code upgrade

skf/markdown/code_examples/asp/1-code_example--File_upload--.md

@@ -13,47 +13,26 @@ File upload
 	using System.Xml;
 
 	namespace MvcApplication1.Controllers
-	{
+	{ 
 		public class auditLogs
 		{
+
+			private bool continueFunction = true;
+			validation validate = new validation();
+
 			//We check for form submit
 			public void upload(HttpPostedFileBase file)
 			{
 				//We get the filename for doing different types of tests on it
 				string test = file.FileName;
 
 				/*
-				Here we define a blacklist of different path traversal patterns in order to prevent an 
-				attacker to upload files outside of the unintended
-				directory.
+				First we check if the value is alphanummeric only to prevent uploading out of intended directory, 
+				as wel as other injections
 				*/
-				string[] evil = new string[] { @"%2e%2e%2f", "../", "%2e", "%5c", "%252e", "%c0%af", "%c1%9c" };
-
-				bool continueFunction = true;
-
-				foreach (string item in evil)
+				if (validate.validateInput(test, "alphanummeric", "validation failed", "HIGH") == false)
 				{
-					Regex regex = new Regex(item);
-					Match match = regex.Match(test);
-
-					if (match.Success)
-					{
-						/*
-						this breach has to be repported into the log files
-						Log.SetLog(Session['userID'], "Untrusted userinput in HOME, date, FAIL, HIGH");
-						*/
-
-						/*
-						Set counter; if counter hits 3, the user's session must be terminated.
-						After 3 session terminations the user's acount must be blocked.
-						For detailed information see the "Audit logs" in code examples.
-						In this example the user was tampering the application's operation so immediate lockout will be followed
-						*/
-
-						//Setcounter.count(3);
-						continueFunction = false;
-						HttpContext.Current.Response.Write("Caught a path traversal");
-					}
+					continueFunction = false;
 				}
 
 				/*
@@ -65,15 +44,14 @@ File upload
 				*/
 				string[] StrSpli = test.Split('.');
 				int count = StrSpli.Count() - 1;
-			
+
 
 				if ((StrSpli[count] != "png") && (StrSpli[count] != "jpg"))
 				{
 					continueFunction = false;
 					HttpContext.Current.Response.Write("end of function");
 				}
 
-			
 				/*
 				 If the file came through all the different checks, it is time to upload the file to your system. 
 				 */
@@ -126,5 +104,3 @@ File upload
 			}
 		}
 	}
-
-

skf/markdown/code_examples/asp/10-code_example--Anti_clickjacking_headers--.md

@@ -3,17 +3,19 @@ Anti clickjacking headers
 
 **Example:**
 
-
+	/*
     One way to defend against clickjacking is to include a "frame-breaker" script in each 
 	page that should not be framed. The following methodology will prevent a webpage from 
 	being framed even in legacy browsers, that do not support the X-Frame-Options-Header.
 
 	In the document HEAD element, add the following:
 
 	First apply an ID to the style element itself:
+	*/
+
 	<style id="antiClickjack">body{display:none !important;}</style>
 
-    And then delete that style by its ID immediately after in the script:
+    //And then delete that style by its ID immediately after in the script:
 
     <script type="text/javascript">
 	   if (self === top) {

skf/markdown/code_examples/asp/13-code_example--Secure_session_cookies--.md

@@ -3,6 +3,7 @@ Secure session cookies
 
 **Example:**
 
+	/*
 	Whenever  a cookie is sent over a secured connection, the cookie should be set
 	with the secure flag, in order to guarantee the integrity of the data it contains.
 
@@ -14,7 +15,8 @@ Secure session cookies
 	override the setting in httpCookies, changing it's value back to false.
 
 	In that case, you need to add the requireSSL="true" attribute to the forms element as well.
-
+	*/
+
 	<system.web>
 		<authentication mode="Forms">
 			<forms requireSSL="true"> <-- secure flag
@@ -23,9 +25,10 @@ Secure session cookies
 		</authentication>
 	</system.web>
 
-	Or programmatically
+
+	//Or programmatically
 
-	C# Code:
+	//C# Code:
 
 	HttpCookie myCookie = new HttpCookie("AuthToken", guid);
 	HttpContext.Current.Response.Cookies.Add(myCookie);

skf/markdown/code_examples/asp/14-code_example--Session_cookies_HttpOnly--.md

@@ -3,7 +3,7 @@ Session cookies HttpOnly
 
 **Example:**
 
-
+	/*
 	Whenever a session is started, the "httpOnly" option should always be set
 	in order to prevent session data to be stolen by attackers.
 
@@ -15,12 +15,13 @@ Session cookies HttpOnly
 
     In .NET 2.0, HttpOnly can also be set via the HttpCookie object for all custom application 
     cookies via web.config in the system.web/httpCookies element
-
+	*/
+
 	<httpCookies httpOnlyCookies="true"> 
 
-    Or programmatically
+    //Or programmatically
 
-	C# Code:
+	//C# Code:
 
 	HttpCookie myCookie = new HttpCookie("AuthToken", guid);
 	HttpContext.Current.Response.Cookies.Add(myCookie);

skf/markdown/code_examples/asp/26-code_example--Random_password_token_generation--.md

@@ -27,9 +27,9 @@ Random password/token generation
 				rng.GetBytes(buffer);
 
 				//Then we base64 encode the string in order to prevent null bytes
-				string password = System.Convert.ToBase64String(buffer);
+				string randomString = System.Convert.ToBase64String(buffer);
 
-				return password;
+				return randomString;
 			}
 		}
 	}

skf/markdown/code_examples/asp/29-code_example--Sandboxing--.md

@@ -6,14 +6,15 @@ Sandboxing
 
 
     <iframe sandbox="value"> 
-
+
+	/*
 	sandbox=""  Applies all restrictions
 	allow-forms  Re-enables form submission
 	allow-pointer-lock  Re-enables APIs
 	allow-popups  Re-enables popups
 	allow-same-origin  Allows the iframe content to be treated as being from the same origin
 	allow-scripts  Re-enables scripts
 	allow-top-navigation  Allows the iframe content to navigate its top-level browsing context
-
+	*/
 
 

skf/markdown/code_examples/asp/35-code_example--Aggregate_user_controls--.md

@@ -59,7 +59,8 @@ Aggregate user controlls
 			
 
 			//Here we connect to the database by means of a connection string as configured in the web.config
-			SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
+			SqlConnection conn = new SqlConnection
+			(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
 
 			//The count integer is set every time the user connects to the databse to process data
 			public void aggregateControll(int count)
@@ -119,7 +120,8 @@ Aggregate user controlls
 					{
 
 						//this breach has to be repported into the log files
-						Log.SetLog(Session['userID'], "User account was locked out due to aggregate user control system", date, FAIL, HIGH");
+						Log.SetLog(Session['userID'], 
+						"User account was locked out due to aggregate user control system", date, FAIL, HIGH");
 
 						/*
 						Whenever te reasonable number of connections the user made was surpassed we destroy all the 

skf/markdown/code_examples/asp/49-code_example--re_authentication--.md

@@ -39,7 +39,8 @@ Re-authentication
 			public bool reAuthentication()
 			{
 				//Here we connect to the database by means of a connection string as configured in the web.config
-				SqlConnection conn = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
+				SqlConnection conn = new SqlConnection
+				(System.Configuration.ConfigurationManager.ConnectionStrings["users"].ConnectionString);
 
 				bool loggedin = false;
 				string passwordHash = "";