Do I need to validate against malicious POST backs using .net form components?

OK, I'm moving from classic ASP to .NET 3.5 (I know, big jump)

In classic ASP you always needed to verify POSTs weren't malicious, however I'm wondering how much checking I need to do with .net.

i.e. I have a textbox called textbox1. I've set textbox1.maxlength=20. I then want to insert textbox1.text into a DB column varchar(20). I feel as if I do not need to verify the length as was needed in classic ASP, because I'm guessing textbox.text won't return a value longer than textbox1.maxlength would allow.

One step further: take dropdownlist1, bind it to a datasource. When I insert dropdownlist1.selectedvalue into a DB, do I need to check that .selectedvalue exists in my datasource, or can I assume that when bound, .selectedvalue will only return items from the value field of the datasource?

Thanks for your help 

wardito
1/18/2008 8:39:24 PM
asp.net.web-forms

6 Replies

Here is a good example of how .net protects against this for you.  Good luck with your upgrade and let me know if you get stuck on anything. 

 http://odetocode.com/Blogs/scott/archive/2006/03/20/3145.aspx

cheers,
BC
http://voidimpossible.com

bcanonica
1/18/2008 9:32:34 PM

Just on a general note, it's a good idea to ALWAYS treat input as bad input.  Check out this sobering article from ScottGu:

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
"Give a man a fish, and he eats for a day. Give him a fishing pole, he will eat for life."
--I'm still a script kiddie at heart.

mjnorman
1/18/2008 9:33:25 PM

Hi

Yes, you are right: the textbox.maxlength will not allow anything longer than what's specified to go through -- except in the case of multi-line textboxes. I think what you really mean by asking about malicious posts is a bit more. Even if the textbox length is within limits (20 in this case), this can become a peep-hole into your table structure and perhaps the base for a successful SQL injection attack on your site. I don't know whether you have Validation controls in classic ASP -- and these are very cool when it comes to effectively blocking any damaging content by permitting only the characters that a user may input. Then, there are new features which can be used to make 'session hijacking' virtually impossible, especially by enabling ViewStateUserKey. Hence, only legitimate users of your site make page requests -- and the question of whether the submitted value exists in your datasource disappears.

As someone said, however, security is just a matter of making the bar higher.  Not impossible, but higher.  Hence, it will be prudent to keep your existing checks as they are -- just to be ready when some really nasty stuff comes along.

Somewhere, something incredible is waiting to be known -- Carl Sagan

mfouwaaz
1/18/2008 9:37:39 PM

The TextBox's MaxLength property does NOT prevent larger postbacks on a single-line (<input type='text'>) textbox. It prevents typing in a value too large. A user (hacker) can set the value property of the <input> tag to anything they want and it will be sent back. The server-side TextBox control never verifies the length to my knowledge, so you should act defensively.

Since the ASP days, hackers have become more educated on how to launch an "input attack" (SQL Injection, cross site scripting, etc). Microsoft has worked on the problem, especially with its validateRequest="true" property in the <@Page > tag. Yet, that can block good text. (Suppose you want the user to be able to type in actual HTML. It would be blocked by the validateRequest property.)

If you have to turn off validateRequest, you are responsible for the security issues. There are many as hackers attack through hidden fields, querystring parameters, and cookies, all of which are checked by validateRequest. I have implemented a commercial solution in my Peter's Data Entry Suite. Even if you don't want to buy software for this, download the trial version and use its "Input Security User's Guide" to educate you on the issues.

--- Peter Blum
Creator of Peter's Data Entry Suite (formerly Professional Validation And More and Peter's Date Package) and Peter's Polling Package
www.PeterBlum.com

PLBlum
1/19/2008 6:51:26 PM

Peter, I realize that the data being posted to the server could be invalid, and too long. However, if I'm sending textbox1.text to my DB and not request.form("textbox"), shouldn't there be no way for textbox1.text to be set to a string longer than textbox1.maxlength? I would hope the textbox class prevents that.

wardito
1/22/2008 2:33:25 PM

To my knowledge, the TextBox control does not trim the value from Request.Form when you retrieve it in the Text property.

--- Peter Blum
Creator of Peter's Data Entry Suite (formerly Professional Validation And More and Peter's Date Package) and Peter's Polling Package
www.PeterBlum.com

PLBlum
1/23/2008 5:55:38 PM
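Added example, not code from this thread or from any of the posters: a C# code-behind for an ASP.NET 3.5 Web Forms page that performs on the server the two checks the thread is about. It assumes a page declaring a TextBox1 (MaxLength=20), a DropDownList1, a Submit button wired to Submit_Click, a Label named ErrorLabel, a connection string named "Items" in web.config, and a SQL Server table Items(Name varchar(20), CategoryId int); every one of those names, and the category list, is made up for the example. The length check exists because MaxLength is rendered as a browser attribute and nothing on the server re-checks it; the category check re-reads the allowed values on the server instead of trusting what the control reports back. ASP.NET 2.0 and later also rejects a posted DropDownList value it never rendered, through event validation (EnableEventValidation, on by default), but the explicit check costs one lookup and still holds if that feature has been switched off.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical page; TextBox1, DropDownList1, ErrorLabel are declared in the .aspx markup.
public partial class ItemEntry : Page
{
    // Matches both TextBox1.MaxLength and the varchar(20) column; kept in one place on purpose.
    private const int NameMaxLength = 20;

    // Stand-in for the bound data source (constructed sample data; a real page would query it).
    // Keys are the values rendered into the <option> tags, so they are what comes back in the POST.
    private static IDictionary<string, string> LoadCategories()
    {
        return new Dictionary<string, string>
        {
            { "1", "Hardware" },
            { "2", "Software" },
            { "3", "Services" },
        };
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            DropDownList1.DataSource = LoadCategories();
            DropDownList1.DataTextField = "Value";
            DropDownList1.DataValueField = "Key";
            DropDownList1.DataBind();
        }
    }

    // Returns null when the posted values are acceptable, otherwise the reason for rejection.
    // Kept separate from the page plumbing so it can be unit-tested without a request.
    internal static string Validate(string name, string categoryId, ICollection<string> allowedCategoryIds)
    {
        // MaxLength is only enforced by the browser; a hand-built POST can carry any length.
        if (string.IsNullOrEmpty(name) || name.Length > NameMaxLength)
            return "Name must be 1 to 20 characters.";

        // Do not rely on the control to reject a value that was never in the list;
        // compare against the server-side source of the list instead.
        if (categoryId == null || !allowedCategoryIds.Contains(categoryId))
            return "Unknown category.";

        return null;
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        string error = Validate(TextBox1.Text, DropDownList1.SelectedValue, LoadCategories().Keys);
        if (error != null)
        {
            // Anything echoed back to the page is encoded, so the error text cannot become markup.
            ErrorLabel.Text = Server.HtmlEncode(error);
            return;
        }

        string connStr = ConfigurationManager.ConnectionStrings["Items"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Items (Name, CategoryId) VALUES (@name, @categoryId)", conn))
        {
            // Parameters carry the user input out of band: the SQL text above never contains it,
            // and the explicit VarChar(20) size matches the column so an over-long value cannot
            // be silently handed to the server as a different type.
            cmd.Parameters.Add("@name", SqlDbType.VarChar, NameMaxLength).Value = TextBox1.Text;
            cmd.Parameters.Add("@categoryId", SqlDbType.Int).Value = int.Parse(DropDownList1.SelectedValue);

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The insert is parameterised rather than concatenated, which is the point of the ScottGu article linked earlier in the thread: even a 20-character value can contain a quote and a comment marker, so the length cap on its own is not an injection defence. The design keeps validateRequest at its default and does the whitelist check against a server-side list, so turning validateRequest off for a field that must accept HTML does not weaken either check.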