLAr+WC9wQx3QmOkzMObZ7cmX6ejXTwf6I=

    in page load i wrote like this

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.QueryString["v"] != null)
        {
            LoadCard(Request.QueryString["v"].ToString());
        }
    }

    private void LoadCard(string Id)
    {
        //Id = Server.UrlDecode(Id);
        //Response.Write(Id);
        EcardSendBAL ob = new EcardSendBAL();
        string Img = ob.getEvent(Id);
        if (Img != "-101")
        {
            imgView.ImageUrl = Img;
        }
        else
        {
            lblError.Text = "Invalid Request";
        }
    }

    When I checked in debug mode

    I find the value of the string Id in the LoadCard method is

    Id=8tngR2QfbvLAr WC9wQx3QmOkzMObZ7cmX6ejXTwf6I=

    but in the SQL table the original value is

    8tngR2QfbvLAr+WC9wQx3QmOkzMObZ7cmX6ejXTwf6I=

    The + symbol is discarded there, so I am not getting any value.

    How can I solve this issue?

    Monday, January 12, 2015 5:25 AM
  • User-1078128378 posted

    It seems I am not catching the query string value exactly.

    Monday, January 12, 2015 5:25 AM
  • User-760709272 posted

    When you create the url with the parameter on the querystring you need to use UrlEncode

    string x = "8tngR2QfbvLAr+WC9wQx3QmOkzMObZ7cmX6ejXTwf6I=";
    string url = "/User/View.aspx?v=" + Server.UrlEncode(x);

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 12, 2015 5:29 AM
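    The mechanism behind the accepted answer, and a way to keep the problem characters out of the value in the first place, as an added example that is not code from this thread: it reuses the ciphertext value posted above, assumes a reference to System.Web (the ASP.NET assembly), and the class and method names are made up for the demo.

```csharp
// Added example (not from the thread). Shows why a '+' in a standard-base64
// ciphertext vanishes on the query string, and two ways to avoid it.
// Assumes a reference to System.Web; QueryStringDemo and its methods are made up.
using System;
using System.Web;

static class QueryStringDemo
{
    // Standard base64 output, exactly as the thread's Encrypt() method produces it.
    const string StdBase64 = "8tngR2QfbvLAr+WC9wQx3QmOkzMObZ7cmX6ejXTwf6I=";

    // What Request.QueryString["v"] sees for a raw query string: ASP.NET
    // url-decodes the value, so a literal '+' becomes a space.
    static string ValueAsSeenByPage(string rawQuery)
    {
        return HttpUtility.ParseQueryString(rawQuery)["v"];
    }

    // Fix 1 (the accepted answer): encode when building the link, so '+' travels
    // as %2b and '=' as %3d, and the page gets the original string back.
    static string BuildEncodedLink(string value)
    {
        return "/User/View.aspx?v=" + HttpUtility.UrlEncode(value);
    }

    // Fix 2 (answers the opening question): the '+', '/' and '=' come from the
    // base64 step, not from AES, so emit a url-safe token instead. UrlTokenEncode
    // uses '-' and '_' and replaces the '=' padding with a digit, so the token
    // needs no escaping on a query string and round-trips through UrlTokenDecode.
    static string ToUrlToken(string stdBase64)
    {
        return HttpServerUtility.UrlTokenEncode(Convert.FromBase64String(stdBase64));
    }

    static string FromUrlToken(string token)
    {
        return Convert.ToBase64String(HttpServerUtility.UrlTokenDecode(token));
    }

    static void Main()
    {
        // Unencoded link: the '+' is turned into a space and the lookup fails.
        Console.WriteLine(ValueAsSeenByPage("v=" + StdBase64));
        // Encoded link: the value reaches the page intact.
        string link = BuildEncodedLink(StdBase64);
        Console.WriteLine(link);
        Console.WriteLine(ValueAsSeenByPage(link.Substring(link.IndexOf('?') + 1)) == StdBase64);
        // Url-safe token: no '+', '/' or '=' at all, and it decodes back to the same bytes.
        string token = ToUrlToken(StdBase64);
        Console.WriteLine(token);
        Console.WriteLine(FromUrlToken(token) == StdBase64);
    }
}
```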
  • User-1078128378 posted

    Thanks Aidy,

    problem solved.

    I have a small doubt: in future, if the query string contains any characters like

    / slash

    = equals

    then may I get any problem with the SQL query?

    Monday, January 12, 2015 5:42 AM