Chapter 3. Safely Accepting User Input

One of the most basic functions a Web site offers is the capability to accept input from a user. Input can arrive in various guises — controls on a form, or HTML links that pass parameters in the URI. There are also less visible inputs into your application — cookies and request headers.

In this chapter, you will learn about the following:

  • How user input can be dangerous

  • How to safely accept user input

  • How to safely reflect user input on a Web page

  • How the ASP.NET validation controls work

  • How to write your own ASP.NET validation controls


Input is anything that comes into your program from the outside. This can be from various sources — including forms submitted by a user, data read from a database (or retrieved from a Web service), headers sent from the browser, or files read from the Web server itself. All of these types of data can be processed by your application, and will shape how your application acts and what it outputs.

In the highly recommended book, Writing Secure Code, Second Edition (Redmond, Washington: Microsoft Press, 2003), authors Michael Howard and David LeBlanc state the problem succinctly: "All input is evil — until proved otherwise." As a developer, it is your job to determine whether input entering your Web application is safe, and to either make it safe or reject the "evil" input.

A common concept in deciding whether input is safe is a trust boundary, which can be thought of as a border or line drawn in your application. ...
