skillfreak

[.net] asp.net submitted values


Where can I find a discussion of the security of asp.net web forms? Can I use the values from controls outright in db calls and such? I.e. a radio button list, with an incrementing number value for each item in the group. When I reference RadioList1.Text, can I be sure it will be only an option that was available to the user? (Available excludes hidden controls as well.) So if the only options they had held values 1 - 3, and they craft back a 4, will it spit in their face? Or will asp.net blindly grab it (doubting)? I would like to know more about this handling. thx

First off, I'm not a security expert and don't have any professional experience with ASP.NET security, so help would be appreciated :)

MSDN has a section titled ASP.NET Web Application Security, although they discuss stuff like authentication and the security architecture of ASP.NET. I have the feeling you're more interested in security on the code level. CodeProject also has an ASP.NET security section.

Regarding using user-input in database calls, you basically can't trust it due to the possibility of SQL injection. The way I've protected myself in the past is by using parameterized queries:


using System.Data.SqlClient;

SqlConnection connection;   // an open connection to the database
string userProvidedData;    // the raw value from the request; never concatenated into the SQL text

// The statement text is fixed; the user's value travels as a parameter and is
// treated by SQL Server as data, not as part of the statement.
SqlCommand command = new SqlCommand("select * from Hotels where Name like @hotelname", connection);
command.Parameters.AddWithValue("@hotelname", userProvidedData);

The SQL injection article lists some other ways to protect against it. Oh and regarding your radio button question, I do not know. Of course, it doesn't hurt to perform your own validation as well.

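To show the difference the post above is getting at, here is an added example (not code from the original post): the string-concatenation query that is open to SQL injection, beside a parameterised version that also disposes the connection and command. The table and column names (Hotels, HotelId, Name) and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class HotelSearch
{
    // VULNERABLE: the user's text becomes part of the SQL statement itself, so
    // quotes and keywords in the input change what the server executes.
    public static string BuildUnsafeQuery(string userProvidedData)
    {
        return "select * from Hotels where Name like '%" + userProvidedData + "%'";
    }

    // SAFE: the statement text never changes; the input is sent as a typed
    // parameter and is only ever treated as a string value.
    public static DataTable FindHotels(string connectionString, string userProvidedData)
    {
        var results = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(
            "select HotelId, Name from Hotels where Name like @hotelname", connection))
        {
            // Explicit type and length: no implicit conversion, and oversize
            // input is truncated to the declared size rather than sent as-is.
            SqlParameter p = command.Parameters.Add("@hotelname", SqlDbType.NVarChar, 100);
            p.Value = "%" + userProvidedData + "%";

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                results.Load(reader);
            }
        }
        return results;
    }
}
```

One caveat the parameter does not cover: `%` and `_` inside the user's text are still LIKE wildcards. That is not injection (the statement is unchanged), but if exact matching matters those characters need escaping or a plain equality comparison instead of LIKE.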
No, you should never trust input from the user.
ALWAYS validate.

The Validation controls can help a lot. By binding these to input controls you can force a check on types, ranges, patterns (regex) and custom validation.

A common mistake is to forget to check the validity of a page server side. These validation controls have client side and server side checks and you should always do the server side check because the client's browser might have javascript disabled (no checking there). The way to do this is easy: in the Page.Load event handler check whether the request is a postback and then validate the page like this:

if (this.IsPostBack)
{
    // In ASP.NET 2.0 and later, reading IsValid before validation has run
    // throws an InvalidOperationException, so trigger it explicitly here.
    this.Validate();
    if (this.IsValid)
    {
        // ... process the submitted values
    }
    else
    {
        // show error messages (e.g. through a ValidationSummary control)
    }
}


To prevent SQL injection always use stored procedures or Command objects.
To prevent script insertion always HTML encode user entered strings that are displayed on HTML pages.

Read these

Cheers

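An added example of the server-side flow described above (this is not code from the original reply). It assumes an .aspx page that declares a TextBox named Quantity with a RequiredFieldValidator and a RangeValidator (Type="Integer", MinimumValue="1", MaximumValue="10") bound to it, a free-text TextBox named Comment, a Label named Result, and a Button named Submit with CausesValidation="true"; all of those names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class OrderPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            return; // first request: nothing has been submitted yet
        }

        // Run every validator on the server, whatever the browser did or did
        // not do. The button would also trigger this before its click event,
        // but calling it here keeps the check independent of that setting and
        // avoids reading IsValid before validation has happened.
        Validate();
        if (!IsValid)
        {
            // The validators' ErrorMessage values are shown by the page's
            // ValidationSummary; nothing submitted on this request is used.
            Result.Text = "Please correct the errors above.";
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        if (!IsValid)
        {
            return; // never act on a page that failed validation
        }

        // Safe to parse: the RangeValidator (Type=Integer, 1..10) passed on the
        // server, and the RequiredFieldValidator rules out an empty string.
        int quantity = int.Parse(Quantity.Text);

        // Anything typed by the user that is written back into the page is
        // encoded, so "<script>" arrives in the browser as "&lt;script&gt;".
        Result.Text = "You ordered " + quantity + ". Comment: " +
                      HttpUtility.HtmlEncode(Comment.Text);
    }
}
```

Note that the validators other than RequiredFieldValidator treat an empty field as valid, which is why the Quantity box carries both a RequiredFieldValidator and a RangeValidator.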
I appreciate your comments, however this is not quite the answer I am looking for.

I am aware of SQL injection as well as the validation controls, asp.net has means of combating these both - but I am interested in the simple case of... let's use my radio button example again.

I have a RadioButtonList I'll call rbl, and I'll fill "testing"=>1, "this"=>2, "option"=>3 for the text/value pairs.
I'll also add a button for action.

protected void Button_Click(object sender, EventArgs e)
{
    Response.Write(rbl.Text); // Text on a list control is its SelectedValue
}

Is there ever a time that rbl.Text could be 4 or 0 or "hhahFgT!" by a handcrafted send, outside of my presented options and values?

It just seems bizarre to me that you would throw in a validator which would only fire for someone f'in with a server. Default checks for these cases seem like something that should be built in.

I understand that for things like a textbox, or currency.. validate.
I want an email address, validate.

But for values which have been defined only allowing a user to select one, it seems that default checks should be in place by asp - so are they(?) is my question.
Appreciate the feedback thus far. ^sf.

Well it just depends on where that text value came from.
If these values are retrieved on the server side you have full control.
However if there is a submit from the page, a client could send anything. A really good cracker might even change the viewstate...

If you are worried about that, validate on the server and HTML encode all.

Cheers

BTW: EnableViewStateMAC set to true hashes (and thus secures) the viewstate.

Cheers

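Putting the last two replies together ("validate on the server" and keep the ViewState MAC on), here is an added example of how the radio button case from the question can be handled without trusting anything the browser posts back; it is not code from the original thread. It assumes a page with a RadioButtonList named rbl and a Button whose click handler is Button_Click; the option table (1 "testing", 2 "this", 3 "option") is the one given in the question.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ChoicePage : Page
{
    // The only values this page accepts. Kept in server code, so the check
    // below depends neither on ViewState nor on what the client sent back.
    private static readonly Dictionary<int, string> Options =
        new Dictionary<int, string> { { 1, "testing" }, { 2, "this" }, { 3, "option" } };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            return; // the list is rebuilt from ViewState on postback
        }
        foreach (KeyValuePair<int, string> option in Options)
        {
            rbl.Items.Add(new ListItem(option.Value, option.Key.ToString()));
        }
    }

    // Returns the chosen option id, or null when the posted value is not one
    // of ours: nothing selected (empty string), 0 or 4, or arbitrary text.
    public static int? ParseChoice(string postedValue)
    {
        int id;
        if (postedValue != null && int.TryParse(postedValue, out id) && Options.ContainsKey(id))
        {
            return id;
        }
        return null;
    }

    protected void Button_Click(object sender, EventArgs e)
    {
        // rbl.Text and rbl.SelectedValue are the same thing for a list control.
        int? choice = ParseChoice(rbl.SelectedValue);
        if (choice == null)
        {
            // Same treatment as any other bad input: refuse and stop.
            Response.Write("Invalid selection.");
            return;
        }

        // Even a string we defined ourselves is encoded before it is echoed.
        Response.Write(HttpUtility.HtmlEncode(Options[choice.Value]));
    }
}
```

With this in place the answer to "can rbl.Text ever be 4 or 0 or 'hhahFgT!'?" stops mattering for correctness: whatever the control reports, only a value that exists in the server-side table is acted on. The `enableViewStateMac="true"` setting on the `<pages>` element in web.config (the default) additionally prevents the item list carried in ViewState from being altered in transit, but the explicit check does not rely on it.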