Hello guys i was wondering if its safe using hidden gridview in asp.net.
For example on the log in page use something like this for logging in?
The sql command that fills this grid located inside the asp.net sql control and is connected to this gridview.
For x = 0 To workerGrid.Rows.Count - 1
If workerGrid.Rows.Item(x).Cells(6).Text = userBox.Text And
workerGrid.Rows.Item(x).Cells(7).Text = passwordInput.Text And
workerGrid.Rows.Item(x).Cells(10).Text = companyIdBox.Text And
workerGrid.Rows.Item(x).Cells(8).Text = "Active" Then
y = True
Exit For
End If
Next
First of all, you have chosen a completely wrong solution for user authentication. I recommend you change GridView with SqlDataSource to SqlDataReader if you are not using any ORM framework in your application.
Regarding your question, even if you hide GridView via Visible=false it still saves data in VIEWSTATE on page. The VIEWSTATE is a security risk if it is not encrypted (anyone could see or modify the values from it and POST them to your page). You should secure VIEWSTATE to avoid fake login. Click here for details.
You should check whether the content is generated into the html. If so, then it is extremely unsafe, professional programmers will be able to steal everything. Also, why don't you simply use a database? Also, why don't you obfuscate your password?
Finally, you should separate your backend logic from UI. User login should never have anything to do with UI controls.
Related
I was recently discussing this with someone, and I wasn't sure if this is an issue or not.
We are creating an ASP.NET website and if the user performs an action on a page we might create a database query using the Text values on controls that we have previously populated.
Could a user do something malicious like modify the text of a label control in their browser, then hit the update button and when we pull that label's .Text we end up inserting that value into the database?
It's easily done via firebug, for example, yes. Make sure you sanitize/validate any input coming in to prevent SQL injection or any other malicious intent.
Have a read of this MSDN article for more help.
I got a simple Site with a textbox where the user can enter some stuff. That Text is analysed and fancy stuff is done with it (like counting the words, displaying the text in another textbox)
No Database-Connection exists. No data is saved permanently
Do I still have to worry about code injection?
Can something harmful be done?
I agree with #nmat and want to add here that If you want to do check against the security, the only thing you need to consider is cross site scripting due to weird inputs in textbox. You can use Anti-cross site scripting library for validation. Same site is also having details regarding what I just said.
Depending on how you implement the application behaviour, plenty of things could go wrong. You don't have to worry about SQL injection because you don't have a database, but you may have problems if you aren't careful with the submitted data.
Add ASP validators to the TextBox to ensure that the user only submits data that you expect to receive. Ex: add a maximum length, a regex or other custom validation. ASP validators work both on the client side and on the server side so this should be enough protection in this case.
Hai, I have an ASP.NET page with 150 controls and i want to transfer data of these controls to another ASP.NET page. what method would be best for this task? Number of controls may increase.
Thanks in advance
There are many ways:
Using a Query String (Might not work in your case, only good for transferring small amount of data)
Getting Post Information from the Source Page
Using Session State
Getting Public Property Values from the Source Page
Getting Control Information from the Source Page in the Same Application
Its always preferable to wrap the data you want to transfer in an object and pass it using pt. 3 or Pt. 4 , though in case you have arbitrary number of controls, Pt. 5 may work better for you.
This should cover it comprehensively:
MSDN: How to: Pass Values Between ASP.NET Web Pages
ASP.NET 2.0 : Accessing controls in Previous Page
You can use datatable , populate the contents in the row and send it using session
Another way is use generic class and transfer it using session.
You can also transfer it using below mentioned code
TextBox previouspagetextbox = (TextBox)PreviousPage.FindControl("currentpagetextbox");
the above mentioned code will be written in the another page where you will access the controls of previous page.
Multiviews is an another option. So you donot need to transfer the contents. It will facilitate you in same page.
As i could understand your need it will be possible through server side session or any other servers side storing mechanism like you can store the data in the database also and then fetch the control values on the next page by the Primary key or any other composite unique combination but at the cost of your page performance i will suggest you better to use ASP:Wizard control that is available from asp.net 2.0.
Most of the things will be taken care by the asp:wizard and it will be easy for the user of the page to fill up the information in the controls.
for details ion wizard control read on the following link
Hope it will be helpful.
Happy coding.
You can use Server.Transfer('NewPage.aspx', True) to redirect to a new page and that page will have access to all of the controls that were on the previous page.
MSDN Article about it
I'm auto-generating a form in my ASP.NET page. This is already tested and working. I want to know if:
If there are any security problems with storing the database ID as part of my controls ID? I can see think of 2 issues: the id will be visible in page source (not really important in this case), and the possibility someone could change the name of the control somehow? This second possibility is more serious. Is this a potential problem and how to void it?
If there would be a better preferred way to associate a unique data with any type of control? Is it possible to store a custom item in the viewstate for the control?
You can create your own custom controls, inheriting from TextBox, for example. Create properties that store data in the ViewState. That is the fastest and simplest way for me to achieve the result you're needing.
just save them in the viewstate
viewstate["DB_ID"] = datarow("ID")
You can use hiddenfield. Or best way is store your ID in Session. Sessions are really secure.
don't store anything database related in your page. you are giving people knowledge of your system that should be hidden from view.
if you must store a database id, store it in the session or put it into your web.config file.
There's nothing wrong with using a database ID in a page. Just look at the URL of this page or nearly any other MVC-style site. It is not a security risk in itself unless your system is vulnerable to SQL injection attacks - and if it is, then you have bigger problems to worry about.
I have a custom made ASP control which is based on a select (drop down menu). If I disable my control by adding the word "disabled" in its html, I start getting null pointer errors when processing the form data.
I figure, either the browser doesn't post back disabled form items or ASP.NET ignores them when processing the form data. I'm not sure which one it is. I'm trying to understand where I'm loosing data.
Thanks for your help.
PS. I realize that there are better way to create and disable controls than manually editing html but there's a context here that doesn't allow me to do otherwise.
Yes setting control's Enable = false is prevents control's value to be added posted data collection.
you can use readonly attribute instead.
here in MSDN it says :
The Text value of a TextBox control
with the ReadOnly property set to true
is sent to the server when a postback
occurs, but the server does no
processing for a read-only text box.
This prevents a malicious user from
changing a Text value that is
read-only. The value of the Text
property is preserved in the view
state between postbacks unless
modified by server-side code.
Also here is the Microsoft's reply to a bug report related to topic.
but if you use in classical way like that it will work :
txt2.Attributes.Add("readonly", "readonly");
It will prevent the control from posting back but remember this web paradigm is a client/server technology. A person could modify the client data (HTML and / or Javascript) and force a postback no matter what you send him.
Therefore don't rely on this for security sensitive operations such as money manipulation and so on.
Always do a check on the server-side too for sensitive operations.