NerdyHearn
Home
Blog

Contact
Mailing List

Software

Active Directory Products
Object Compare
Permission Compare

IPhone Products
Calls To Calendar
SMS To CSV
SMS To Gmail
Voicemail To Gmail

Sites
How Long For Me
SaveMySerials

Blog
Twitter

NerdyHearn - Blog


<< Back To All Blogs

ASP.NET Best Practices

Tuesday, October 7th, 2008

I have been reminded of some of my bad programming practices over the past few weeks as I have been working on ImapBack so I figured while I am in the process I would share the things that I think are very important for all developers to remember while posting information to ASP.NET websites.

Parameterized Statements
This is definitely the most important of all. You MUST parameterize ALL statements that will be executed on your SQL Server (or any other database server). Parameterizing a statement treats all passed input as literals, and therefore will not allow for SQL injection on your server. An example of using a parameterized statement would be as follows for SQL Server in C#:

SqlParameter toAdd = new SqlParameter();
toAdd.ParameterName = "MyVar";
toAdd.Value = "MyMaliciousInput";
Command.Parameters.Add(toAdd);

The query could be something such as "INSERT INTO [MyTable] (MyCol) VALUES (@MyVar)"

HtmlEncode and HtmlDecode
This is just another safeguard to further protect your website from malicious input. You can easily use Server.HtmlEncode and Server.HtmlDecode to turn all abnormal characters into a safely-postable html-encoded string.

Do not disable Request Validation
Request validation is a very useful security safeguard provided by ASP.NET. It works by checking all input variables to the server for potentially malicious markup, and halts execution if any is detected. There are times that it is necessary to disable Request Validation, but do so sparingly, and make SURE that you know what you are doing when you do so.

Limit the Scope of Input
Many programmers use Request.Params while receiving input from a user, and this can be dangerous, and can also allow a user to falsify data that needs to be posted, as opposed to read from the query string. Depending on the scope, design, and reasons behind using different input methods, you should either use Request.QueryString or Request.Form to respectively pull from GET variables, or POST variables.

Hopefully that will help some of you get started on ASP.NET best practices. There are obviously MANY more aspects to consider, but these are the immediate gotchas that many often run into while developing in ASP.NET.

Feel free to provide your own suggestions in the comments!

ASP.NET Tom Out.

Tags

CSharp Web_Development

Related Blogs

Autostarting a Windows Service directly after install in C#
Enumerating the values of an enum in C#
Impersonating a user in ASP.NET
Awesome .NET 4: Named and Optional Parameters for Classes and Methods
Writing console output from a Windows form in C#

Comments

Currently no comments.

Add A Comment

Name:


URL:


Email Address: (not public, used to send notifications on further comments)


Comments:



Enter the text above, except for the 1st and last character:


NerdyHearn - Latest tech news relating to C#, ASP.NET, SharePoint, PHP, general development, and more. SaveMySerials - Protect yourself from theft, fire, natural disasters and more by recording your serial numbers