Reputation: 645
I have a checkboxlist with some items that have a value parameter set to a dataset filter. Are these values validated on postback to make sure that they are within the range of valid checkboxes, or can a user inject an invalid checkbox into the list with a harmful (SQL injection) value?
Upvotes: 0
Views: 82
Reputation: 63964
The user can inject anything he wants on a page that's already rendered on his browser; however, the actual values associated to the checkboxes in the list will be encoded in the ViewState. The ViewState in turn is hashed (by default, at least) and therefore, the only way for someone to manipulate the value posted back to the server by one of the checkboxes is by manipulating the ViewState, which will throw an exception immediately.
With that said, hashing is not infallible and you should take measures to ensure that the ViewState hasn't been tampered with. For example, you can also encrypt the ViewState to make it even more difficult but it will incur a performance penalty.
I would simply validate the value programmatically before allowing it to be used. Borrowing from Uwe's words above, never trust user input.
Upvotes: 2
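One way to do the programmatic validation the answer recommends, as an added example that is not part of the original thread: each posted checkbox value is looked up in a server-side allow-list that maps it to a fixed filter expression, so text from the request never reaches the `DataView.RowFilter` string. The class name, the keys, the filter expressions and the sample table are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Linq;

static class FilterValidation
{
    // Server-side allow-list (constructed sample): checkbox value -> fixed filter expression.
    static readonly IReadOnlyDictionary<string, string> AllowedFilters =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["open"]   = "Status = 'Open'",
            ["closed"] = "Status = 'Closed'",
            ["urgent"] = "Priority >= 3",
        };

    // Builds a RowFilter only from allow-listed expressions.
    // Throws if any posted value is not a known checkbox value.
    // An empty selection yields "", which DataView treats as "no filter".
    public static string BuildRowFilter(IEnumerable<string> postedValues)
    {
        var parts = new List<string>();
        foreach (var value in postedValues.Distinct())
        {
            if (value == null || !AllowedFilters.TryGetValue(value, out var expr))
                throw new ArgumentException("Unexpected checkbox value rejected.");
            parts.Add("(" + expr + ")");
        }
        return string.Join(" OR ", parts);
    }

    static void Main()
    {
        // Constructed sample data standing in for the page's dataset.
        var table = new DataTable("Tickets");
        table.Columns.Add("Status", typeof(string));
        table.Columns.Add("Priority", typeof(int));
        table.Rows.Add("Open", 1);
        table.Rows.Add("Closed", 4);
        table.Rows.Add("Pending", 2);

        var view = new DataView(table);
        view.RowFilter = BuildRowFilter(new[] { "open", "urgent" });
        Console.WriteLine("Matching rows: " + view.Count);

        // A tampered value (constructed) is rejected before it can reach RowFilter.
        try { BuildRowFilter(new[] { "open", "open' OR '1'='1" }); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```

In a WebForms postback handler the same method would be called with the `Value` of each selected `ListItem` of the CheckBoxList, and a rejected value is worth logging as a possible tampering attempt.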