Validating form data in generic method
Tue, 1 Apr 2008 12:09:36 +0000
Hi all
I have a BasePage which all my pages inherit, and I want to have some security
checking on the Overridden PreInit Event, like this:

    protected override void OnPreInit(EventArgs e)
    {
        ValidateUrl();
        ValidateFormValues();
        CheckUserLoggedIn(); //etc etc
    }

My method for checking the url for malicious characters works great - and now
I want to do a similar thing for all posted data. Here's how I imagine it...

    private void ValidateFormValues()
    {
        if (IsPostBack)
        {
            //should probably test on accepted values instead, but you get the idea
            Regex regMalacious = new Regex(@"^[^<>`~!@#}%:;)(_^{&*=|']+$");
            int errors = 0;
            System.Collections.Specialized.NameValueCollection formVals = Request.Form;
            string[] keys = formVals.AllKeys;
            for (int i = 0; i < keys.Length; i++)
            {
                string name = keys[i].ToString();
                string value = formVals[name].ToString();
                if (!regMalacious.IsMatch(value))
                {
                    errors++;
                }
            }
            if (errors > 0)
            {
                //Log error & kick user off
            }
        }
    }

This seems to just about work, the only problem is that .Net has a lot of post
data such as __VIEWSTATE etc which contain all sorts of characters.
My questions are:
1. Is this a viable solution, or is there an 'industry standard' way of doing
this that I've missed?
2. If this is a suitable technique, what is the best way of eliminating the
built-in .net postback stuff? (I would need to distinguish them from my form
field data)
Thanks in advance

Re: Validating form data in generic method
Thu, 3 Apr 2008 05:30:05 +0000
Hi
I think setting the ValidateRequest property of the Page to true (which is the
default) must take care of all ...

    <%@ Page Language="C#" ValidateRequest="true" %>
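
One way to do what the first post asks, written as an added example that is not code from either poster: validate posted values against an allow-list and skip ASP.NET's own hidden fields by their "__" name prefix. The class and method names, the allowed character set, the sample field names and values, and the rule that no application field starts with "__" are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Text.RegularExpressions;

static class FormValidator
{
    // Allow-list (assumed policy): letters, digits, space and a little punctuation.
    // "*" lets empty optional fields pass; "\z" anchors at the true end of input.
    static readonly Regex Allowed = new Regex(@"^[A-Za-z0-9 .,@\-]*\z");

    // ASP.NET's own hidden fields (__VIEWSTATE, __EVENTTARGET, __EVENTARGUMENT,
    // __EVENTVALIDATION) start with "__". Assumption: no application field does.
    static bool IsFrameworkField(string name)
    {
        return name != null && name.StartsWith("__", StringComparison.Ordinal);
    }

    // Returns the names of application fields with a value outside the allow-list.
    public static List<string> FindInvalidFields(NameValueCollection form)
    {
        var bad = new List<string>();
        foreach (string name in form.AllKeys)
        {
            if (IsFrameworkField(name)) continue;
            // GetValues returns every value posted under this name, or null if none.
            foreach (string value in form.GetValues(name) ?? new string[0])
            {
                if (!Allowed.IsMatch(value)) { bad.Add(name ?? "(null)"); break; }
            }
        }
        return bad;
    }

    static void Main()
    {
        // Constructed sample post data standing in for Request.Form.
        var form = new NameValueCollection();
        form.Add("__VIEWSTATE", "/wEPDwUKLTk2Njk3OTQxNg9kFgICAw==");
        form.Add("__EVENTVALIDATION", "/wEWAgKc1+7nBQ==");
        form.Add("txtName", "Jane Doe");
        form.Add("txtEmail", "jane@example.com");
        form.Add("txtComment", "<script>alert(1)</script>");
        form.Add("txtOptional", "");

        List<string> rejected = FindInvalidFields(form);
        Console.WriteLine("Rejected: " + string.Join(", ", rejected.ToArray()));
    }
}
```

In a page base class the same method would be called with Request.Form; the result identifies which fields to log before rejecting the request.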