This is a migrated thread and some comments may be shown as answers.

Server side validation to prevent sql injection and other attacks

Clive Hoggar
Clive Hoggar asked on 24 Jan 2010, 12:35 PM
Hi

I have had trouble on an older site with cross-site scripting attacks and I want to be extra sure that I have the proper level of validation in place for upgrading the site.

My question is:

If I have a RadGrid with template columns and the editForm in window mode, and use the standard asp.net validators (with regular expression validation for best security), what happens if the attacker has javascript turned off (the usual case)?

I.e. does the server-side equivalent validation take place anyway, and prevent the postback?

And if not, how do I add the server-side validation? I.e. how do I get access to the edit or insert data before it is irrevocably saved to the database.

Additionally I would want to check for the insertion of words like script, select, insert, update, delete, files with .js extension etc.

Thanks!

Clive

2 Answers, 1 is accepted

Clive Hoggar
answered on 24 Jan 2010, 06:42 PM
Suggestion to Telerik:

By the way, a valuable item for developers would be some RadValidators with additional functionality over the standard asp.net validators, with more built-in regular expressions, length limits, and that will work server-side even if javascript is turned off.

According to some analysts, there is going to be a big increase in the level of sql injection and cross site scripting attacks
during 2010.

Clive
Tsvetoslav
Telerik team
answered on 28 Jan 2010, 08:26 AM
Hi Clive,

The sequence of events that take place on the client and on the server related to the MS validator controls is not dependent on our RadControls but is purely a feature of the ASP.NET Framework. Those validator controls have been implemented in such a way as to always perform server-side validation no matter if client scripts have been disabled or not. 

As for getting the new values entered into the Edit/Insert form of the grid, you need to attach an event handler to the Update/Insert command of the grid, cast the incoming e.Item object to GridEditFormItem/GridEditFormInsertItem and use the latter's ExtractValues method passing to it an empty hash table. The hash table will be populated with key-value entries corresponding to the new values entered for the fields of the edit/insert form.

Thanks for the new controls suggestion - in the future, if the need for such controls gets expressed by a considerable number of developers we shall give it due consideration.

I hope this information helps.

Best wishes,
Tsvetoslav
the Telerik team
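The procedure from the answer above (handle the Update command, cast e.Item, fill an empty Hashtable with ExtractValues) as an added example; this is not code from the thread or from Telerik. It assumes a hypothetical grid column "ProductName", DataKeyNames="ProductID", a connection string named "Products", and it pairs the server-side checks with a parameterised SQL command rather than keyword blocklists.

```csharp
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.UI;
using Telerik.Web.UI;

public partial class ProductsPage : Page
{
    // Allowlist for the hypothetical ProductName field: letters, digits, spaces and a little
    // punctuation, 1-100 characters. Enforced on the server regardless of client script.
    private static readonly Regex NameRule = new Regex(@"^[\p{L}\p{N} .,'-]{1,100}$");

    protected void RadGrid1_UpdateCommand(object sender, GridCommandEventArgs e)
    {
        // Run the standard ASP.NET validators on the server first; a failure cancels the update
        // and leaves the edit form open, so nothing reaches the database.
        Page.Validate();
        if (!Page.IsValid) { e.Canceled = true; return; }
        // The step from the answer: cast e.Item and fill an empty Hashtable with the edited values.
        var editItem = (GridEditFormItem)e.Item;
        var values = new Hashtable();
        editItem.ExtractValues(values);

        string name = values["ProductName"] as string ?? string.Empty;
        if (!NameRule.IsMatch(name)) { e.Canceled = true; return; }

        // Assumes DataKeyNames="ProductID" on the grid's MasterTableView.
        int id = Convert.ToInt32(editItem.GetDataKeyValue("ProductID"));
        SaveProduct(id, name);
    }

    private static void SaveProduct(int id, string name)
    {
        // Parameterised command: the value travels as data and is never spliced into the SQL
        // text, so blocklisting words such as "select" or "script" is not what stops injection.
        string cs = ConfigurationManager.ConnectionStrings["Products"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("UPDATE Products SET ProductName = @name WHERE ProductID = @id", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The same pattern applies to the InsertCommand handler with a GridEditFormInsertItem cast; the regex and length check are the server-side counterpart of the RegularExpressionValidator that a client with scripting disabled never runs.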
