Dangerous inputs in ASP.NET web forms

Thread starter: cesark

cesark

Hi !

I have important doubts about how to handle security in ASP.NET
VB.NET web forms. Can somebody help me?

1. If you have the setting ‘validateRequest=true’ in .NET Framework 1.1,
what can you do to improve the security? Because although you have
validations on the server side, you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.

2. And in the case that you don’t allow entering dangerous characters like
‘<’ and ‘>’ through the server-side validations, if you have
.NET Framework 1.1 with ‘validateRequest=true’ it will show the
confusing error page to the user before the server validations do their
work.

3. Then if you decide to set ‘validateRequest’ to false, it is a very
dangerous practice because you can have a hole somewhere in which
the malicious user can do something.

4. On the other hand, I don’t understand the real utility of
‘Server.HtmlEncode’, because since you have ‘validateRequest=true’
it’s impossible to enter ‘<’ and ‘>’ characters if somebody
needs them, so what utility does it have?


So, what can I do? I’m very confused by these 4 aspects.

Thank you in advance,
Cesar
 
Chris Jackson

1. If you have the setting ‘validateRequest=true’ in .NET Framework 1.1,
what can you do to improve the security? Because although you have
validations on the server side, you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.

You can use individual validator controls and validate each text box object
according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.
2. And in the case that you don’t allow entering dangerous characters like
‘<’ and ‘>’ through the server-side validations, if you have
.NET Framework 1.1 with ‘validateRequest=true’ it will show the
confusing error page to the user before the server validations do their
work.

You could run your individual control validators on the client side, which
basically injects a bit of javascript that will pop up a dialog box alerting
the user that they have entered something invalid before it ever gets to the
server.
3. Then if you decide to set ‘validateRequest’ to false, it is a very
dangerous practice because you can have a hole somewhere in which
the malicious user can do something.

Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.
4. On the other hand, I don’t understand the real utility of
‘Server.HtmlEncode’, because since you have ‘validateRequest=true’
it’s impossible to enter ‘<’ and ‘>’ characters if somebody
needs them, so what utility does it have?

&lt; and &gt; are not the only substitutions that HtmlEncode makes, and its
purpose is not only for validation. For example, if you want to put a string
as your query string, you would want to HtmlEncode it first. If you wanted
to output a bit of HTML code that you want shown but not executed, you would
want to HtmlEncode it first. And so forth.
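Putting the three answers above together, as an added example that is not code from the thread (the control names, the phone pattern and the page layout are my own assumptions): an ASP.NET 1.1 Web Forms page in VB.NET that switches request validation off for this page only, validates the phone box against an allow-list pattern, and HTML-encodes everything it echoes back.

```aspx
<%-- Added example, not from the thread: request validation is off for this
     page only, so the user gets validator messages instead of the framework's
     error page; the protection is replaced by an allow-list validator on the
     phone box plus Server.HtmlEncode on every value written back out. --%>
<%@ Page Language="VB" ValidateRequest="false" %>
<script runat="server">
    Sub Submit_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' The validators run again on the server; never rely on the client-side script alone.
        If Not Page.IsValid Then Return
        ' Phone matched the allow-list pattern, so it cannot contain markup.
        ' Comment may contain "<" and ">"; that is harmless as long as it is
        ' encoded on output: "<b>" becomes "&lt;b&gt;" and is displayed, not rendered.
        Echo.Text = "Phone: " & Server.HtmlEncode(Phone.Text) & _
                    "<br />Comment: " & Server.HtmlEncode(Comment.Text)
    End Sub
</script>
<html><body>
<form runat="server">
    Phone: <asp:TextBox ID="Phone" runat="server" />
    <%-- RegularExpressionValidator accepts empty input, so pair it with a RequiredFieldValidator. --%>
    <asp:RequiredFieldValidator runat="server" ControlToValidate="Phone"
        ErrorMessage="Phone is required" Display="Dynamic" />
    <asp:RegularExpressionValidator runat="server" ControlToValidate="Phone"
        ValidationExpression="^\+?[0-9 ()-]{6,20}$"
        ErrorMessage="Digits, spaces, +, ( ) and - only" Display="Dynamic" />
    <br />
    Comment: <asp:TextBox ID="Comment" runat="server" TextMode="MultiLine" />
    <br />
    <asp:Button ID="Submit" runat="server" Text="Send" OnClick="Submit_Click" />
    <hr />
    <asp:Label ID="Echo" runat="server" />
</form>
</body></html>
```

To turn request validation off for the whole application instead of one page, the same switch is `<pages validateRequest="false" />` under `<system.web>` in web.config, with the same obligation to validate and encode in every page it covers.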
 
Where do I put the validateRequest=false? I am having this problem with
a DataGrid.

Thanks in advance for all your help,

Jack
 
Sorry... I got it.

Thanks!!!