Why do validations not work correctly when testing my asp.net mvc 2 application via 3rd party tool(s)?
I am working with an ASP.NET MVC 2 application that performs basic CRUD operations against a DB2 table. When testing my application by simply loading it in IE, if I put characters in a numbers field or numbers in a date field or some other form of data that is incompatible with the datatype in my View Model, MVC performs correct error processing on its end and the view is returned with the appropriate Model State error messages as displayed by the Html.ValidationSummary() MVC helper.
However, when I run tests with programs such as IBM AppScan or forge POST requests with Fiddler2, the application flips out.
I am performing what I believe to be the same sort of test in 2 different ways and am getting various results.
I am also employing the use of MVC's AntiForgeryToken system, but that doesn't do much good because these programs just scan the request data, find the token, and make sure it's included with their forged POST.
Also note that I am using DataAnnotations on the server side to handle several of these validations, and instead of getting the error the annotations ought to return, the page is redirected to the application's error page for uncaught exceptions.
I'm actually quite baffled by all this. What am I missing?
LukLed's comment had me do a sanity check on things and he's absolutely right. I'm doing it wrong.
When I forged request body details in Fiddler, I did it in a way where I knew the data would be incorrect, but the data would also fall under the correct validations, so the error would be caught. My testing, such as submitting characters for a number-only field (I had thought this is the sort of thing that bombed the app when AppScan tested it), gave the correct results.
However, LukLed's comment had me really look at the POST data AppScan sent. In every application error, the field was a string on the view model. I allowed the data to pass without strenuous checks on length, and a "String data right truncation" SQL error ensued.
This also brought to light that I need to do better sanitizing of the data because some of the values AppScan submitted were like:
'../../../../../../../../../../../../bin/id|' for an account number field and
Foobar%0d%0aAppScanHeader:%20AppScanValue%2f1%2e2%2d3%0d%0aSecondAppScanHeader:%20whatever' for a description field.
Special characters such as these ought not be allowed in the form submission.
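As an added example (not code from the original question or answer), the view model and controller below show how DataAnnotations in ASP.NET MVC 2 can bound string length and restrict the accepted characters, so that oversized or malformed strings like the ones quoted above become ModelState errors shown by Html.ValidationSummary() rather than a DB2 exception routed to the error page. The class and property names, the 20- and 100-character limits and the field patterns are assumptions chosen for illustration; the attributes and namespaces are the real ones in System.ComponentModel.DataAnnotations and System.Web.Mvc.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical view model (not from the original post). Every string property carries
// a maximum length matching the assumed DB2 column width, so the validation layer
// rejects oversized input before an INSERT/UPDATE can fail with a truncation error.
public class AccountEditViewModel
{
    // Account number: bounded length plus a whitelist pattern. Path-like values
    // containing '/', '.' or '|' fail the pattern and never reach the data layer.
    [Required(ErrorMessage = "Account number is required.")]
    [StringLength(20, ErrorMessage = "Account number must be 20 characters or fewer.")]
    [RegularExpression(@"^[A-Za-z0-9\-]+$",
        ErrorMessage = "Account number may contain only letters, digits and hyphens.")]
    public string AccountNumber { get; set; }

    // Description: free text, but bounded to the assumed 100-character column and
    // forbidden from containing CR/LF. MVC decodes %0d%0a to real line breaks before
    // binding, so the pattern is checked against the decoded value.
    [StringLength(100, ErrorMessage = "Description must be 100 characters or fewer.")]
    [RegularExpression(@"^[^\r\n]*$",
        ErrorMessage = "Description may not contain line breaks.")]
    public string Description { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(AccountEditViewModel model)
    {
        // Type-conversion failures (letters in a numeric field) and DataAnnotations
        // failures both end up in ModelState. Because this check runs on the server,
        // it applies equally to a browser submission and to a forged POST that skips
        // any client-side validation.
        if (!ModelState.IsValid)
        {
            // Re-render the form; Html.ValidationSummary() lists the messages.
            return View(model);
        }

        // Persist using parameterised DB2 commands here (omitted): validation bounds
        // the data, parameters keep it from being interpreted as SQL.
        return RedirectToAction("Index");
    }
}
```

The length limits are the part that addresses the failure described in the answer: when they match the column definitions, a too-long string fails validation and the request never produces the "String data right truncation" error. The patterns narrow each field to what it legitimately holds, which is the sanitizing the answer calls for, and the AntiForgeryToken remains in place for its own purpose (request origin), not as an input filter.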