Overloading security check on dropdown, is it possible??

Discussion in 'ASP .Net Security' started by Søren M. Olesen, Jul 6, 2006.

  1. Hi

    I'm trying to populate a dropdown list on a page, with the result from an
    AJAX request, however, because my dropdown is runat="server" I get a
    security error when posting back my page.
    I guess that makes sense since a hacker could attempt to compromise the
    webserver this way, however in my situation it's a bit of a problem.....

    Is there a way to make the security check myself, so that I can determine
    whether the data is OK or not??

    TIA

    Søren
    Søren M. Olesen, Jul 6, 2006
    #1

  2. Hi,

    I guess you are getting an ArgumentException?

    You can disable that check by setting EnableEventValidation=false on the
    page - but then - you have to thoroughly verify every single postback.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi
    >
    > I'm trying to populate a dropdown list on a page, with the result from
    > an
    > AJAX request, however, because my dropdown is runat="server" I get a
    > security error when posting back my page.
    > I guess that makes sense since a hacker could attempt to compromise the
    > webserver this way, however in my situation it's a bit of a
    > problem.....
    > Is there a way to make the security check myself, so that I can
    > determine whether the data is OK or not??
    >
    > TIA
    >
    > Søren
    >
    Dominick Baier [DevelopMentor], Jul 6, 2006
    #2

  3. Yeah, I know I can disable the EnableEventValidation, but then I'd have to
    check everything myself, I'd prefer to only check the stuff I know could be
    changed from JScript....

    Regards,

    Søren



    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hi,
    > I guess you are getting an ArgumentException?
    >
    > You can disable that check by setting EnableEventValidation=false on the
    > page - but then - you have to thoroughly verify every single postback.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Hi
    >>
    >> I'm trying to populate a dropdown list on a page, with the result from
    >> an
    >> AJAX request, however, because my dropdown is runat="server" I get a
    >> security error when posting back my page.
    >> I guess that makes sense since a hacker could attempt to compromise the
    >> webserver this way, however in my situation it's a bit of a
    >> problem.....
    >> Is there a way to make the security check myself, so that I can
    >> determine whether the data is OK or not??
    >>
    >> TIA
    >>
    >> Søren
    >>

    >
    >
    Søren M. Olesen, Jul 7, 2006
    #3
  4. I don't think that's gonna work - I haven't tried that though...

    but EventValidation is also in code -

    check the calls to

    ClientScriptManager.RegisterForEventValidate and ValidateEvent.



    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Create a Custom Control that inherits DropDownList and leave off the
    > [SupportsEventValidation]
    > attribute from the class.
    > Use that control rather than DropDownList and you will effectively
    > disable event validation for a single control on your page. Everything
    > else will function as normal.
    >
    > "Søren M. Olesen" wrote:
    >
    >> Yeah, I know I can disable the EnableEventValidation, but then I'd
    >> have to check everything myself, I'd prefer to only check the stuff I
    >> know could be changed from JScript....
    >>
    >> Regards,
    >>
    >> Søren
    >>
    >> "Dominick Baier [DevelopMentor]"
    >> <> wrote in message
    >> news:...
    >>
    >>> Hi,
    >>> I guess you are getting an ArgumentException?
    >>> You can disable that check by setting EnableEventValidation=false on
    >>> the page - but then - you have to thoroughly verify every single
    >>> postback.
    >>>
    >>> ---------------------------------------
    >>> Dominick Baier - DevelopMentor
    >>> http://www.leastprivilege.com
    >>>> Hi
    >>>>
    >>>> I'm trying to populate a dropdown list on a page, with the result
    >>>> from
    >>>> an
    >>>> AJAX request, however, because my dropdown is runat="server" I get
    >>>> a
    >>>> security error when posting back my page.
    >>>> I guess that makes sense since a hacker could attempt to compromise
    >>>> the
    >>>> webserver this way, however in my situation it's a bit of a
    >>>> problem.....
    >>>> Is there a way to make the security check myself, so that I can
    >>>> determine whether the data is OK or not??
    >>>> TIA
    >>>>
    >>>> Søren
    >>>>
    Dominick Baier [DevelopMentor], Jul 7, 2006
    #4
  5. Create a Custom Control that inherits DropDownList and leave off the
    [SupportsEventValidation]
    attribute from the class.

    Use that control rather than DropDownList and you will effectively disable
    event validation for a single control on your page. Everything else will
    function as normal.
    --
    Regards
    Stephen Davies


    "Søren M. Olesen" wrote:

    >
    > Yeah, I know I can disable the EnableEventValidation, but then I'd have to
    > check everything myself, I'd prefer to only check the stuff I know could be
    > changed from JScript....
    >
    > Regards,
    >
    > Søren
    >
    >
    >
    > "Dominick Baier [DevelopMentor]" <>
    > wrote in message news:...
    > > Hi,
    > > I guess you are getting an ArgumentException?
    > >
    > > You can disable that check by setting EnableEventValidation=false on the
    > > page - but then - you have to thoroughly verify every single postback.
    > >
    > > ---------------------------------------
    > > Dominick Baier - DevelopMentor
    > > http://www.leastprivilege.com
    > >
    > >> Hi
    > >>
    > >> I'm trying to populate a dropdown list on a page, with the result from
    > >> an
    > >> AJAX request, however, because my dropdown is runat="server" I get a
    > >> security error when posting back my page.
    > >> I guess that makes sense since a hacker could attempt to compromise the
    > >> webserver this way, however in my situation it's a bit of a
    > >> problem.....
    > >> Is there a way to make the security check myself, so that I can
    > >> determine whether the data is OK or not??
    > >>
    > >> TIA
    > >>
    > >> Søren
    > >>

    > >
    > >

    >
    >
    >
    Stephen Davies, Jul 7, 2006
    #5
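
The single-control approach from post #5 combined with the manual check the original poster asked for, as an added example that is not code from any poster in this thread. `AjaxDropDownList` and `AllowedValues` are hypothetical names, and the page is assumed to fill `AllowedValues` in Page_Init from the same server-side source the AJAX request uses.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Web.UI.WebControls;

// Hypothetical control for this example. It deliberately carries no
// [SupportsEventValidation] attribute, so (per post #5) the page-level event
// validation check is skipped for this control only.
public class AjaxDropDownList : DropDownList
{
    private readonly HashSet<string> allowed =
        new HashSet<string>(StringComparer.Ordinal);

    // Assumed contract: the page fills this in Page_Init with the values the
    // server itself is willing to accept. LoadPostData runs before Page_Load,
    // so Page_Load is too late.
    public ICollection<string> AllowedValues
    {
        get { return allowed; }
    }

    protected override bool LoadPostData(string postDataKey,
                                         NameValueCollection postCollection)
    {
        string[] values = postCollection.GetValues(postDataKey);
        if (values == null)
            return false;                    // nothing posted for this control

        // A single-select list posts exactly one value. Anything else, or a
        // value outside the server-side list, is rejected with the same
        // exception type the built-in check raises.
        if (values.Length != 1 || !allowed.Contains(values[0]))
            throw new ArgumentException(
                "Posted value is not in the server-side list.", postDataKey);

        string posted = values[0];
        string previous = SelectedValue;

        // The option was added by script, so it is not in Items yet.
        if (Items.FindByValue(posted) == null)
            Items.Add(new ListItem(posted, posted));

        SelectedValue = posted;
        return !string.Equals(previous, posted, StringComparison.Ordinal);
    }
}
```

Every other control on the page keeps the framework's event validation, because EnableEventValidation stays at its default.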