Dangerous inputs in ASP.NET web forms

cesark

Hi!

I have important doubts about how to handle security in ASP.NET /
VB.NET web forms. Can somebody help me?

1. If you have set ‘validateRequest=true’ in .NET Framework 1.1,
what can you do to improve security? Because although you have
validations on the server side, you can enter dangerous characters in a
text field, with the exception of telephone numbers or similar.

2. And in the case you don’t allow entering dangerous characters like
‘<’ and ‘>’ through the server-side validations, if you have
.NET Framework 1.1 with ‘validateRequest=true’ it will show the
confusing error page to the user before the server validations do their
work.

3. Then if you decide to set ‘validateRequest’ to false, it is a very
dangerous practice because you can have a hole somewhere in which
the malicious user can do something.

4. On the other hand, I don’t understand the real utility of
‘Server.HtmlEncode’, because since you have ‘validateRequest=true’
it’s impossible to enter ‘<’ and ‘>’ characters if somebody
needs them, so what utility does it have?


So, what can I do? I’m very confused about these 4 aspects.

Thank you in advance,
Cesar

jack

Where do I put the validateRequest=false? I am having this problem with
a DataGrid.

Thanks in advance for all your help,

Jack

jack

Sorry...I got it.

Thanks!!!

jack said:
Where do I put the validateRequest=false? I am having this problem with
a DataGrid.

Thanks in advance for all your help,

Jack

Chris Jackson said:
You can use individual validator controls and validate each text box object
according to the rules it should abide by. For example, you could put a
regular expression validator on a control that is meant to hold a phone
number to ensure that only a valid phone number is entered here.


You could run your individual control validators on the client side, which
basically injects a bit of JavaScript that will pop up a dialog box alerting
the user that they have entered something invalid before it ever gets to the

Yes, but sometimes it is necessary, and you should supplant its
functionality with thorough validation of your controls.


&lt; and &gt; are not the only substitutions that HtmlEncode makes, and
it
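The combination the thread circles around, as an added example that is not from the thread or any of its posters: a .NET 1.1 Web Forms page with ValidateRequest switched off for that page only (so the user sees the validator's message instead of the framework error page), server-side validators on each input, and Server.HtmlEncode on everything echoed back. The control names, the phone regex and the page layout are assumptions.

```aspx
<%@ Page Language="VB" ValidateRequest="false" %>
<%-- Request validation is off for this page only. The site-wide
     .NET 1.1 equivalent is <system.web><pages validateRequest="false" /></system.web>
     in web.config; prefer the per-page form so other pages keep the default. --%>
<script runat="server">
    ' Runs after the validator controls have run on the server.
    Sub Submit_Click(sender As Object, e As EventArgs)
        ' Client-side validation is only JavaScript and can be skipped,
        ' so the server must check Page.IsValid before trusting anything.
        If Not Page.IsValid Then Return

        ' With request validation off, "lblComment.Text = txtComment.Text"
        ' would write whatever was typed into the page as live markup.
        ' HtmlEncode turns < > & and " into entities, so the browser
        ' displays the text instead of interpreting it.
        lblPhone.Text = Server.HtmlEncode(txtPhone.Text)
        lblComment.Text = Server.HtmlEncode(txtComment.Text)
    End Sub
</script>
<html><body>
<form runat="server">
  Phone: <asp:TextBox id="txtPhone" runat="server" />
  <asp:RegularExpressionValidator runat="server"
       ControlToValidate="txtPhone"
       ValidationExpression="^\d{3}-\d{3}-\d{4}$"
       ErrorMessage="Phone must look like 555-555-5555" />
  <br />
  Comment: <asp:TextBox id="txtComment" runat="server" TextMode="MultiLine" />
  <%-- Free text cannot be pinned down like a phone number, so the validator
       only rejects angle brackets; the output encoding above still has to
       cover quotes, ampersands and anything the regex lets through. --%>
  <asp:RegularExpressionValidator runat="server"
       ControlToValidate="txtComment"
       ValidationExpression="^[^&lt;&gt;]{0,500}$"
       ErrorMessage="Comment may not contain angle brackets" />
  <br />
  <asp:Button runat="server" Text="Submit" OnClick="Submit_Click" />
  <hr />
  <asp:Label id="lblPhone" runat="server" /><br />
  <asp:Label id="lblComment" runat="server" />
</form>
</body></html>
```

RegularExpressionValidator passes an empty field, so pair it with a RequiredFieldValidator where a value is mandatory.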