<< Back To All Blogs
ASP.NET Best Practices
Tuesday, October 7th, 2008
I have been reminded of some of my bad programming practices over the past few weeks as I have been working on ImapBack so I figured while I am in the process I would share the things that I think are very important for all developers to remember while posting information to ASP.NET websites.
This is definitely the most important of all. You MUST parameterize ALL statements that will be executed on your SQL Server (or any other database server). Parameterizing a statement treats all passed input as literals, and therefore will not allow for SQL injection on your server. An example of using a parameterized statement would be as follows for SQL Server in C#:
SqlParameter toAdd = new SqlParameter();
toAdd.ParameterName = "MyVar";
toAdd.Value = "MyMaliciousInput";
The query could be something such as "INSERT INTO [MyTable] (MyCol) VALUES (@MyVar)"
HtmlEncode and HtmlDecode
This is just another safeguard to further protect your website from malicious input. You can easily use Server.HtmlEncode and Server.HtmlDecode to turn all abnormal characters into a safely-postable html-encoded string.
Do not disable Request Validation
Request validation is a very useful security safeguard provided by ASP.NET. It works by checking all input variables to the server for potentially malicious markup, and halts execution if any is detected. There are times that it is necessary to disable Request Validation, but do so sparingly, and make SURE that you know what you are doing when you do so.
Limit the Scope of Input
Many programmers use Request.Params while receiving input from a user, and this can be dangerous, and can also allow a user to falsify data that needs to be posted, as opposed to read from the query string. Depending on the scope, design, and reasons behind using different input methods, you should either use Request.QueryString or Request.Form to respectively pull from GET variables, or POST variables.
Hopefully that will help some of you get started on ASP.NET best practices. There are obviously MANY more aspects to consider, but these are the immediate gotchas that many often run into while developing in ASP.NET.
Feel free to provide your own suggestions in the comments!
ASP.NET Tom Out.
Awesome .NET 4: Named and Optional Parameters for Classes and Methods
Enumerating a user secure certificate store in C#
Calling .NET WebService From PHP
Currently no comments.
Add A Comment
Email Address: (not public, used to send notifications on further comments)
Enter the text above, except for the 1st and last character: