
Dangerous inputs in asp.net web forms

Hi!

I have important doubts about how to handle security in ASP.NET /
VB.NET web forms. Can somebody help me?

1. If you have the setting 'validateRequest=true' in .NET Framework 1.1,
what can you do to improve security? Because although you have
validations on the server side, you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.

2. And in the case where you don't allow dangerous characters like
'<' and '>' to be entered, through the server-side validations, if you have
.NET Framework 1.1 with 'validateRequest=true' it will show the
confusing error page to the user before the server validations do their
work.

3. Then if you decide to set 'validateRequest' to false, it is a very
dangerous practice because you can have a hole somewhere through which
a malicious user can do something.

4. On the other hand, I don't understand the real utility of
'Server.HtmlEncode', because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
needs them, so what utility does it have?

So, what can I do? I'm very confused about these 4 aspects.

Thank you in advance,
Cesar
Posted Via Usenet.com Premium Usenet Newsgroup Services
Nov 18 '05 #1
4 Replies


Where do I put the validateRequest=false? I am having this problem with
a DataGrid.

Thanks in advance for all your help,

Jack

"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
news:Oh**************@TK2MSFTNGP09.phx.gbl...
> > 1. If you have the setting 'validateRequest=true' in .NET Framework 1.1,
> > what can you do to improve security? Because although you have
> > validations on the server side, you can enter dangerous characters in a
> > text field, with the exception of telephone numbers or similar.
>
> You can use individual validator controls and validate each text box
> object according to the rules it should abide by. For example, you could put a
> regular expression validator on a control that is meant to hold a phone
> number to ensure that only a valid phone number is entered there.
>
> > 2. And in the case where you don't allow dangerous characters like
> > '<' and '>' to be entered, through the server-side validations, if you have
> > .NET Framework 1.1 with 'validateRequest=true' it will show the
> > confusing error page to the user before the server validations do their
> > work.
>
> You could run your individual control validators on the client side, which
> basically injects a bit of JavaScript that will pop up a dialog box
> alerting the user that they have entered something invalid before it ever
> gets to the server.
>
> > 3. Then if you decide to set 'validateRequest' to false, it is a very
> > dangerous practice because you can have a hole somewhere through which
> > a malicious user can do something.
>
> Yes, but sometimes it is necessary, and you should supplant its
> functionality with thorough validation of your controls.
>
> > 4. On the other hand, I don't understand the real utility of
> > 'Server.HtmlEncode', because since you have 'validateRequest=true'
> > it's impossible to enter '<' and '>' characters if somebody
> > needs them, so what utility does it have?
>
> &lt; and &gt; are not the only substitutions that HtmlEncode makes, and its
> purpose is not only for validation. For example, if you want to put a string
> as your query string, you would want to HtmlEncode it first. If you wanted
> to output a bit of HTML code that you want shown but not executed, you would
> want to HtmlEncode it first. And so forth.
> --
> Chris Jackson
> Software Engineer
> Microsoft MVP - Windows Client
> Windows XP Associate Expert
> --
> More people read the newsgroups than read my email.
> Reply to the newsgroup for a faster response.
> (Control-G using Outlook Express)
> --

Nov 18 '05 #2
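A worked version of what the quoted reply recommends, added here as an illustration for this thread (it is not Chris Jackson's, Cesar's or Jack's code): a single-file ASP.NET 1.1 Web Form in VB that turns request validation off for this one page, constrains a phone field with a RequiredFieldValidator plus a RegularExpressionValidator (client-side JavaScript and server-side re-check), refuses to proceed unless Page.IsValid, and runs untrusted text through Server.HtmlEncode before writing it into a Label. The control names, the phone regular expression and the page layout are my own assumptions. It also goes slightly beyond the thread by showing the web.config alternative that answers the DataGrid question and the extra setting ASP.NET 4.0 and later require for a page-level ValidateRequest="false".

```aspx
<%@ Page Language="VB" ValidateRequest="false" %>
<%--
  Added example for this thread, not code from the original posts.
  ValidateRequest="false" in the @ Page directive disables request validation
  for this page only. To disable it for every page (for example when a
  DataGrid posts back cell values containing '<'), use web.config instead:
      <system.web>
        <pages validateRequest="false" />
      </system.web>
  On ASP.NET 4.0 and later the page-level attribute only takes effect if
  web.config also contains <httpRuntime requestValidationMode="2.0" />.
--%>
<script runat="server">
    ' Server-side handling. The validators also emit client-side JavaScript,
    ' but an attacker can post directly to the page, so the server decides.
    Sub btnSubmit_Click(ByVal sender As Object, ByVal e As EventArgs)
        If Not Page.IsValid Then
            ' A validator failed: the ValidationSummary shows the ErrorMessage
            ' text, and the untrusted input is never echoed back.
            Return
        End If

        ' Phone: the regex below admits only digits, spaces, '+', '(', ')' and
        ' '-', so the value is already constrained, but encoding costs nothing.
        lblPhone.Text = Server.HtmlEncode(txtPhone.Text)

        ' Free text: with request validation off this may contain < > & " etc.
        ' Server.HtmlEncode rewrites them as &lt; &gt; &amp; &quot; so a
        ' submitted "<script>alert(1)</script>" is displayed as text instead of
        ' executed. Label.Text does NOT encode on its own; assigning
        ' txtComment.Text to it directly would be reflected XSS.
        lblComment.Text = Server.HtmlEncode(txtComment.Text)
    End Sub
</script>
<html>
<body>
<form id="frmMain" runat="server">
    <p>
        Phone:
        <asp:TextBox id="txtPhone" runat="server" />
        <%-- A RegularExpressionValidator does not fire on an empty field;
             pair it with a RequiredFieldValidator when the field is mandatory. --%>
        <asp:RequiredFieldValidator id="rfvPhone" runat="server"
            ControlToValidate="txtPhone" Display="Dynamic"
            ErrorMessage="Phone number is required." />
        <asp:RegularExpressionValidator id="revPhone" runat="server"
            ControlToValidate="txtPhone" Display="Dynamic"
            ValidationExpression="^\+?[0-9 ()-]{7,20}$"
            ErrorMessage="Phone may contain only digits, spaces, +, ( ) and -." />
    </p>
    <p>
        Comment:
        <asp:TextBox id="txtComment" runat="server" TextMode="MultiLine" />
        <asp:RequiredFieldValidator id="rfvComment" runat="server"
            ControlToValidate="txtComment" Display="Dynamic"
            ErrorMessage="Comment is required." />
    </p>
    <%-- Validators default to EnableClientScript="true"; ShowMessageBox="true"
         is the JavaScript pop-up mentioned in the reply. The same rules are
         re-evaluated on the server during the postback regardless. --%>
    <asp:ValidationSummary id="vsMain" runat="server"
        ShowMessageBox="true" ShowSummary="true" />
    <asp:Button id="btnSubmit" runat="server" Text="Submit"
        OnClick="btnSubmit_Click" />
    <hr />
    Phone: <asp:Label id="lblPhone" runat="server" /><br />
    Comment: <asp:Label id="lblComment" runat="server" />
</form>
</body>
</html>
```

Two caveats a practitioner will want. First, Server.HtmlEncode is the encoder for HTML body text and for double-quoted attribute values; the 1.1 version encodes <, >, & and " but not the single quote, so never write its output into a single-quoted attribute. A value that goes into a query string is a different context and needs Server.UrlEncode rather than HtmlEncode; picking the encoder by output context is what closes the hole that validateRequest only papers over. Second, in ASP.NET 1.x the validators emit their client-side script only for Internet Explorer (the "uplevel" browser class); every other browser gets the server-side check alone, which is why the Page.IsValid test above is not optional.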

Sorry...I got it.

Thanks!!!

"jack" <ja**@mrolinux.com> wrote in message
news:%2***************@tk2msftngp13.phx.gbl...
> Where do I put the validateRequest=false? I am having this problem with a DataGrid.
>
> Thanks in advance for all your help,
>
> Jack
Nov 18 '05 #3

P: n/a
Where do I put the: validateRequest=false ? I am having this problem with
a DataGrid.

Thanks in advance for all you help,

Jack

"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
news:Oh**************@TK2MSFTNGP09.phx.gbl...
1. If you have setting 'validateRequest=true' in .net framework1.1,
What can do you do to improve the security? Because although you have
validations on server side you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
You can use individual validator controls and validate each text box

object according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.
2. And in the case you don' t allow enter dangerous characters like
'<' and '>' through the server side validations, if you have
the .net framework1.1 with 'validateRequest=true' it will show the
error confusing page to the user before the server validations do the
work.
You could run your individual control validators on the client side, which
basically injects a bit of javascript that will pop up a dialog box

alerting the user that they have entered something invalid before it ever gets to the server.
3. Then if you decide set the 'validateRequest' to false, is a very
dangerous practice because you can have a hole in somewhere in which
the malicious user can do something.
Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.
4. On the other hand, I don' t understand the real utility of the
'Server.HtmlEncode' because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
need them, so What utility has?


&lt; and &gt; are not the only substitutions that HtmlEncode makes, and it

s purpose is not only for validation. For example, if you want to put a string as your query string, you would want to HtmlEncode it first. If you wanted
to output a bit of HTML code that you want shown but not executed, you would want to HtmlEncode it first. And so forth.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--

Nov 18 '05 #4

P: n/a
Sorry...I got it.

Thanks!!!
"jack" <ja**@mrolinux.com> wrote in message
news:%2***************@tk2msftngp13.phx.gbl...
Where do I put the: validateRequest=false ? I am having this problem with a DataGrid.

Thanks in advance for all you help,

Jack

"Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
news:Oh**************@TK2MSFTNGP09.phx.gbl...
1. If you have setting 'validateRequest=true' in .net framework1.1,
What can do you do to improve the security? Because although you have
validations on server side you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.
You can use individual validator controls and validate each text box

object
according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.
2. And in the case you don' t allow enter dangerous characters like
'<' and '>' through the server side validations, if you have
the .net framework1.1 with 'validateRequest=true' it will show the
error confusing page to the user before the server validations do the
work.


You could run your individual control validators on the client side, which basically injects a bit of javascript that will pop up a dialog box

alerting
the user that they have entered something invalid before it ever gets to

the
server.
3. Then if you decide set the 'validateRequest' to false, is a very
dangerous practice because you can have a hole in somewhere in which
the malicious user can do something.


Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.
4. On the other hand, I don' t understand the real utility of the
'Server.HtmlEncode' because since you have 'validateRequest=true'
it's impossible to enter '<' and '>' characters if somebody
need them, so What utility has?


&lt; and &gt; are not the only substitutions that HtmlEncode makes, and it s
purpose is not only for validation. For example, if you want to put a

string
as your query string, you would want to HtmlEncode it first. If you

wanted to output a bit of HTML code that you want shown but not executed, you

would
want to HtmlEncode it first. And so forth.
--
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
--
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
--


Nov 18 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.