ASP.NET Request Validation and Server-side validation
I am confused between ASP.NET Request validation and server-side validation. If we set ValidateRequest="false", as follows.
<%@ Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    void btnSubmit_Click(Object sender, EventArgs e)
    {
        // If ValidateRequest is false, then 'hello' is displayed
        // If ValidateRequest is true, then ASP.NET returns an exception
        Response.Write(txtString.Text);
    }
</script>
<body>
    <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server"
            Text="<script>alert('hello');</script>" />
        <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click"
            Text="Submit" />
    </form>
</body>
</html>
Then can we use server-side validation such as RequiredFieldValidator Control?
Are they different things? But they both have validate key words.
Thanks for explaining them.
Yes, they are different.
ValidateRequest causes an error to be thrown and aborts the request if any of the submitted form field values contain "dangerous" values, such as that script tag you have there, to prevent script injection attacks.
The validator controls such as RequiredFieldValidator do not stop page processing if they fail. They are to help you process your rules and typically have nothing to do with protecting the server or application from attack.
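The distinction drawn in the answer, shown as an added example that is not part of the original question or answer: request validation stays off as in the question, a RequiredFieldValidator enforces the business rule, and the handler checks Page.IsValid and HTML-encodes the echoed value. The control ids reqString and litEcho and the error message text are assumptions made for illustration.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Added example. ValidateRequest is off, as in the question, so the page
     itself must enforce its rule and handle the output safely. --%>
<html>
<script runat="server">
    void btnSubmit_Click(Object sender, EventArgs e)
    {
        // Validator controls only record their result. This handler still
        // runs when validation fails, so check Page.IsValid explicitly.
        if (!Page.IsValid)
        {
            return;
        }

        // RequiredFieldValidator only checks that the field is not empty;
        // it does not inspect the value for markup. HTML-encode on output
        // so a submitted <script> tag is rendered as text, not executed.
        litEcho.Text = Server.HtmlEncode(txtString.Text);
    }
</script>
<body>
    <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server" />
        <%-- reqString and litEcho are hypothetical ids for this example --%>
        <asp:RequiredFieldValidator id="reqString" runat="server"
            ControlToValidate="txtString"
            ErrorMessage="A value is required." />
        <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click"
            Text="Submit" />
        <asp:Literal id="litEcho" runat="server" />
    </form>
</body>
</html>
```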