在.NET中,我怎么prevent,或处理,与前提交残疾人领域的形式篡改数据? [英] In .NET, how do I prevent, or handle, tampering with form data of disabled fields before submission?
问题描述
如果已禁用下拉列表动态呈现的页面,它仍然是可能使用萤火虫,或其他工具,以提交的值篡改,并除去禁用HTML属性。
这code:
If a disabled drop-down list is dynamically rendered to the page, it is still possible to use Firebug, or another tool, to tamper with the submitted value, and to remove the "disabled" HTML attribute. This code:
protected override void OnLoad(EventArgs e) {
var ddlTest = new DropDownList() {ID="ddlTest", Enabled = false};
ddlTest.Items.AddRange(new [] { new ListItem("Please select", ""), new ListItem("test 1", "1"), new ListItem("test 2", "2") });
Controls.Add(ddlTest);
}
在此HTML效果被渲染:
results in this HTML being rendered:
<select disabled="disabled" id="Properties_ddlTest" name="Properties$ddlTest">
<option value="" selected="selected">Please select</option>
<option value="1">test 1</option>
<option value="2">test 2</option>
</select>
当我使用Firebug删除已禁用属性,并更改所选选项将出现问题。
上提交表单,并且该字段的再创造,新生成的控制具有由的OnLoad的端部正确的值,但由于preRender,它已经假定提交的控制的身份,并已被赋予了提交的表单值。
.NET似乎没有任何的检测领域是处于禁用状态,并且提交的值是假的最初创建这个事实的方式。这是可以理解的,因为有可能是合法的,客户端的功能,将允许被删除disabled属性。
The problem occurs when I use Firebug to remove the "disabled" attribute, and to change the selected option.
On submission of the form, and re-creation of the field, the newly generated control has the correct value by the end of OnLoad, but by OnPreRender, it has assumed the identity of the submitted control and has been given the submitted form value.
.NET seems to have no way of detecting the fact that the field was originally created in a disabled state and that the submitted value was faked. This is understandable, as there could be legitimate, client-side functionality that would allow the disabled attribute to be removed.
有没有一些方法,比蛮力方法,检测这个字段的值不应该被改变?
Is there some way, other than a brute force approach, of detecting that this field's value should not have been changed?
我看到了暴力方法为是垃圾的东西,就像在某个地方的OnLoad保存正确的值,同时仍,并在在preRender还原值。由于某些领域对他人的依赖,这将是不能接受我。
I see the brute force approach as being something crap, like saving the correct value somewhere while still in OnLoad, and restoring the value in the OnPreRender. As some fields have dependencies on others, that would be unacceptable to me.
推荐答案
使用ViewState中。它是加密不足以阻止一般的黑客。
Use ViewState. It is encrypted enough to stop the average hacker.
这篇关于在.NET中,我怎么prevent,或处理,与前提交残疾人领域的形式篡改数据?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
