views: 150
answers: 3
Assume I have a form with some disabled checkboxes because the user, as logged in, shouldn't be able to check them. Where should I add some sanitization security to make sure they didn't hack the checkbox and cause a postback?

In the page? Database layer? In the database?

I realize it's most likely a pretty broad question.

thanks, Mark

A: 

The ASP.NET event validation mechanism takes care of that. It's been there since 2.0, I think.

Mehrdad Afshari
+3  A: 

If you really need to make it secure, implement checks across all layers. At a minimum, start with the database and data access layer.

Gulzar
Read my mind! :P
Cerebrus
+1  A: 

I prefer to make things the user can't interact with completely invisible when possible. You can't hack what you can't see (and I don't mean hidden on the page, I mean the server doesn't generate the code for the things that users who aren't logged in can't see).

That said, assuming you need to leave controls visible but disabled, I would add code in both the front-end and the back-end to do checks. The front-end validation code is susceptible to hacking, but it is nice to have quick validation feedback available for users that are using the system. However, the back-end should be your real fail-safe place to make sure everything is as expected and do final checks before committing changes.

Unfortunately that sometimes means you need to duplicate the effort, but for really important stuff, it is worth it.

EJB
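The three answers above describe the same layered approach: hide or disable the control in the page, then re-check on the server and again in the data-access layer before anything is committed. The following ASP.NET Web Forms page is an added example that is not code from the question or any of the answers. The control IDs (`chkAdmin`, `txtDisplayName`, `btnSave`), the `Administrator` role name, the `DataAccess` class and its in-memory stand-in for the database are all hypothetical.

```csharp
// Added example (not from the question or any answer): a profile-edit page whose
// "admin" checkbox only administrators may change. The posted checkbox value is
// honoured only if the server-side principal is allowed to change it; the data
// layer repeats the check so a bug in the page can't silently elevate a user.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ProfilePage : Page
{
    // Authorization is derived from the server-side principal, never from the
    // request. Role name "Administrator" is an assumption of this example.
    public static bool CanEditAdminFlag(IPrincipal caller)
    {
        return caller != null
            && caller.Identity.IsAuthenticated
            && caller.IsInRole("Administrator");
    }

    // The back-end rule, kept as a pure function so it can be unit-tested:
    // a posted value is used only when the caller may change it; otherwise the
    // stored value wins, whatever the (possibly hand-built) request contained.
    public static bool ResolveAdminFlag(bool callerMayEdit, bool postedValue, bool storedValue)
    {
        return callerMayEdit ? postedValue : storedValue;
    }

    // Target profile comes from the query string (hypothetical "user" parameter).
    private string TargetUser
    {
        get { return Request.QueryString["user"] ?? User.Identity.Name; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        bool mayEdit = CanEditAdminFlag(User);

        // Option 1 (EJB's preference): don't render the control at all for users
        // who may not use it. Uncomment to use this instead of option 2.
        // chkAdmin.Visible = mayEdit;

        // Option 2: render it disabled so the user still sees the current state.
        // A browser won't submit a disabled checkbox, but a crafted request can,
        // so btnSave_Click re-derives the value on the server regardless.
        chkAdmin.Enabled = mayEdit;
        chkAdmin.Checked = DataAccess.LoadAdminFlag(TargetUser);
        txtDisplayName.Text = DataAccess.LoadDisplayName(TargetUser);
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        bool stored = DataAccess.LoadAdminFlag(TargetUser);
        bool adminFlag = ResolveAdminFlag(CanEditAdminFlag(User), chkAdmin.Checked, stored);

        // Gulzar's "all layers": the data-access layer checks again.
        DataAccess.SaveProfile(User, TargetUser, txtDisplayName.Text, adminFlag);
    }
}

// Hypothetical data-access layer with a constructed in-memory "database".
public static class DataAccess
{
    private static readonly Dictionary<string, bool> AdminFlags =
        new Dictionary<string, bool> { { "alice", true }, { "bob", false } };
    private static readonly Dictionary<string, string> DisplayNames =
        new Dictionary<string, string> { { "alice", "Alice" }, { "bob", "Bob" } };

    public static bool LoadAdminFlag(string user)
    {
        bool flag;
        return AdminFlags.TryGetValue(user, out flag) && flag;
    }

    public static string LoadDisplayName(string user)
    {
        string name;
        return DisplayNames.TryGetValue(user, out name) ? name : string.Empty;
    }

    // Refuses to change the admin flag unless the caller is allowed to, even if
    // the page layer has already (or mistakenly not) applied the same rule.
    public static void SaveProfile(IPrincipal caller, string user, string displayName, bool adminFlag)
    {
        bool current = LoadAdminFlag(user);
        if (adminFlag != current && !ProfilePage.CanEditAdminFlag(caller))
            throw new SecurityException("Caller may not change the admin flag for " + user);

        DisplayNames[user] = displayName;
        AdminFlags[user] = adminFlag;
    }
}
```

`ResolveAdminFlag` is the part worth unit-testing: with `callerMayEdit == false` it must return the stored value for both posted `true` and posted `false`, which is exactly the case a tampered postback on a disabled checkbox would exercise.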