开发者

Malicious input in ASP.NET MVC

问答 作者:

I have ASP.NET MVC 1.0 and Entity Framework v1 application.

By default, content submitted by user is validated for malicious input. (See here). HTML encoding user submitted data, prevents JavaScript injection attacks. Entity Framework internally uses parameterized SQL which will stop sql injection.

Is this sufficient ? What else ca开发者_Python百科n be done to detect, and stop, malicious (javascript/sql injection) input ?

Please advise.

Thank You.

Use Bind(Include ... attribute to prevent Over-Posting Problems .

For more info check out this link: http://bradwilson.typepad.com/blog/2010/01/input-validation-vs-model-validation-in-aspnet-mvc.html

Hope this helps.

You should use ViewModels to presenting and retrieving data from views and then validate them. This will be input validation.

Then pass data from ViewModels to your DomainModels (EF). Then you should validate your domain models to prevent broken domain rules.

Further to what @ali62 posted;

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult MyAction( [Bind(Exclude="id")] User user )
{
    return View();
}

and

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult MyAction( [Bind(Include="name, email")] User user )
{
    return View();
}

继续阅读:asp.net-mvcentity-framework

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9