I'm noticing this error more and more in my error logs. I've read through the questions here talking about this error, but they don't address what I would like to do (see below).

I'm considering three options, in the order of preference:

1) When submitting a form (I use formviews almost exclusively, if that helps), if potentially dangerous characters are detected, automatically strip them out and submit.

2) When submitting a form, if potentially dangerous characters are detected, alert the user and let them fix it before trying again.

3) After the exception is generated, deal with it and alert the user.

I'm hoping one of the first two options might be able to be done somewhat globally...I know for the 3rd I'd have to alter a TON of Try-Catch blocks I already have in place. Doable, but labor intensive. I'd rather be proactive about it if at all possible and avoid the exception altogether.

Perhaps one approach to #1 would be to write a block of code that could loop through all text entry fields in a formview, during the insert/update event, and strip the characters out. I'm ok with that, but I'd rather not have to heavily alter all my Insert/Update events to accomplish this. Or maybe I just create a different class to do the text checking/deleting, and only insert 1 line of code in each Insert/Update event. If anyone can come up with some example code of any of these approaches that would be a help.

Thanks for any ideas or information. I'm definitely open to other solutions too; these are only the 3 that came to mind. I can say that I don't want to turn request validation off though.

+1  A: 

A simpler solution which works great for many cases might be: only allow alphanumeric characters in your textboxes. Granted, this won't work for any large blobs of text you expect to get, but for simpler things it works like a charm.

Checking for non-alphanumeric characters existing in fields on form submission and throwing an alert dialog with some javascript is then pretty straightforward.

And of course, run the same checks on the server before you actually do anything with the submitted values.

Tom Tresansky
"Checking for non-alphanumeric characters existing in fields on form submission and throwing an alert dialog with some javascript is then pretty straightforward." The only problem is how do I implement it? Do you have any code examples of how to check all the text entry fields through javascript? I can't custom code it for each text entry area on each form (with field names for each field etc). That would take forever...and I wouldn't want to have to alter that much code to accomplish this one task.
Albert
Typically, you'd add a css class to each field you wanted this behaviour to apply to, then have your javascript get all the elements with the class and apply the same logic to them. Are you using any sort of client-side libraries? Doing this with jQuery is pretty simple: use $('.CLASS') to get a collection of all the elements, loop through them, call .val() to get the current field values, and check them with something like: http://www.coderanch.com/t/119775/HTML-JavaScript/alphanumeric-validation.
Tom Tresansky
+1  A: 

I would prefer #2 or #3. In #1 you are altering what the user entered without their knowledge.

You can go ahead and hook into the Submit event of the form, iterate through the editable fields and do a sanity check.

For option #3, you can override the OnError method of the Page class and provide a custom error message indicating the problem. (Also, you can use ELMAH or the Application_Error event to handle these errors.)

I would suggest you do both client as well as Server side approach when doing validations.

Ramesh
"You can go ahead and hook to Submit event of the form, and iterate through the editable fields and do a sanity check." Do you have/can you find any code examples of this? I'll look into #3.
Albert
http://www.eggheadcafe.com/articles/20041016.asp Section: "Preventing Form Submissions that programmatically call __doPostBack". To loop across all fields, you can use document.getElementsByTagName.
Ramesh
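Both answers above describe the same client-side approach without showing it: walk every text-entry field in the form (either by a shared CSS class, as Tom Tresansky suggests, or via document.getElementsByTagName, as Ramesh suggests), test each value on submit, and alert the user before the postback. The block below is an added example written for this thread; it is not code from either answerer. The pattern it tests for is an assumption that approximates what ASP.NET request validation rejects (a "<" followed by a letter, "!", "/" or "?", or the numeric-entity prefix "&#"); the form id in the usage comment is also assumed. As Tom's answer says, this only improves the user experience: the server must repeat the check, because a client-side script can be bypassed.

```javascript
// Added example (not from the original thread): pre-submit check that reports
// every text field whose value would trip ASP.NET request validation, so the
// user can correct it before the postback (the asker's option #2).

// ASSUMPTION: approximation of the request-validation trigger, not the exact
// rule used by any particular ASP.NET version.
var DANGEROUS_PATTERN = /<[a-zA-Z!\/?]|&#/;

// Input types whose values are free text and therefore worth checking.
var TEXT_INPUT_TYPES = { text: 1, search: 1, url: 1, email: 1, tel: 1, password: 1, '': 1 };

// True when a single value looks like something request validation rejects.
function looksDangerous(value) {
  return DANGEROUS_PATTERN.test(String(value == null ? '' : value));
}

// Given any list of field-like objects ({ name, value }), return the names of
// the ones with dangerous values. Pure, so it runs without a DOM.
function findDangerousFields(fields) {
  var bad = [];
  for (var i = 0; i < fields.length; i++) {
    if (looksDangerous(fields[i].value)) {
      bad.push(fields[i].name || fields[i].id || ('field#' + i));
    }
  }
  return bad;
}

// Collect every <input> of a text-like type and every <textarea> in the form
// via getElementsByTagName, so no field has to be named individually. When
// cssClass is given, only elements carrying that class are returned.
function collectTextFields(form, cssClass) {
  var result = [];
  var tags = ['input', 'textarea'];
  for (var t = 0; t < tags.length; t++) {
    var nodes = form.getElementsByTagName(tags[t]);
    for (var i = 0; i < nodes.length; i++) {
      var el = nodes[i];
      var type = (el.type || '').toLowerCase();
      if (tags[t] === 'input' && !TEXT_INPUT_TYPES[type]) continue;
      if (cssClass && (' ' + (el.className || '') + ' ').indexOf(' ' + cssClass + ' ') < 0) continue;
      result.push(el);
    }
  }
  return result;
}

// Hook the check into the form's submit event. Returns the handler so it can
// also be called directly, e.g. from onsubmit="return handler(event)".
// options.notify replaces window.alert (useful for testing); options.cssClass
// restricts the check to fields carrying that class.
function attachSubmitCheck(form, options) {
  options = options || {};
  var notify = options.notify || function (msg) {
    if (typeof alert === 'function') alert(msg);
  };
  var handler = function (event) {
    var bad = findDangerousFields(collectTextFields(form, options.cssClass));
    if (bad.length === 0) return true; // let the postback proceed
    notify('These fields contain characters that are not allowed ' +
           '(for example "<" followed by a letter, or "&#"):\n' + bad.join(', '));
    if (event && typeof event.preventDefault === 'function') event.preventDefault();
    return false; // also blocks submission for onsubmit="return ..." wiring
  };
  if (typeof form.addEventListener === 'function') {
    form.addEventListener('submit', handler);
  } else if (form.attachEvent) {
    form.attachEvent('onsubmit', handler); // older IE
  }
  return handler;
}

// Browser usage (assumed form id "form1"; not executed outside a browser):
// attachSubmitCheck(document.getElementById('form1'), { cssClass: 'checked' });
```

A value such as "5 < 6" passes, because the "<" is followed by a space, while "<b>" or "&#60;" is reported; if you later tighten or loosen the pattern, keep the server-side rule in sync so the two never disagree.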