Asp.Net Validaterequest假 [英] Asp.Net Validaterequest False
问题描述
我创建一个Asp.Net程序的UI,用户可以浏览和数据库中的变化信息。出于这个原因,他们需要能够使用所有形式的字符,但我仍然需要保持程序的HTML和SQL本身的安全。出于这个原因,我用它取代危险的字符,如自建法'<'等他们的HTML的codeS,而他们正在一个文本框(在页面加载发出这样他们在那里没有任何功能)。
I'm creating an Asp.Net program UI where users can browse and change information in a database. For this reason, they need to be able to use all forms of chars, but I still need to keep the program HTML and SQL itself secure. For that reason, I'm using a self-built method that replaces dangerous chars such as '<' etc with their html-codes while they're being handled outside of a textbox (issued on page-load so they have no functionality in there).
现在我的困境:为了能够做到这一点,我必须禁用Validaterequest参数按专题,该方案将发出投诉。什么是它设置为False可能产生的后果?
Now my dilemma: To be able to do this, I have to disable the Validaterequest parameter as per the topic, the program will issue a complaint. What are the possible consequences of setting it to False?
SQL查询已经parametirized,我筛选出下列标志只:
The SQL query is parametirized already, and I filter out the following marks only:
& # < > " ’ % @ =
问:我是离开程序打开的威胁,即使我处理上述字符?基本上这是一个Intranet应用程序,其中只有少数人将能够访问该程序。尽管如此,它访问的信息是相当重要所以即使意外事故应该是prevented。我真的不知道是什么东西Validaterequest甚至做。
Question: am I leaving the program open for threats even if I handle the chars above? Basically this is an intranet application where only a few people will be able to access the program. Nevertheless, the information it accesses is fairly important so even unintentional mishaps should be prevented. I literally have no idea what the Validaterequest thing even does.
编辑:好吧,THX的答案。我就这个然后去按原先计划。
Alright, thx for the answers. I'll just go with this then as initially planned.
推荐答案
主要的事情验证请求正在寻找有&LT;和大于字符,阻止你打开你的网站允许恶意用户发布脚本或HTML到您的网站。
The main things Validate Request is looking for are < and > characters, to stop you opening your site up to malicious users posting script and or HTML to your site.
如果你很高兴与code你有剥离出HTML标记,或者你不显示保存的数据回不经加工的网站,那么你应该没问题。
If you're happy with the code you've got stripping out HTML mark-up, or you are not displaying the saved data back to the website without processing, then you should be ok.
这篇关于Asp.Net Validaterequest假的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
