ASP无效的回发或回调参数 [英] ASP invalid postback or callback argument

问题描述

无效的回发或回调参数.

使用配置中的页面enableEventValidation=true或页面中的％@页面EnableEventValidation = true启用事件验证.为了安全起见，此功能验证回发或回调事件的参数源自最初呈现它们的服务器控件.如果数据有效且预期，请使用ClientScriptManager.RegisterForEventValidation方法以注册回发或回调数据以进行验证.

说明:
我有一个简单的程序，该程序显示一个空白网页，上面带有几个按钮，允许用户在网页上动态放置功能控件.允许用户在网页上添加，删除和移动控件.当用户删除控件时，是我收到错误消息的时候.我可以通过在我的& amp; lt;％@页面指令中包含enableEventValidation = false来摆脱错误消息

出于安全原因，我宁愿不这样做.由于我每次都会在每个帖子上重建页面，因此我一直在考虑将所有控件enableViewState设置为false.但是，由于我将在下一个版本中包括Ajax以减少回发，所以我可能不想将viewstate设置为false.

由于我知道已删除了哪些控件，因此有没有一种方法可以操纵viewstate或请求对象，以使IIS认为没有黑客潜伏在黑暗中?

在此感谢您的帮助.
特里


示例代码显示添加ASP文本框的路由.大多数控件都附在面板上.

Invalid postback or callback argument.

Event validation is enabled using pages enableEventValidation=true in configuration or %@ Page EnableEventValidation=true in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

Description:
I have a simple program that displays a blank web page with a few buttons on it that allows a user to dynamically put functional controls on the web page. The user is allowed to add, delete and move the controls around on the web page. When the user deletes a control is when I get the error message. I can get rid of the error message by including enableEventValidation=false in my <%@ page directive

I would prefer not to do that for security reasons. Since I rebuild the page on every post back every time, i was thinking about setting all controls enableViewState to false. However, since I am going to include ajax in my next version to reduce the post backs I may not want to set viewstate to false.

Since I know which controls were deleted, is there a way I can manipulate viewstate or the request object so IIS doesn''t think there is a hacker lurking in the dark?

Would appreciate some help here.
Terry


sample code showing the routing to add an ASP textbox. Most controls are attached to a panel.

public static void bText(
            ref Panel panel, ref Table tb, ref TableRow tr, ref TableCell tc, ref ControlProperties tp)
{
    TextBox myTB = new TextBox();
    myTB.Text = tp.displayThisText;
    myTB.CssClass = tp.cssClassName;
    myTB.ID = tp.idName;
    myTB.Attributes.Add("dir", tp.direction);
    myTB.Attributes.Add("runat", "server");
    myTB.EnableViewState = true;
    processAttributes(tp, (System.Web.UI.WebControls.WebControl)myTB);
    if (tp.bgColor != null && !tp.bgColor.Equals("NoColor"))
    {myTB.BackColor = Color.FromName(tp.bgColor);}
    if (tp.fgColor != null && !tp.fgColor.Equals("NoColor"))
    { myTB.ForeColor = Color.FromName(tp.fgColor); }
    if (tp.units == WidthUnits.pixels)
    { int temp = (int)tp.width; myTB.Width = System.Web.UI.WebControls.Unit.Pixel(temp); }
    else if (tp.units == WidthUnits.percent)
    { myTB.Width = System.Web.UI.WebControls.Unit.Percentage(tp.width); }
    if (tp.textMode.Equals("s"))
    {   // single line mode
        myTB.TextMode = TextBoxMode.SingleLine;
        { int len; if (int.TryParse(tp.maxCharacters, out len)) { myTB.MaxLength = len; } }
    }
    else
    {   // multi line mode
        myTB.TextMode = TextBoxMode.MultiLine;<pre></pre>
        // number of rows to dispaly on screen
        { int len; if (int.TryParse(tp.rows, out len)) { myTB.Rows = len; } }
        // number of allowable characters
        // may have to use javascript control to
        // limit characters input
        if (tp.maxCharacters != null && tp.maxCharacters != "")
        {
        }
    }
    addControlToWebPage(ref panel, ref tb, ref tr, ref tc, myTB, tp.location);
}

推荐答案

目前尚无已知的实现方法. Asp.Net会保留所有控件ID的哈希值.其可能的值在名为"__EVENTVALIDATION"的隐藏字段中.
无法干预它，因为它还会使用您不知道的服务器密钥进行哈希处理.

因此，对您来说，一个不错的解决方法是维护纯HTML控件(在客户端动态生成/删除/操作值).
您可以使用Request.Form []集合访问它们.

There are no known ways of achieving it. Asp.Net keeps a hash of all the control id''s & its possible values in a hidden field named "__EVENTVALIDATION".
It cannot be meddled because it is also hashed using a server key which you will not know.

So a good workaround for you is to maintain plain html controls (which are dynamically generated / deleted / values manipulated on the client side).
You could access them using Request.Form[] collection.

这篇关于ASP无效的回发或回调参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！