This post continues the series on web development principles (part 2). The previous post covered some basic principles; this one builds on it in more depth.
- Client-side validation cannot replace server-side validation
(1) For <asp:Button>, OnClick is a server-side event, while OnClientClick becomes the onclick event of the button that is finally rendered in the client browser.
(2) Example rule: the withdrawal amount cannot exceed 100 yuan.
1) Client side:
    <form id="form1" runat="server" onsubmit="if (parseInt(document.getElementById('TextBox1').value, 10) > 100) { alert('You can withdraw at most 100 yuan'); return false; }">
2) Server side:
    Label1.Text = "The withdrawal is successful, and the amount is: " + TextBox1.Text;
(3) If JavaScript is disabled (Internet Options -> Security -> Custom Level -> Scripting -> Active scripting -> Disable), the client-side JavaScript check never runs and more than 100 RMB can be withdrawn.
(4) Therefore the data must also be validated on the server.
(5) The client-side check exists for a good user experience; the server-side check is the last line of defense against malicious requests. ASP.NET validation controls, discussed later, are ASP.NET's built-in data validation technology and validate on both the client and the server.
Note: to build this page, drag a TextBox control, a Button control and a Label control onto the page. The Button control's markup is:
    <asp:Button ID="Button1" runat="server" Text="Button" OnClientClick="var value = document.getElementById('TextBox1').value; if (parseInt(value, 10) > 100) { alert('Amount cannot exceed 100'); return false; }" OnClick="Button1_Click" />
Write the following code in the Button control's click event handler:
    protected void Button1_Click(object sender, EventArgs e)
    {
        if (Convert.ToInt32(TextBox1.Text) > 100)
        {
            Label1.Text = "Withdrawal of more than 100 RMB is not allowed";
        }
        else
        {
            Label1.Text = "Withdrawal successful, amount is " + TextBox1.Text;
        }
    }
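The same rule enforced on the server without assuming the browser did anything, as an added example (not the post's own code). It assumes the post's TextBox1, Label1 and Button1 controls and a page class named Withdraw; unlike Convert.ToInt32 in the post's handler, it does not throw on non-numeric input.

```csharp
// Added example, not the original post's code: the server re-validates the
// amount on every request, because the OnClientClick check can be skipped
// (JavaScript disabled, or a request built by hand).
using System;
using System.Globalization;
using System.Web.UI;

public partial class Withdraw : Page   // page class name is an assumption
{
    const decimal MaxWithdrawal = 100m;

    // Validation kept separate from the page so it can be unit tested.
    public static bool TryValidateAmount(string input, out decimal amount, out string error)
    {
        error = null;
        // Convert.ToInt32 throws on "abc" or "12.5"; TryParse fails cleanly instead.
        if (!decimal.TryParse(input, NumberStyles.Number, CultureInfo.InvariantCulture, out amount))
        {
            error = "Amount must be a number";
            return false;
        }
        if (amount <= 0)
        {
            error = "Amount must be positive";
            return false;
        }
        if (amount > MaxWithdrawal)
        {
            error = "Withdrawal may not exceed 100 yuan";
            return false;
        }
        return true;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        decimal amount;
        string error;
        if (!TryValidateAmount(TextBox1.Text, out amount, out error))
        {
            Label1.Text = error;
            return;
        }
        // Echo the parsed value, not the raw TextBox1.Text, so nothing
        // user-controlled is written back into the page.
        Label1.Text = "Withdrawal successful, amount: " + amount.ToString(CultureInfo.InvariantCulture);
    }
}
```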
- Do not put sensitive data or algorithms in browser-side code
(1) A simple example:
    <script src="../script/jquery-1.4.1.min.js" type="text/javascript"></script>
    <script type="text/javascript">
        $("#btnLogin").click(function () {
            if ($("#username").val() == "admin" && $("#password").val() == "citsoft") {
                alert("Logon successful");
            }
            else {
                alert("Logon failed");
            }
        });
    </script>
(2) Viewing the page source reveals the user name and password. In the days when dynamic hosting space was still scarce, many people used this method on their home pages.
- Do not hide confidential information in HTML
(1) If the password entered is incorrect, set Visible = false on the server side. A server control with HyperLink1.Visible = false is not output to the client at all; jQuery's $("#controlId").show() cannot reveal a control whose Visible = false, because the control was never rendered into the HTML.
(2) Permission checking should be done before the confidential page is opened, not on the confidential page itself: if the check passes, redirect to the confidential page; if it fails, do not redirect.
(3) The code is as follows:
Note: create a page Download.aspx and insert the following markup with plain JavaScript:
    <body>
        <form id="form1" runat="server">
        <div>
            <input type="text" id="password" />
            <input type="button" value="OK" onclick="var password = document.getElementById('password').value; if (password == '000000') { document.getElementById('div1').style.display = ''; }" />
            <div id="div1" style="display: none"><a href="http://www.cnblogs.com/hanyinglong.zip">Click to download</a></div>
            <br />
            <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
            <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Button" />
            <br />
            <asp:HyperLink ID="HyperLink1" runat="server"
                NavigateUrl="http://www.cnblogs.com/hanyinglong.zip" Visible="False"></asp:HyperLink>
        </div>
        </form>
    </body>
Write the following code in the Button control's click event handler:
    protected void Button1_Click(object sender, EventArgs e)
    {
        if (TextBox1.Text == "111")
        {
            HyperLink1.Visible = true;
        }
    }
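Hiding or un-hiding the link only controls what the page shows; the file at that URL is still fetchable by anyone who knows it. As an added example that goes one step beyond the post (not the post's own code), the download is served through a handler that does the permission check itself. The handler class, the session key "user" and the App_Data path are assumptions.

```csharp
// Added example, not from the original post: Download.ashx serves the file only
// after a server-side authorization check, so the URL itself reveals nothing.
using System.Web;
using System.Web.SessionState;

// IRequiresSessionState is needed, otherwise context.Session is null in an ashx handler.
public class Download : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The server-side session (populated at login; key name assumed), not a
        // hidden <div> or a Visible=false control, decides whether the file goes out.
        bool loggedIn = context.Session["user"] != null;
        if (!loggedIn)
        {
            context.Response.StatusCode = 403;
            context.Response.Write("Not authorized");
            return;
        }

        // The file lives under App_Data, which ASP.NET never serves directly,
        // so there is no second, unprotected path to it.
        string path = context.Server.MapPath("~/App_Data/hanyinglong.zip");
        context.Response.ContentType = "application/zip";
        context.Response.AppendHeader("Content-Disposition", "attachment; filename=\"hanyinglong.zip\"");
        context.Response.TransmitFile(path);
    }
}
```

The page then links to Download.ashx instead of the zip file's real location.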
- XSS vulnerabilities
(1) Do not trust data submitted by users.
(2) alert() messages are ugly, so an ashx handler, ShowMessage.ashx, is written to display messages in a uniform way:
    context.Response.ContentType = "text/html";
    // msg comes straight from the query string and is written without encoding here
    context.Response.Write("<center><font color='red'>" + context.Request["msg"] + "</font></center>");
    context.Response.Write("<a href='javascript:history.back();'>Return to the previous page</a>");
(3) When the system needs to show a message, redirect the user to ShowMessage.ashx?msg=message, for example:
    Response.Redirect("ShowMessage.ashx?msg=Username cannot be blank");
(4) Create a new folder for posting and add the pages Add.aspx and View.aspx to it.
1) In Add.aspx, drag a TextBox and a Button onto the page, set TextMode="MultiLine" on the TextBox, add ValidateRequest="false" to the page directive, and double-click the Button to write the following code in its click event:
    File.AppendAllText("C:/1.txt", TextBox1.Text + "<br/>");
2) Add the following code to the View.aspx page:
    // Response.Write(File.ReadAllText("C:/1.txt"));
    Response.Write(HttpUtility.HtmlEncode(File.ReadAllText("C:/1.txt")));
Note: post the text <script type="text/javascript">alert('Go to Han Yinglong's cnblogs!');</script> and compare the two lines above.
(5) One option is to inspect the request data and treat any request containing < as malicious and refuse it; ASP.NET adopts this policy by default. The drawback is that users then cannot post HTML code at all. A better strategy is to display user-posted content as-is but pass it through HttpUtility.HtmlEncode, which converts special characters such as < and > into HTML entities: <script> is then not treated as a tag that defines a script but is output as "&lt;script&gt;", which the browser displays as literal text.
(6) Modify the viewing code and change context.Response.Write(line + "<hr/>") to:
    context.Response.Write(HttpUtility.HtmlEncode(line) + "<hr/>");
(7) ASP.NET validates request data by default; if the data contains characters such as < that could be used for an XSS attack, an error is raised. For systems such as a CMS that really do need to accept HTML, turn the check off by adding the ValidateRequest="false" attribute to the @ Page directive at the top of the page.
(8) If content needs to be HtmlEncoded before display, call HttpUtility.HtmlEncode, or display it through a Literal control: set the Literal's Mode property to Encode and HtmlEncode is applied automatically before the content is shown.
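The ShowMessage.ashx handler from item (2) reflects the msg parameter without encoding, which is exactly the situation items (5) and (8) describe. As an added example (not the post's own code), here it is rewritten with the encoding applied; the class name and the Render helper are assumptions.

```csharp
// Added example, not the original post's code: ShowMessage.ashx with the
// untrusted msg parameter HTML-encoded before it is written into the page.
using System.Web;

public class ShowMessage : IHttpHandler   // class name is an assumption
{
    public bool IsReusable { get { return true; } }

    // Builds the response body from an untrusted message. Separated from the
    // handler so it can be tested without an HttpContext.
    public static string Render(string untrustedMsg)
    {
        // HtmlEncode turns & < > " into entities, so "<script>" arrives in the
        // browser as "&lt;script&gt;" and is displayed as text, not executed.
        string safe = HttpUtility.HtmlEncode(untrustedMsg ?? "");
        return "<center><font color='red'>" + safe + "</font></center>"
             + "<a href='javascript:history.back();'>Return to the previous page</a>";
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/html";
        context.Response.Write(Render(context.Request["msg"]));
    }
}

// Caller side: the message is URL-encoded for the query string, which is a
// separate concern from the HTML encoding done inside the handler.
//   Response.Redirect("ShowMessage.ashx?msg=" + HttpUtility.UrlEncode("Username cannot be blank"));
```

The encoding is chosen for the context the value lands in (element content here); a value placed inside an attribute or a script block would need the encoding appropriate to that context.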
Note: that concludes development principles part 2. The next part discusses the handling of special paths and the Request object.