Dangerous inputs in asp.net web forms

1. If you have setting 'validateRequest=true' in .net framework1.1,
What can do you do to improve the security? Because although you have
validations on server side you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
You can use individual validator controls and validate each text box

object according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.

2. And in the case you don' t allow enter dangerous characters like
'<' and '>' through the server side validations, if you have
the .net framework1.1 with 'validateRequest=true' it will show the
error confusing page to the user before the server validations do the
work.
You could run your individual control validators on the client side, which
basically injects a bit of javascript that will pop up a dialog box

alerting the user that they have entered something invalid before it ever gets to the server.

3. Then if you decide set the 'validateRequest' to false, is a very
dangerous practice because you can have a hole in somewhere in which
the malicious user can do something.
Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.

4. On the other hand, I don' t understand the real utility of the
'Server.HtmlEncode' because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
need them, so What utility has?

&lt; and &gt; are not the only substitutions that HtmlEncode makes, and it

s purpose is not only for validation. For example, if you want to put a string as your query string, you would want to HtmlEncode it first. If you wanted
to output a bit of HTML code that you want shown but not executed, you would want to HtmlEncode it first. And so forth.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

Where do I put the: validateRequest=false ? I am having this problem with a DataGrid.

Thanks in advance for all you help,

Jack

"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
news:Oh**************@TK2MSFTNGP09.phx.gbl...

1. If you have setting 'validateRequest=true' in .net framework1.1,
What can do you do to improve the security? Because although you have
validations on server side you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
You can use individual validator controls and validate each text box

object

according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.

2. And in the case you don' t allow enter dangerous characters like
'<' and '>' through the server side validations, if you have
the .net framework1.1 with 'validateRequest=true' it will show the
error confusing page to the user before the server validations do the
work.

You could run your individual control validators on the client side, which basically injects a bit of javascript that will pop up a dialog box

alerting

the user that they have entered something invalid before it ever gets to

the

server.

3. Then if you decide set the 'validateRequest' to false, is a very
dangerous practice because you can have a hole in somewhere in which
the malicious user can do something.

Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.

4. On the other hand, I don' t understand the real utility of the
'Server.HtmlEncode' because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
need them, so What utility has?

&lt; and &gt; are not the only substitutions that HtmlEncode makes, and it s

purpose is not only for validation. For example, if you want to put a

string

as your query string, you would want to HtmlEncode it first. If you

wanted to output a bit of HTML code that you want shown but not executed, you

would

want to HtmlEncode it first. And so forth.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

1. If you have setting 'validateRequest=true' in .net framework1.1,
What can do you do to improve the security? Because although you have
validations on server side you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
You can use individual validator controls and validate each text box

object according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.

2. And in the case you don' t allow enter dangerous characters like
'<' and '>' through the server side validations, if you have
the .net framework1.1 with 'validateRequest=true' it will show the
error confusing page to the user before the server validations do the
work.
You could run your individual control validators on the client side, which
basically injects a bit of javascript that will pop up a dialog box

alerting the user that they have entered something invalid before it ever gets to the server.

3. Then if you decide set the 'validateRequest' to false, is a very
dangerous practice because you can have a hole in somewhere in which
the malicious user can do something.
Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.

4. On the other hand, I don' t understand the real utility of the
'Server.HtmlEncode' because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
need them, so What utility has?

&lt; and &gt; are not the only substitutions that HtmlEncode makes, and it

s purpose is not only for validation. For example, if you want to put a string as your query string, you would want to HtmlEncode it first. If you wanted
to output a bit of HTML code that you want shown but not executed, you would want to HtmlEncode it first. And so forth.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

Where do I put the: validateRequest=false ? I am having this problem with a DataGrid.

Thanks in advance for all you help,

Jack

"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
news:Oh**************@TK2MSFTNGP09.phx.gbl...

1. If you have setting 'validateRequest=true' in .net framework1.1,
What can do you do to improve the security? Because although you have
validations on server side you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
You can use individual validator controls and validate each text box

object

according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.

2. And in the case you don' t allow enter dangerous characters like
'<' and '>' through the server side validations, if you have
the .net framework1.1 with 'validateRequest=true' it will show the
error confusing page to the user before the server validations do the
work.

You could run your individual control validators on the client side, which basically injects a bit of javascript that will pop up a dialog box

alerting

the user that they have entered something invalid before it ever gets to

the

server.

3. Then if you decide set the 'validateRequest' to false, is a very
dangerous practice because you can have a hole in somewhere in which
the malicious user can do something.

Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.

4. On the other hand, I don' t understand the real utility of the
'Server.HtmlEncode' because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
need them, so What utility has?

&lt; and &gt; are not the only substitutions that HtmlEncode makes, and it s

purpose is not only for validation. For example, if you want to put a

string

as your query string, you would want to HtmlEncode it first. If you

wanted to output a bit of HTML code that you want shown but not executed, you

would

want to HtmlEncode it first. And so forth.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--