
How can I protect my asp.net Handler page

I'm using this practice to add comments using AJAX, by sending the data to an ASP.NET Handler which collects the information and then inserts the comment, but I am afraid that anyone could use it. Am I wrong!?

    //AddComment.ashx
    using System.Web;
    public class AddComment : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            CommentsDB db = new CommentsDB();
            // Every field, including the commenter's name and the thread id, is taken straight from the request
            db.InsertComment(new Comment(context.Request["name"], context.Request["comment"], "no", int.Parse(context.Request["id"])));

            context.Response.ContentType = "text/plain";
            context.Response.Write("succeed");
        }
        public bool IsReusable { get { return false; } }
    }

    //Comments.js
    function AddComment()
    {
        // Declared as locals; the original assigned implicit globals
        var n = document.getElementById('txtName').value;
        var c = document.getElementById('txtComment').value;
        var i = document.getElementById('ctl00_ContentPlaceHolder1_thread').value;
        var m = document.getElementById('ctl00_ContentPlaceHolder1_Label1');
        if(n == "" || c == "" || n.length > 100 || c.length > 400)
        {
            m.innerHTML = "<center><font color=black size=3><b><font color=red>*</font> An error has occurred</b></font></center><br>";
            return;
        }
        m.innerHTML = "";
        document.getElementById('btn').disabled = true;
        // jQuery POST to the handler; this client-side check is the only validation
        $.post("./Handlers/AddComment.ashx", {'name':n, 'comment':c, 'id':i}, function(Response){
            m.innerHTML = "<center><font color=black size=3><b>accepted</b> <img src=./Images/success-icon.png></font></center><br>";
        });
    }

Your assumption is correct, that your users can potentially make their own HTTP requests to your handler, and provide bogus data. They could also manipulate your page markup in their browsers (with any developer toolbar) and do the same.

So, you're going to want to do some validation on your server side if you're worried about this. If your application requires authentication, just look up the current user's name in the handler's ProcessRequest method, rather than posting it.

I think that's what your question is getting at. Also, clean up your markup: center and font tags are deprecated.

If you require the commenters to be logged in, then check for the actual user (stored on the web server, in session for example).

Or if you allow non-authenticated comments, then consider using some captcha to protect against automated requests.
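Both answers point at the same server-side fixes: take the commenter's identity from the server, re-apply the validation the JavaScript does, and put a brake on automated posting. The handler below is an added example, not the asker's code or either answerer's. It assumes Forms or Windows authentication is configured so that `context.User` is populated, reuses the asker's `CommentsDB` and `Comment` types as they appear in the question, and stands in a hypothetical per-session rate limit for the CAPTCHA the second answer suggests.

```csharp
// HardenedAddComment.ashx (added example; assumes the asker's CommentsDB/Comment types exist)
using System;
using System.Web;
using System.Web.SessionState;

// IRequiresSessionState gives the handler access to context.Session
public class HardenedAddComment : IHttpHandler, IRequiresSessionState
{
    private const int MaxCommentLength = 400;

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";

        // Only accept POST so a crafted link (GET) cannot create data.
        if (!string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 405;
            context.Response.Write("method not allowed");
            return;
        }

        // Take the commenter's identity from the server-side authentication
        // context, never from a posted "name" field.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.Write("login required");
            return;
        }
        string name = context.User.Identity.Name;

        // Re-apply the client-side length rules on the server; the JS check
        // is bypassed by anyone who posts to the handler directly.
        string comment = context.Request.Form["comment"];
        if (string.IsNullOrWhiteSpace(comment) || comment.Length > MaxCommentLength)
        {
            context.Response.StatusCode = 400;
            context.Response.Write("invalid comment");
            return;
        }

        // int.Parse on client-controlled input throws; TryParse fails closed.
        int threadId;
        if (!int.TryParse(context.Request.Form["id"], out threadId) || threadId <= 0)
        {
            context.Response.StatusCode = 400;
            context.Response.Write("invalid thread id");
            return;
        }

        // Hypothetical per-session rate limit: at most one comment every
        // 10 seconds. A CAPTCHA check would go here for anonymous posting.
        DateTime? last = context.Session["LastCommentUtc"] as DateTime?;
        if (last.HasValue && (DateTime.UtcNow - last.Value) < TimeSpan.FromSeconds(10))
        {
            context.Response.StatusCode = 429;
            context.Response.Write("too fast");
            return;
        }
        context.Session["LastCommentUtc"] = DateTime.UtcNow;

        // Same insert as the original handler, now with server-derived name and validated id
        CommentsDB db = new CommentsDB();
        db.InsertComment(new Comment(name, comment, "no", threadId));
        context.Response.Write("succeed");
    }

    public bool IsReusable { get { return false; } }
}
```

The status codes let the existing `$.post` callback distinguish a rejected request from a stored comment; the JavaScript length check stays as a convenience for the user, but it no longer decides what reaches the database.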
