EnableEventValidation ="假" - 一个好主意? [英] EnableEventValidation="false" - A Good Idea?
问题描述
可能重复:结果
<一href=\"http://stackoverflow.com/questions/1503630/purpose-for-pages-enableeventvalidation-false\">purpose为&LT;页面enableEventValidation =&ldquo;假rdquo;的&GT;
我有没有答案,另一个相关的问题:<一href=\"http://stackoverflow.com/questions/9088146/asp-net-cascadingdropdown-and-enableeventvalidation-false\">my计算器问题
I have another related question without an answer as yet: my stackoverflow question
不过,我的问题消失,如果我设置 EnableEventValidation =FALSE。
However, my problem goes away if I set EnableEventValidation="false".
现在我的问题是它使一个真正的大问题,如果我设置一个母版?
Now my question is does it make a really big deal if I set this on a MasterPage?
在所有引用此设置为假,没有人带来了比其他MSDN的安全问题。
In all the references to setting this to false, no one brings up the security issue other than MSDN.
有什么建议?
推荐答案
删除事件验证减少了应用程序内安全检查点的数量。现在的问题是,有什么关系?
Removing event validation decreases the number of security checkpoints within the application. The question is, does it matter?
一个简单的例子,它的事项
一个用户提供2个选项,因为他们在一个网站银的成员。他们手艺,实际上提交选项#3,被授予金牌服务的特权,他们没有支付的请求。
A user is given 2 options because they are a "Silver" member on a site. They craft a request that actually submits option #3 and are granted a "Gold" privilege that they didn't pay for.
一个例子,它可能并不重要
一个用户可以工艺品断言他们生活在一个国家,这是不是在你的页面上的下拉列表中的请求。您正在运行的同一个外键约束捕获这个事务,关系数据库。用户收到一个错误,没有数据持久化或损坏。
A user can crafts a request that asserts they live in a country that wasn't in a dropdown list on your page. You are running a transactional, relational database which catches this with a foreign key constraint. The user receives an error and no data is persisted or corrupted.
我是不是暗示,让你的数据库进行验证?当然不是。但在这个例子中,没有造成任何伤害。
Am I suggesting to let your database perform validation? certainly not. But in this example, no harm is done.
当有疑问,认为它的确实的事项,并有人会找到一种方法,打破你的code。
When in doubt, assume that it does matter and that someone will find a way to break your code.
的理想方法
首先,确定为什么事件验证是打破。在我的经验,这通常是由于页/控制设计的滥用。在10年以上.NET开发的,我只有一次禁用事件验证,由于控制设计,最终我后悔过,不是为了安全,而是因为我bastardized页面生命周期,这引起了我的问题。
First, identify why event validation is breaking. In my experience it's usually due to a misuse of page/control design. In 10+ years of .NET development, I have only once disabled event validation due to control design, and ultimately I regretted it, not for security but because I had bastardized the page lifecycle and it caused me problems.
我通常禁用事件验证的性能和页面大小的目的,但我清理和手动验证我的投入,这使我对我的最后一点:
I usually disable event validation for performance and page size purposes but I clean and validate my inputs manually, which brings me to my last point:
确定和验证关键业务规则的服务器端,并独立于ASP.NET。不要依赖于一个框架,做你的工作;它太容易认为安全处理,并留在你的设计中的漏洞。
这篇关于EnableEventValidation =&QUOT;假&QUOT; - 一个好主意?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
