Hi!
I have important doubts about how to handle security in ASP.NET
VB.NET web forms. Can somebody help me?
1. If you have the setting 'validateRequest=true' in .NET Framework 1.1,
what can you do to improve security? Because although you have
validations on the server side, you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
2. And in the case where you don't allow dangerous characters like
'<' and '>' through the server-side validations, if you have
.NET Framework 1.1 with 'validateRequest=true' it will show the
confusing error page to the user before the server validations do their
work.
3. Then, if you decide to set 'validateRequest' to false, it is a very
dangerous practice because you can have a hole somewhere in which
the malicious user can do something.
4. On the other hand, I don't understand the real utility of
'Server.HtmlEncode' because, since you have 'validateRequest=true',
it's impossible to enter '<' and '>' characters if somebody
needs them, so what utility does it have?
So, what can I do? I'm very confused by these 4 aspects.
Thank you in advance,
Cesar
Where do I put the validateRequest=false? I am having this problem with
a DataGrid.
Thanks in advance for all your help,
Jack
"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
news:Oh**************@TK2MSFTNGP09.phx.gbl...

> 1. If you have the setting 'validateRequest=true' in .NET Framework 1.1,
> what can you do to improve security? Because although you have
> validations on the server side, you can enter dangerous characters in a
> text field, with the exception of telephone numbers or similar.

You can use individual validator controls and validate each text box
object according to the rules it should abide by. For example, you could
put a regular expression validator on a control that is meant to hold a
phone number to ensure that only a valid phone number is entered there.

> 2. And in the case where you don't allow dangerous characters like
> '<' and '>' through the server-side validations, if you have
> .NET Framework 1.1 with 'validateRequest=true' it will show the
> confusing error page to the user before the server validations do their
> work.

You could run your individual control validators on the client side,
which basically injects a bit of JavaScript that will pop up a dialog box
alerting the user that they have entered something invalid before it ever
gets to the server.

> 3. Then, if you decide to set 'validateRequest' to false, it is a very
> dangerous practice because you can have a hole somewhere in which
> the malicious user can do something.

Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.

> 4. On the other hand, I don't understand the real utility of
> 'Server.HtmlEncode' because, since you have 'validateRequest=true',
> it's impossible to enter '<' and '>' characters if somebody
> needs them, so what utility does it have?

< and > are not the only substitutions that HtmlEncode makes, and its
purpose is not only for validation. For example, if you want to put a
string as your query string, you would want to HtmlEncode it first. If you
wanted to output a bit of HTML code that you want shown but not executed,
you would want to HtmlEncode it first. And so forth.

--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--
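The page below is an added example, not code from the thread or from Chris Jackson, that puts the four answers above together in one .NET Framework 1.1-era Web Forms page. Request validation is switched off with ValidateRequest="false" in the @ Page directive, which scopes it to this one page (the <pages validateRequest="false" /> setting in web.config would switch it off for the whole application, which is the riskier choice). In its place the page carries the compensating controls: a RequiredFieldValidator and an allow-list RegularExpressionValidator on the phone field, a length bound on the free-text field, client-side script left on (the default) so the user sees the message before the postback, Page.IsValid checked on the server so a client that skips the JavaScript still fails, and Server.HtmlEncode applied at the point the text is written into HTML. The control IDs, the handler name and the regular expressions are this example's own assumptions. Two caveats a practitioner should keep in mind: a value placed in a query string belongs in Server.UrlEncode rather than HtmlEncode (the example uses UrlEncode for that case), and on frameworks before 4.0 HtmlEncode does not encode the apostrophe, so write encoded values only into element content or double-quoted attributes.

```aspx
<%@ Page Language="VB" ValidateRequest="false" %>
<%-- ValidateRequest="false" here applies to this page only. Putting
     <pages validateRequest="false" /> in web.config would turn the check
     off for every page in the application. --%>
<script runat="server">
    ' Control IDs and this handler name are assumptions of the example.
    Protected Sub SubmitButton_Click(ByVal sender As Object, ByVal e As EventArgs)
        ' The Button (CausesValidation defaults to True) runs every validator
        ' on the server before raising Click, whether or not the client-side
        ' JavaScript ran. Never rely on the JavaScript alone: any HTTP client
        ' can post the form without executing it.
        If Not Page.IsValid Then
            Result.Text = "Please correct the highlighted fields."
            Return
        End If

        ' With request validation off, free text may contain < > & ".
        ' Keep it raw here; encode only where it becomes HTML output.
        Dim comment As String = CommentBox.Text

        ' HtmlEncode replaces <  >  &  " with entities, so the browser shows
        ' the characters literally instead of parsing them as markup. A Label
        ' renders its Text as-is, which is why encoding is needed here.
        Result.Text = "You wrote: " & Server.HtmlEncode(comment)

        ' A value that goes into a URL needs URL encoding, not HTML encoding.
        ViewLink.NavigateUrl = "view.aspx?phone=" & Server.UrlEncode(PhoneBox.Text)
    End Sub
</script>
<html>
<body>
<form id="MainForm" runat="server">
    Phone:
    <asp:TextBox id="PhoneBox" runat="server" />
    <%-- RegularExpressionValidator passes an empty field, so a
         RequiredFieldValidator is paired with it. --%>
    <asp:RequiredFieldValidator id="PhoneRequired" runat="server"
        ControlToValidate="PhoneBox" Display="Dynamic"
        ErrorMessage="Phone number is required." />
    <%-- Allow-list pattern: optional leading +, then digits, spaces, dashes.
         EnableClientScript="true" (the default) emits the JavaScript that
         shows the message before the postback; the same expression is
         re-checked on the server. --%>
    <asp:RegularExpressionValidator id="PhoneFormat" runat="server"
        ControlToValidate="PhoneBox" Display="Dynamic"
        ValidationExpression="^\+?[0-9][0-9 \-]{6,19}$"
        EnableClientScript="true"
        ErrorMessage="Enter digits, spaces or dashes only." />
    <br />
    Comment:
    <asp:TextBox id="CommentBox" runat="server" TextMode="MultiLine" />
    <%-- A free-text field cannot be allow-listed by character, so at least
         bound its length once request validation is off. --%>
    <asp:RegularExpressionValidator id="CommentLength" runat="server"
        ControlToValidate="CommentBox" Display="Dynamic"
        ValidationExpression="^[\s\S]{0,500}$"
        ErrorMessage="Comment must be 500 characters or fewer." />
    <br />
    <asp:Button id="SubmitButton" runat="server" Text="Submit"
        OnClick="SubmitButton_Click" />
    <br />
    <asp:Label id="Result" runat="server" />
    <asp:HyperLink id="ViewLink" runat="server" Text="View" />
</form>
</body>
</html>
```

Drop the page into an ASP.NET 1.1 application and submit a comment such as <b>hello</b>: instead of the "potentially dangerous Request.Form value" error page, the text is rendered literally, with the tags visible and not interpreted. Submitting a phone value containing letters is stopped client-side, and a request that bypasses the script (for example a hand-built POST) is still rejected by Page.IsValid on the server.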
Sorry...I got it.
Thanks!!!