Lessons learnt whilst migrating a VB.net application from a Windows 2003 server to a load-balanced Windows 2012 server stack. Unfortunately it wasn’t as easy as deploying the old code on a new version of IIS.
One of the first issues that I had to solve was that the Oracle System.Data.OracleClient is now deprecated, therefore I needed to use the Oracle managed data access client Oracle.DataAccess.Client in order to connect to an Oracle DB using IIS 8.5.
My web.config now looks something like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
    <section name="oracle.manageddataaccess.client" type="OracleInternal.Common.ODPMSectionHandler, Oracle.ManagedDataAccess, Version=220.127.116.11, Culture=neutral, PublicKeyToken=89b483f429c47342"/>
  </configSections>
  <connectionStrings>
    <add name="*****" connectionString="Data Source=DataSource;User Id=******;PASSWORD=*******;"/>
  </connectionStrings>
  <appSettings/>
  <system.web>
    <sessionState mode="InProc" cookieless="false" timeout="30"/>
    <compilation strict="false" explicit="true" debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Web.Extensions.Design, Version=18.104.22.168, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Design, Version=22.214.171.124, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Windows.Forms, Version=126.96.36.199, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      </assemblies>
    </compilation>
    <customErrors mode="Off"/>
    <!-- <customErrors mode="On" defaultRedirect="~/Error.aspx"/> -->
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID"/>
    <!--<httpRuntime requestValidationMode="2.0" />-->
  </system.web>
  <oracle.manageddataaccess.client>
    <version number="*">
      <dataSources>
        <dataSource alias="DataSource" descriptor="(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = database.google.com)(PORT = 3426))) (CONNECT_DATA = (SERVICE_NAME = DBTEST)))"/>
      </dataSources>
    </version>
  </oracle.manageddataaccess.client>
  <system.webServer>
    <defaultDocument>
      <files>
        <add value="login.aspx"/>
      </files>
    </defaultDocument>
  </system.webServer>
  <system.data>
    <DbProviderFactories>
      <remove invariant="Oracle.ManagedDataAccess.Client"/>
      <add name="ODP.NET, Managed Driver" invariant="Oracle.ManagedDataAccess.Client" description="Oracle Data Provider for .NET, Managed Driver" type="Oracle.ManagedDataAccess.Client.OracleClientFactory, Oracle.ManagedDataAccess, Version=188.8.131.52, Culture=neutral, PublicKeyToken=89b483f429c47342"/>
    </DbProviderFactories>
  </system.data>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <publisherPolicy apply="no"/>
        <assemblyIdentity name="Oracle.ManagedDataAccess" publicKeyToken="89b483f429c47342" culture="neutral"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
The next task was to figure out where the Oracle database would randomly drop its connection. I did this by debugging the code in VS2017. I then had to open the Oracle data reader at several points, although the connection remained open at that same point when using the old Oracle client.
A potentially dangerous Request.QueryString value was detected from the client.
The application in question was creating one parameter in a report URL, which was formed using the ID of the selected radio button. The HTML generated for the page changed between running the code on the 2003 server and running it on the 2012 server. On the new server I was seeing that the parameter was being taken from the wrong part of the HTML. Therefore it put in **** as a URL parameter. If at any point IIS or your browser sees this type of behavior it throws the above error.
How to fix this?
There are two ways: the easy way and the hard way.
The easy way, which is not recommended
Insert ValidateRequest="false" into the page header of each ASP page, and add the following to your web.config. This shuts off the security feature and will leave your site open to scripting attacks:
<system.web>
  <compilation debug="true" targetFramework="4.0" />
  <httpRuntime requestValidationMode="2.0" />
</system.web>
The hard way: figure out why the code is inserting a piece of HTML as a parameter within a URL. In my code this happened because of the way the HTML had its spaces removed. To grab the ID of the radio button, my code tried to locate a set point in the HTML by searching for ‘value=’ + ID + ” “, because the old markup was written as value=2 >. It couldn’t find that string, as the markup was now written as value=2>.
But this won’t mean anything to you, as your code won’t be throwing an error because of the same reasons as above! Or at least for your sake I hope not!!
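The failure described under "the hard way", as an added example that is not the application's own code: a search for 'value=' + ID + " " misses the markup once the space before > is gone, while a whitespace-tolerant match that accepts digits only can never put markup into the URL. The module name, function names, sample markup and the Report.aspx?id= URL are assumptions made for illustration.

```vbnet
Imports System
Imports System.Text.RegularExpressions

Module ReportUrlExample
    ' Constructed sample markup: the same radio button as written by the old
    ' and the new server. Only the space before ">" differs.
    Const OldMarkup As String = "<input type=radio name=rpt value=2 >Monthly"
    Const NewMarkup As String = "<input type=radio name=rpt value=2>Monthly"

    ' Brittle approach from the text: look for "value=" + ID + " ".
    ' IndexOf returns -1 when that exact marker is not present.
    Function FindMarkerBrittle(html As String, id As String) As Integer
        Return html.IndexOf("value=" & id & " ", StringComparison.Ordinal)
    End Function

    ' Tolerant approach: allow optional quotes and any whitespace before ">",
    ' and capture digits only, so nothing but a number can be extracted.
    Function TryGetRadioValue(html As String, ByRef value As Integer) As Boolean
        Dim pattern As String = "\bvalue\s*=\s*[""']?(\d+)[""']?\s*/?>"
        Dim m As Match = Regex.Match(html, pattern, RegexOptions.IgnoreCase)
        value = 0
        Return m.Success AndAlso Integer.TryParse(m.Groups(1).Value, value)
    End Function

    ' Build the report URL from a validated integer only. If no numeric value
    ' is found, fail closed instead of sending a fragment of HTML as a parameter.
    ' "Report.aspx?id=" is a hypothetical URL used for this example.
    Function BuildReportUrl(html As String) As String
        Dim id As Integer
        If Not TryGetRadioValue(html, id) Then
            Throw New InvalidOperationException(
                "No numeric radio value found; refusing to build the report URL.")
        End If
        Return "Report.aspx?id=" & id.ToString()
    End Function

    Sub Main()
        ' Brittle search: finds the marker in the old markup, not in the new.
        Console.WriteLine("Old markup, brittle index: " & FindMarkerBrittle(OldMarkup, "2"))
        Console.WriteLine("New markup, brittle index: " & FindMarkerBrittle(NewMarkup, "2"))
        ' Tolerant, validated extraction: same URL for both renderings.
        Console.WriteLine(BuildReportUrl(OldMarkup))
        Console.WriteLine(BuildReportUrl(NewMarkup))
    End Sub
End Module
```

With this shape, request validation can stay enabled, because the only thing that ever reaches the query string is an integer.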