Beginning ASP.NET Security by Barry Dorrans

Chapter 3. Safely Accepting User Input

One of the most basic functions a Web site offers is the capability to accept input from a user. Input can arrive in various guises — controls on a form, or HTML links that pass parameters in the URI. There are also less visible inputs into your application — cookies and request headers.

In this chapter, you will learn about the following:

  • How user input can be dangerous

  • How to safely accept user input

  • How to safely reflect user input on a Web page

  • How the ASP.NET validation controls work

  • How to write your own ASP.NET validation controls

DEFINING INPUT

Input is anything that comes into your program from the outside. This can be from various sources — including forms submitted by a user, data read from a database (or retrieved from a Web service), headers sent from the browser, or files read from the Web server itself. All of these types of data can be processed by your application, and will shape how your application acts and what it outputs.

In the highly recommended book, Writing Secure Code, Second Edition (Redmond, Washington: Microsoft Press, 2003), authors Michael Howard and David LeBlanc state the problem succinctly: "All input is evil — until proved otherwise." As a developer, it is your job to determine if input entering your Web application is safe, and to either make it safe or reject the "evil" input.

A common concept in deciding whether input is safe is a trust boundary, which can be thought of as a border or line drawn in your application. ...
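The following is an added example, not code from the book, showing the "make it safe or reject" decision applied to the three kinds of input named above (a form or query-string value, a cookie, and a request header) on an ASP.NET Web Forms page. The page class, the Greeting label and the allow-list patterns are hypothetical.

```csharp
// Added example, not code from the book: every inbound value on an ASP.NET Web Forms
// page is treated as untrusted until it passes an anchored allow-list check.
// ProfilePage, the Greeting label and the three patterns are hypothetical.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class ProfilePage : Page
{
    // Anchored patterns (^ ... \z): the whole value must match, not just a substring.
    private static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_]{3,20}\z");
    private static readonly Regex ThemePattern    = new Regex(@"^(light|dark)\z");
    private static readonly Regex LanguagePattern = new Regex(@"^[a-z]{2}(-[A-Z]{2})?\z");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Visible input: a query-string parameter. It is required, so invalid input is rejected.
        string userName = RequireValid(Request.QueryString["user"], UserNamePattern);

        // Less visible input: a cookie. The browser sends back whatever the client set,
        // so it sits outside the trust boundary just like a form field does.
        HttpCookie themeCookie = Request.Cookies["theme"];
        string theme = OrDefault(themeCookie == null ? null : themeCookie.Value, ThemePattern, "light");

        // Less visible input: a request header. Accept-Language is a comma-separated list
        // with optional ";q=" weights; only the first language tag is used here.
        string firstTag = (Request.Headers["Accept-Language"] ?? "").Split(',')[0].Split(';')[0].Trim();
        string language = OrDefault(firstTag, LanguagePattern, "en");

        // Input that passed validation is still HTML-encoded before it is reflected on the page.
        Greeting.Text = Server.HtmlEncode(userName + " (" + theme + ", " + language + ")");
    }

    // Reject: a required value that fails the allow list ends the request with HTTP 400.
    private static string RequireValid(string value, Regex allowed)
    {
        if (value == null || !allowed.IsMatch(value))
            throw new HttpException(400, "Invalid input");
        return value;
    }

    // Make safe: an optional value that fails the allow list is replaced by a known-good default.
    private static string OrDefault(string value, Regex allowed, string fallback)
    {
        return value != null && allowed.IsMatch(value) ? value : fallback;
    }
}
```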