Chapter 4. Using Query Strings, Form Fields, Events, and Browser Information
Input arrives into your Web application from various sources. Chapter 3 discussed how you should treat input, how input should be considered untrustworthy by default, how you can validate it, and how you can output it safely. This chapter introduces some of the ways input can arrive, the vulnerabilities each of these vectors is susceptible to, and how you can mitigate them.
In this chapter, you will learn about the following:
How to pass input via query strings
How to use hidden form fields
How forms can be hijacked
How the ASP.NET event model works
How to avoid common mistakes with browser information
USING THE RIGHT INPUT TYPE
HTTP allows input into your application in the following four ways:
The query string
The base class for ASP.NET pages, Page, contains a property, Request, of type HttpRequest. When your Page class is created by ASP.NET, you have access to the Request property. It is initialized and contains the various inputs sent as part of the page request, as well as other information provided by the ASP.NET run-time (such as the identity of the user, whether the page has been requested over SSL, and so on). The Page class also contains a Response property that allows you to manipulate the response being sent when your page has finished processing.
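As an added example (not code from the book), here is the pattern the text describes in a Web Forms code-behind: reading a query-string value through the page's Request property, validating it before use, and encoding it on output. The Label control name ProductLabel and the query parameter productId are assumed.

```csharp
// Added example, not from the book. Assumes a page with a Label control
// named ProductLabel and a (hypothetical) query parameter "productId".
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ProductPage : Page
{
    protected Label ProductLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.QueryString is a NameValueCollection; a missing key yields null.
        string raw = Request.QueryString["productId"];

        // Treat the value as untrusted: require a positive integer rather than
        // passing the raw string on to a database query, a file path, or the page.
        int productId;
        if (string.IsNullOrEmpty(raw)
            || !int.TryParse(raw, out productId)
            || productId <= 0)
        {
            // Reject invalid input with a 400 instead of echoing it back.
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // Other facts the run-time supplies on the Request, as the text notes:
        // whether the request came over SSL and who the caller is.
        bool overSsl = Request.IsSecureConnection;
        string userName = User.Identity.IsAuthenticated
            ? User.Identity.Name
            : "(anonymous)";

        // Encode before writing into HTML so no input-derived text can inject
        // markup, even though the validated integer is already safe.
        ProductLabel.Text = HttpUtility.HtmlEncode(
            "Product " + productId + " requested by " + userName
            + (overSsl ? " over SSL" : " without SSL"));
    }
}
```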
A query string is the part of a URL that contains data to be passed to a Web application as part of a request. ...