Re: BIG WARNING - validation controls appear to be ignored.

From: IPGrunt (me_at_privacy.net)
Date: 02/24/05


Date: 24 Feb 2005 17:03:41 GMT

On 24 Feb 2005, "Andy Fish" <ajfish@blueyonder.co.uk> postulated in
news:OyahI6oGFHA.3472@TK2MSFTNGP09.phx.gbl:

> Hi,
>
> Although I have got to the bottom of this problem, it gave me quite
> a shock to discover how easy it is to write a very unsafe application
> with .Net validators.
>
> The scenario was this: we wrote and tested an application using
> validators, but when we deployed the app onto a different server, it
> accepted and processed invalid input from the user.
>
> Turns out that in testing the validators were running client-side.
> When a client-side validator blocks the input there is no postback and
> hence nothing happens on the server. However, if client-side validation
> is disabled for any reason, all control events fire on the server even
> if the page is invalid. If, like me, you were expecting the page
> processing to finish in the event of a validation failure and not fire
> button clicks etc, you are sadly mistaken. If you use validators, you
> must check Page.IsValid manually in every "click" event.
>
> I realise this is probably in the documentation (section 34.4b(ii)
> subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will
> think this is obvious, but I'm sure that there must be hundreds of apps
> out there that are unwittingly relying on client-side validation.
>
> The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE
> VALIDATION DISABLED. The default configuration could lull you into a
> false sense of security and could lead to shipping an unsafe
> application.
>
> Andy
>
>

Good point, Andy.

No, this is not in the documentation; however, there are plenty of
informative articles available on preventing SQL injection attacks.

Testing is important, but a deliberate practice of defense in depth
is advised to all who use the web as a data aggregator.

I would suggest that if you don't already use parameterized queries,
that you learn what they are and how they can help you prevent data
content attacks against your server.

-- ipgrunt
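Putting the two points of this thread together, as an added example that is not code from either poster: an ASP.NET Web Forms code-behind whose click handler first checks Page.IsValid on the server (so the check holds whether or not client-side validation is enabled) and then runs a parameterized query instead of concatenating user input into SQL. The control names (NameBox, SubmitButton, ResultLabel), the connection-string name "AppDb" and the Customers table are assumptions made for illustration.

```csharp
// Added example, not from the original thread. Assumed names: NameBox,
// SubmitButton, ResultLabel (page controls), "AppDb" (connection string),
// Customers (table).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class CustomerLookup : Page
{
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Re-run the validators on the server and stop if the page is invalid.
        // Without this guard the handler processes the raw postback data
        // whenever client-side validation is disabled or bypassed.
        Page.Validate();
        if (!Page.IsValid)
        {
            return;
        }

        string connectionString =
            ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(
            "SELECT Id, Name FROM Customers WHERE Name = @name", connection))
        {
            // The user-supplied value is bound as a typed parameter and never
            // becomes part of the SQL text, so it cannot alter the query's
            // structure even if it contains quotes or SQL keywords.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value =
                NameBox.Text;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                ResultLabel.Text = reader.Read()
                    ? string.Format("Found #{0}: {1}", reader["Id"], reader["Name"])
                    : "No match.";
            }
        }
    }
}
```

The Page.IsValid check is the server-side half of Andy's point: validators only prevent the postback when they run in the browser, so every handler that acts on input must test the page state itself. The parameterized SqlCommand is the defense-in-depth layer ipgrunt recommends; it protects the query even when a validator is misconfigured or missing.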

