ansaurus

Question

Protect value from changies using reflection?

Answer 1

A:

Use ReadOnly value, if you want a constant value. or just use const.

Use Enum, in case that you have a few 'safe values' that you want to customer (programmer) to choose one of them.

Edit: Apparently, enum not safe enough. you can use readonly field with the following format:

public class SafeValue
{
    private string _value;

    public static readonly SafeValue Value1 = new SafeValue("value1");
    public static readonly SafeValue Value2 = new SafeValue("value2");

    private SafeValue(string value)
    {
        _value = value;
    }

    public override string ToString()
    {
        return _value;
    }
}

Mendy 2010-04-25 06:38:04

readonly would work, assuming the value never needs to change once set in the constructor, but how does Enum help? Someone can still change the value through reflection.

Mike Two 2010-04-25 06:40:37

@Mike: I edited my answer to explain it.

Mendy 2010-04-25 06:44:31

@Mendy - enums are not validated; I can change your enum value to -142526 and the system won't care.

Marc Gravell 2010-04-25 08:12:23

@Marc interesting. care to say how?

Mendy 2010-04-25 08:22:58

@Mendy - you can cast any int value. The compiler doesn't check. so 'SomeEnum value = -142526;' Won't compile but `SomeEnum value = (SomeEnum) -142526;` will. Even if -142526 isn't a valid value in `SomeEnum`.

Mike Two 2010-04-25 08:58:46

See @KMan's point about readonly...

Marc Gravell 2010-04-25 09:30:13

@Marc now I'm totally confused. the `readonly` directive compiled into MSIL, but not honored?

Mendy 2010-04-25 09:49:38

readonly can't force the field to never change via Reflection (or direct memory tweaking), but it could create all sorts of interesting side effects due to compiler optimizations assuming the field never changes.

Dan Bryant 2010-04-25 10:17:30

@Mendy - yup; this is required for remoting and some (not all) forms of serialization

Marc Gravell 2010-04-25 17:23:58

Answer 2

+2 A:

You can even change the private readonly field using reflection. So, your best bet may the const.

KMan 2010-04-25 06:59:39

Answer 3

+6 A:

Please understand that I mean this with all respect:

You are wasting your time. Seriously.

Reflection is not to be considered when specifying an API or contract.

Believe this. It is not possible to stop reflection. If a consumer is bent on peeking into your code and flipping bits that have been hidden for a reason, well, the consequences are on them, not you.

Sky Sanders 2010-04-25 07:10:14

Answer 4

+6 A:

You are trying to protect your system from something that is stronger than your code. If you don't trust certain code, run it with partial trust - then when it asks to reflect your type it will be denied.

Reflection (and related techniques like DynamicMethod) can with enough trust get virtually unrestricted access to your data (even, for example, changing the characters of a string without ever re-assigning it); thus you must reduce trust for non-trusted code.

In a similar way, anyone with debugger or admin access to your process (or the dlls it loads) can subvert your code. This is not an interesting attack, as the "hacker" must already have at least as much access than your code (probably more).

Marc Gravell 2010-04-25 08:17:41

The attack is interesting in the case of an anti-theft or anti-tampering package. You can't really protect against somebody crashing your app if they have full control over your app, but you can make it much more difficult to modify certain key state that enforces your protection scheme. I don't think this is what the OP is doing, however.

Dan Bryant 2010-04-25 10:26:07

ansaurus

tags:

views:

answers:

Protect value from changies using reflection?

related questions