Mike Dee
Hi - I recently took my site live and I'm getting quite a lot of
HttpRequestValidationException errors "A potentially dangerous Request.Form
value...".
I'm seeing quite a lot of these in various places, so I'm quite sure
this is not something malicious but rather a problem with the way the
validation works.
Unfortunately it doesn't show me what the offending input was - is there any
way I can log this so I can see exactly what people are entering, so I can
try and reproduce it? At least it's not showing in the unhandled exception
output in Event Viewer.
I googled and it seems the only solution I've come across is to turn
validation off, which I would rather not do. I certainly want the added
protection, but not at the expense of legitimate users not being able to
register!
My biggest question is this - if I turn off validation and then later use
the inputted values as inputs for a parameterized query, am I still
protected from injection attacks? In other words, I'm not building my SQL
using string concatenation. Rather, I'm using parameterized queries. I think that
protects you even if the form itself is not validated, but wanted to make
sure.
Anyway, I'd certainly appreciate hearing about how others have dealt with
this, and whether there is a lot of known valid input that can cause false
positives here. My form is very basic.
--- Mike
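The two things asked about above, as an added example that is not Mike's code or anything from the original post: a Global.asax handler that logs the raw form values only when request validation has tripped, and a registration insert written with a parameterized query. It assumes ASP.NET 4.5 or later (the `Request.Unvalidated` property was added in 4.5; on MVC 3 the `Request.Unvalidated()` extension from System.Web.Helpers plays the same role), a writable `App_Data` folder, and a `Users` table with `Email` and `DisplayName` columns, all of which are assumptions for illustration. Request validation stays switched on for the page; only the logging read is unvalidated.

```csharp
// Global.asax.cs -- added example, not from the original post.
// Assumes ASP.NET 4.5+ and a writable ~/App_Data (both assumptions).
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Text;
using System.Web;

namespace MySite
{
    public class Global : HttpApplication
    {
        protected void Application_Error(object sender, EventArgs e)
        {
            Exception ex = Server.GetLastError();
            // Page-level errors usually arrive wrapped in HttpUnhandledException.
            if (ex is HttpUnhandledException && ex.InnerException != null)
                ex = ex.InnerException;
            if (!(ex is HttpRequestValidationException))
                return; // every other exception follows the normal error path

            HttpContext ctx = HttpContext.Current;
            if (ctx == null)
                return;

            var sb = new StringBuilder();
            sb.AppendLine(DateTime.UtcNow.ToString("o") + " " + ctx.Request.RawUrl);
            sb.AppendLine("  client: " + ctx.Request.UserHostAddress);

            // Request.Unvalidated skips request validation for *this read only*,
            // so the raw values can be recorded without turning validation off.
            var form = ctx.Request.Unvalidated.Form;
            foreach (string key in form.AllKeys)
            {
                string value = form[key] ?? string.Empty;
                // Encode before logging so a crafted value cannot forge extra log
                // lines or run as markup in whatever later displays the log.
                sb.AppendLine("  " + key + " = " + HttpUtility.HtmlEncode(value));
            }

            File.AppendAllText(
                Server.MapPath("~/App_Data/request-validation.log"),
                sb.ToString());
            // Server.ClearError() is deliberately not called: the user still sees
            // the error page and the exception still reaches the event log.
        }
    }

    public static class UserRepository
    {
        // Registration insert with a parameterized query. The values travel to
        // SQL Server as typed parameters, never as SQL text, so characters such
        // as ' or -- in them cannot change the statement.
        public static int InsertUser(string connectionString, string email, string displayName)
        {
            const string sql =
                "INSERT INTO Users (Email, DisplayName) VALUES (@Email, @DisplayName)";

            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                // Explicit types and lengths avoid AddWithValue's type guessing
                // and keep the plan cache stable.
                cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
                cmd.Parameters.Add("@DisplayName", SqlDbType.NVarChar, 100).Value = displayName;
                conn.Open();
                return cmd.ExecuteNonQuery();
            }
        }
    }
}
```

Two caveats worth keeping in mind. Parameterization protects the statement you send; it does not help if that statement is a stored procedure that concatenates the parameter into dynamic SQL and runs it with EXEC, so check the procedure bodies too. And request validation and SQL parameters address different things: the validator is aimed at markup that would become cross-site scripting when the value is rendered, so a value that is safely stored through a parameterized insert still has to be HTML-encoded when it is written back into a page.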