dev

Reputation: 1321

Malicious input in ASP.NET MVC

I have ASP.NET MVC 1.0 and Entity Framework v1 application.

By default, content submitted by the user is validated for malicious input (see here). HTML-encoding user-submitted data prevents JavaScript injection attacks. Entity Framework internally uses parameterized SQL, which will stop SQL injection.

Is this sufficient? What else can be done to detect and stop malicious (JavaScript/SQL injection) input?

Please advise.

Thank You.

Upvotes: 1

Views: 848

Answers (3)

ali62b

Reputation: 5403

Use the Bind(Include ...) attribute to prevent over-posting problems.

For more info check out this link: http://bradwilson.typepad.com/blog/2010/01/input-validation-vs-model-validation-in-aspnet-mvc.html

Hope this helps.

Upvotes: 4

griegs

Reputation: 22760

Further to what @ali62 posted:

// Blacklist form: bind every property of User from the request except "id".
// Any property added to User later is bound automatically, so prefer Include.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult MyAction( [Bind(Exclude="id")] User user )
{
    return View();
}

and

// Whitelist form: only "name" and "email" are bound; all other User
// properties keep their defaults no matter what the client posts.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult MyAction( [Bind(Include="name, email")] User user )
{
    return View();
}

Upvotes: 2

dariol

Reputation: 1979

You should use ViewModels for presenting and retrieving data from views, and then validate them. This is input validation.

Then pass data from the ViewModels to your domain models (EF), and validate the domain models to prevent broken domain rules.

Upvotes: 2
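Putting the two answers above together (Bind whitelisting on the action, plus a ViewModel that is validated before anything is copied onto the EF entity), here is an added example that is not code from this thread or from any of its posters; User, EditUserViewModel, UsersController and IUserRepository are hypothetical names, and the repository stands in for the EF ObjectContext.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical EF entity. Id and IsAdmin live here but are deliberately
// absent from the ViewModel, so a form post can never set them.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// ViewModel: exactly the fields the edit form is allowed to submit.
public class EditUserViewModel
{
    public string Name { get; set; }
    public string Email { get; set; }
}

// Hypothetical persistence abstraction in place of the EF ObjectContext.
public interface IUserRepository { User GetById(int id); void Save(User user); }

public class UsersController : Controller
{
    private readonly IUserRepository _repository;
    public UsersController(IUserRepository repository) { _repository = repository; }

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(int id, [Bind(Include = "Name, Email")] EditUserViewModel input)
    {
        // Input validation on the ViewModel. Manual ModelState checks work on
        // MVC 1.0, which has no built-in DataAnnotations support.
        if (string.IsNullOrEmpty(input.Name) || input.Name.Length > 100)
            ModelState.AddModelError("Name", "Name is required (max 100 characters).");
        if (string.IsNullOrEmpty(input.Email) || !input.Email.Contains("@"))
            ModelState.AddModelError("Email", "A valid e-mail address is required.");
        if (!ModelState.IsValid)
            return View(input); // the MVC 1.0 view must Html.Encode re-displayed values

        // Load the entity by the route id and copy only the whitelisted fields;
        // Id and IsAdmin are never touched by request data.
        User user = _repository.GetById(id);
        user.Name = input.Name;
        user.Email = input.Email;

        _repository.Save(user); // EF issues parameterized SQL for the UPDATE
        return RedirectToAction("Details", new { id = user.Id });
    }
}
```

The ViewModel is the real over-posting defence; the Bind(Include) attribute is a second layer that documents the intended fields on the action itself.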
