
.NET2 Web site form - can it be Broken?



#1
I need to provide a simple "GuestBook" for a client BUT they are very concerned over abuse of the public-facing web form (SQL injection etc.)

I have scripted a demo guestbook http://www.stormtrack.co.uk/Pages/guestbook.aspx

I am using ASP validation controls, SQL2005 stored procedures as well as a final "post comment live" Maintenance page for the client (you don't have access to this)

Have I got all bases covered - or is there anything else I need to consider??
www.stormtrack.co.uk - My Stormchasing website.

#2
If using SPs entirely and you don't have any dynamic SQL hiding anywhere then you should be good. Make sure you don't leave the customErrors mode="On" when finished developing it to give anyone a clue about any exceptions.

Also use the length= attribute for your textboxes to prevent people pasting huge amounts of text in to force DB errors.


#3
Also ensure the DB user the application is connecting as does not have any permissions beyond what it needs. It's easy to just grant the user dbo knowing your app will work fine, whereas it seldom needs that level of access.
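The two points above (stored procedures with no dynamic SQL, and a database user that holds only the rights the app needs) can be set up together in one T-SQL script. The following is an added example written for this thread, not code from the original posts or from the stormtrack.co.uk site; the object names (dbo.GuestBookEntry, dbo.usp_GuestBook_Add, dbo.usp_GuestBook_ListApproved, the guestbook_web login) and the column sizes are assumptions chosen to match the varchar(100) limits mentioned later in the thread.

```sql
-- Added example (not from the thread). Object and login names below are
-- illustrative assumptions. Tested against SQL Server 2005-era syntax.

-- 1. Table: column sizes match the MaxLength set on the ASP.NET textboxes,
--    so oversized input is rejected in the page and, if it slips past,
--    by the typed procedure parameters below rather than by a truncation
--    error whose text an attacker could read.
CREATE TABLE dbo.GuestBookEntry (
    EntryId    INT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    Name       VARCHAR(100)  NOT NULL,
    Email      VARCHAR(100)  NOT NULL,
    Comment    VARCHAR(1000) NOT NULL,
    IsApproved BIT      NOT NULL CONSTRAINT DF_GuestBookEntry_IsApproved DEFAULT (0),
    CreatedAt  DATETIME NOT NULL CONSTRAINT DF_GuestBookEntry_CreatedAt  DEFAULT (GETDATE())
);
GO

-- 2. Insert procedure: parameters are typed and sized, and nothing is
--    concatenated into a SQL string, so user input is only ever data.
CREATE PROCEDURE dbo.usp_GuestBook_Add
    @Name    VARCHAR(100),
    @Email   VARCHAR(100),
    @Comment VARCHAR(1000)
AS
BEGIN
    SET NOCOUNT ON;
    -- Server-side re-check of what the ASP validators enforce in the browser.
    IF @Name IS NULL OR LEN(@Name) = 0 OR @Comment IS NULL OR LEN(@Comment) = 0
    BEGIN
        RAISERROR('Name and comment are required.', 16, 1);
        RETURN;
    END
    INSERT INTO dbo.GuestBookEntry (Name, Email, Comment)
    VALUES (@Name, @Email, @Comment);   -- IsApproved stays 0 until moderated
END
GO

-- 3. Read procedure for the public page: only moderated rows are shown,
--    mirroring the "post comment live" maintenance step in post #1.
CREATE PROCEDURE dbo.usp_GuestBook_ListApproved
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Name, Comment, CreatedAt
    FROM dbo.GuestBookEntry
    WHERE IsApproved = 1
    ORDER BY CreatedAt DESC;
END
GO

-- 4. Least privilege: the web application's login is not dbo. It can only
--    EXECUTE the two procedures above and has no direct table access.
CREATE LOGIN guestbook_web WITH PASSWORD = 'REPLACE-WITH-A-STRONG-PASSWORD';
CREATE USER guestbook_web FOR LOGIN guestbook_web;
GRANT EXECUTE ON dbo.usp_GuestBook_Add          TO guestbook_web;
GRANT EXECUTE ON dbo.usp_GuestBook_ListApproved TO guestbook_web;
-- Nothing else is granted: SELECT/INSERT/UPDATE/DELETE on the table by this
-- login fail, as does reading any other table in the database.
GO

-- 5. Check (run as an administrator): what can the app login actually do?
EXECUTE AS USER = 'guestbook_web';
SELECT permission_name, state_desc
FROM fn_my_permissions('dbo.GuestBookEntry', 'OBJECT');   -- expect no rows
SELECT permission_name, state_desc
FROM fn_my_permissions('dbo.usp_GuestBook_Add', 'OBJECT'); -- expect EXECUTE only
REVERT;
GO
```

The approval step (setting IsApproved = 1) deliberately has no procedure granted to guestbook_web; the maintenance page would connect with a separate, more privileged login, so a compromise of the public form cannot publish entries on its own. The web.config connection string for the guestbook page then uses guestbook_web rather than sa or a dbo-mapped account.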


#4
Hi Durbs,

Thanks for the heads up, I have now limited the size of the text boxes to the max size of the SQL fields - in most cases varchar(100)

Not sure what to do about the web.config custom error mode as I have a custom 404 page??

<customErrors mode="On">
<error statusCode="404" redirect="404ErrorPage.aspx" />
</customErrors>
Last edited by wxman; 11 December 2008, 00:59. Reason: typo
www.stormtrack.co.uk - My Stormchasing website.


#5
Sorry, typo in my original post! "On" is ok and what you'd use in your case as you are explicitly defining an action for 404.

"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages to remote users, detailed to local

So don't use "Off"


#6
Originally posted by Durbs:
Make sure you dont leave the customErrors mode="On" when finished developing it to give anyone a clue about any exceptions.
Originally posted by wxman:
Not sure what to do about the web.config custom error mode as I have a custom 404 page??

<customErrors mode="On">
<error statusCode="404" redirect="404ErrorPage.aspx" />
</customErrors>
"On" is the correct production setting - "Off" is the mode that will generate detailed exception messages.

EDIT: durbs beat me to it.
Where are we going? And what's with this hand basket?


#7
You should also check out Cross-site scripting (XSS) and Cross-site request forgery (XSRF) to be on the safe side, although there's a reasonable chance ASP.NET offers some level of protection against them.


#8
You can also catch unhandled exceptions, i.e. not 404, by using:

<customErrors defaultRedirect="error.htm" mode="On" />

Then create an all-encompassing error.htm page that doesn't give any dodgy geezers a clue as to what caused your app to fall over (and also presents a nicer screen to the users than the browser error screen)


#9
FWIW, I think ASP.NET's idea of redirecting errors to a different URL is a fundamentally broken concept


#10
I can fully understand what you mean for 5xxx errors but the ability to do this for errors is great as you get to keep the user on your site by displaying them actual content rather than any sort of error. I'd assume an error of any nature would have the bulk of users simply clicking back to Google. At least it gives you a last ditch attempt to say 'sorry, we couldn't do that, but do you want to buy one of THESE instead'.