[.net] asp.net submitted values

Started by
4 comments, last by ernow 18 years, 8 months ago
Where can I find a discussion of the security of ASP.NET web forms? Can I use the values from controls outright in DB calls and such? I.e. a radio button list, with an incrementing number value for each item in the group. When I reference RadioList1.Text, can I be sure it will be only an option that was available to the user? (Available excludes hidden controls as well.) So if the only options they had held values 1 - 3, and they craft back a 4, will it spit in their face? Or will ASP.NET blindly grab it (doubting)? I would like to know more about this handling. thx
First off, I'm not a security expert and don't have any professional experience with ASP.NET security, so help would be appreciated :)

MSDN has a section titled ASP.NET Web Application Security, although they discuss stuff like authentication and the security architecture of ASP.NET. I have the feeling you're more interested in security on the code level. CodeProject also has an ASP.NET security section.

Regarding using user-input in database calls, you basically can't trust it due to the possibility of SQL injection. The way I've protected myself in the past is by using parameterized queries:

using System.Data.SqlClient;

string userProvidedData = Request.Form["hotelname"]; // untrusted value straight from the client
using (SqlConnection connection = new SqlConnection(connectionString)) // connectionString: your own connection string
using (SqlCommand command = new SqlCommand("select * from Hotels where Name like @hotelname", connection))
{
    // The value is bound as a parameter, never concatenated into the SQL text
    command.Parameters.AddWithValue("@hotelname", userProvidedData); // .NET 2.0+; on 1.x use Parameters.Add("@hotelname", userProvidedData)
    connection.Open();
    using (SqlDataReader reader = command.ExecuteReader())
    {
        // read the rows
    }
}


The SQL injection article lists some other ways to protect against it. Oh and regarding your radio button question, I do not know. Of course, it doesn't hurt to perform your own validation as well.

No, you should never trust input from the user.
ALWAYS validate.

The Validation controls can help a lot. By binding these to input controls you can force a check on types, ranges, patterns (regex) and custom validation.

A common mistake is to forget to check the validity of a page server side. These validation controls have client side and server side checks and you should always do the server side check because the client's browser might have JavaScript disabled (no checking there). The way to do this is easy: in the Page.Load event handler check whether the request is a postback and then validate the page like this:

if (this.IsPostBack)
{
    if (this.IsValid)
    {
        // ...
    }
    else
    {
        // error messages
    }
}

To prevent SQL injection always use stored procedures or Command objects.
To prevent script insertion always Html encode user entered strings that are displayed on HTML pages.

Read these

Cheers
I appreciate your comments, however this is not quite the answer I am looking for.

I am aware of the SQL injection as well as the validation controls, ASP.NET has means of combating these both - but I am interested in the simple case of... let's use my radio button example again.

I have a RadioButtonList I'll call rbl, and I'll fill "testing"=>1, "this"=>2, "option"=>3 for the text/value pairs.
I'll also add a button for action.

protected void Button1_Click(object sender, EventArgs e)
{
    Response.Write(rbl.Text); // rbl.Text is the value of the selected item
}

Is there ever a time that rbl.Text could be 4 or 0 or "hhahFgT!" by a handcrafted send, outside of my presented options and values?

It just seems bizarre to me that you would throw in a validator which would only fire for someone f'in with a server. Default checks for these cases seem like something that should be built in.

I understand that for things like a textbox, or currency.. validate.
I want an email address, validate.

But for values which have been defined only allowing a user to select one, seems that default checks should be in place by ASP - so are they(?) is my question.
Appreciate the feedback thus far. ^sf.
Well it just depends on where that text value came from.
If these values are retrieved on the server side you have full control.
However if there is a submit from the page, a client could send anything. A really good cracker might even change the viewstate...

If you are worried about that, validate on the server and HTML encode all.

Cheers
BTW: EnableViewStateMAC set to true hashes (and thus secures) the viewstate.

Cheers
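The server-side check ernow describes, as an added example that is not code from the thread: the allowed values live only on the server, the list is rebuilt from them on every request, and the raw posted value is whitelisted before anything is done with it. It assumes an .aspx page (AutoEventWireup on) with a RadioButtonList named rbl and a Button named btnGo wired to btnGo_Click.

```csharp
// Added example, not code from the thread. Assumes an .aspx page with a
// RadioButtonList "rbl" and a Button "btnGo" whose Click is wired to btnGo_Click.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class RadioPage : Page
{
    // The only values we ever render; kept on the server rather than in
    // ViewState, so a client cannot widen the set by editing what it sends back.
    private static readonly string[] Allowed = { "1", "2", "3" };
    private static readonly string[] Labels  = { "testing", "this", "option" };

    // Init runs before ViewState and post data are loaded, so the list is
    // rebuilt from Allowed on every request (initial GET and each postback).
    protected void Page_Init(object sender, EventArgs e)
    {
        rbl.Items.Clear();
        for (int i = 0; i < Allowed.Length; i++)
            rbl.Items.Add(new ListItem(Labels[i], Allowed[i]));
    }

    // Returns the chosen option as an int, or -1 if the raw postback carried
    // anything other than a rendered value (a hand-crafted "4", "0", "hhahFgT!").
    internal static int ValidateChoice(string posted, string[] allowed)
    {
        if (posted == null || Array.IndexOf(allowed, posted) < 0)
            return -1;
        int n;
        if (!int.TryParse(posted, out n) || n < 1 || n > allowed.Length)
            return -1;
        return n;
    }

    protected void btnGo_Click(object sender, EventArgs e)
    {
        if (!IsValid) return;   // server-side pass over any validator controls

        // Look at what the browser actually sent for the radio group before
        // trusting rbl.Text / rbl.SelectedValue, which ASP.NET derived from it.
        string posted = Request.Form[rbl.UniqueID];
        int choice = ValidateChoice(posted, Allowed);
        if (choice < 0)
        {
            Response.StatusCode = 400;  // not one of our options: use nothing from it
            return;
        }
        // Only now is the value safe to use; encode it on output and bind it
        // as a parameter if it ever goes into SQL.
        Response.Write(Server.HtmlEncode("You chose option " + choice));
    }
}
```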
