Starting with this article we look at the principles of web development. The saying "without rules, nothing is square or round" applies just as well to programming: we need rules for how we program, and the rules below are lessons that have been refined over many years. If we ignore them, our website will be full of vulnerabilities. Next I will go through some basic principles of web development.
- Some basic principles of Web Development
(1) The principle of least privilege: only allow users to do what they are explicitly permitted to do, rather than "forbid users from doing what is known to be bad". In other words, define what is allowed instead of trying to enumerate what is forbidden.
(2) The browser only shows what the server sends it. An attacker cannot read the .aspx.cs code on the server unless the server itself has a vulnerability: what reaches the browser is the result of executing the .aspx page, not the .aspx.cs source. JavaScript and HTML, on the other hand, are sent to the browser to be executed there, so anyone can view them in the browser.
(3) C# code runs on the server; JavaScript code runs in the browser on the client.
(4) Do not send to the server what can be done in the browser.
(5) The client cannot be trusted.
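To make principle (1) concrete, here is an added example (my own illustration, not code from the original post): a deny-by-default "allow list" authorisation check next to the "deny list" style the principle warns against. The original is ASP.NET; this is a Node.js model of the same idea, and the roles, actions, session shape and the `handleAction` handler are all constructed for the demonstration.

```javascript
// Added example, not code from the original post: deny-by-default
// authorisation (principle 1) combined with "the client is untrusted"
// (principle 5). Roles, actions and request shapes are constructed.

// Allow list: each role names ONLY the actions it may perform.
// An action that nobody thought to list is denied automatically.
const ROLE_ALLOWED = {
  viewer: new Set(['read']),
  editor: new Set(['read', 'update']),
  admin: new Set(['read', 'update', 'delete']),
};

// Deny list: each role names the actions it may NOT perform.
// An action that nobody thought to list slips through.
const ROLE_FORBIDDEN = {
  viewer: new Set(['update', 'delete']),
  editor: new Set(['delete']),
  admin: new Set(),
};

function allowedByAllowList(role, action) {
  const allowed = ROLE_ALLOWED[role];
  // Unknown role or unlisted action: no entry, so the answer is "no".
  return allowed !== undefined && allowed.has(action);
}

function allowedByDenyList(role, action) {
  const forbidden = ROLE_FORBIDDEN[role];
  // Unknown role or unlisted action: nothing forbids it, so the answer is "yes".
  return forbidden === undefined || !forbidden.has(action);
}

// Server-side request handler. The role comes from the server's own session
// record (set at login), never from a field the browser submitted, and the
// decision is made with the allow list.
function handleAction(session, form) {
  if (typeof form.action !== 'string') {
    return { status: 400, body: 'missing action' };
  }
  const role = session && session.role;
  if (!allowedByAllowList(role, form.action)) {
    return { status: 403, body: `role '${role}' may not '${form.action}'` };
  }
  return { status: 200, body: `${form.action} performed` };
}

// Shows the difference on an action nobody has configured yet, such as a
// newly added 'export' feature.
function compareOnNewAction(role, action) {
  return {
    allowList: allowedByAllowList(role, action),
    denyList: allowedByDenyList(role, action),
  };
}

console.log(JSON.stringify(compareOnNewAction('viewer', 'export')));
console.log(JSON.stringify(handleAction({ role: 'viewer' }, { action: 'delete', role: 'admin' })));
```

Note that the `role: 'admin'` field in the second call is simply ignored: the browser can put anything it likes in the form, and the server only believes its own session.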
- Principle 1
(1) C# code runs on the server; JavaScript code runs in the browser on the client.
(2) Write the following in the onclick of a button control to ask for confirmation before the button submits:
1) <input type="submit" name="delete" value="Delete" onclick="return confirm('Are you sure you want to delete it?');" />
2) This code runs in the browser and has nothing to do with the server.
(3) "Showing a message box" from the server:
1) Response.Write("<script type='text/javascript'>alert('Deleted successfully!');</script>");
2) This does not really run on the server; it generates JavaScript and sends it to the browser, which runs alert when it parses the document. This method is not recommended; it is better to use ClientScript.RegisterStartupScript, which we will cover later. Either way the script is only rendered to the browser, so the server-side code does not pause until the dialog box is closed: it has already finished by the time the dialog appears.
3) To the server-side code, the generated HTML is just a string with no meaning of its own; it only means something when it is executed in the browser.
(4) Case 1: Reference System.Windows.Forms in the project, then start the test program with CassiniDev.exe and have someone run the test remotely from another computer; this proves that the C# code runs on the server.
Note: Drag a control onto the web form, import the namespace, double-click the control and write the following code in its event handler:
MessageBox.Show("I am on the server");
The message box pops up on the server machine, not on the visitor's computer.
(5) 127.0.0.1 is the loopback address: it reaches the local machine through the loopback interface, and other machines cannot reach it, not even over the local network. localhost is an alias of 127.0.0.1 and likewise cannot be accessed from outside.
(6) 0.0.0.0 means "any IP address": a program bound to it does not need to specify which address it listens on and can be reached through any network adapter on the machine.
(7) Case 2: Suppose that with ASP.NET we try to create a "trojan" file on the visitor's disk, a file that shuts the visitor's computer down when they click it. Hey, the code is written like this:
File.WriteAllText("C:/muma.exe", "I'm a Trojan, I want you to shut down, you will immediately shut down");
Start the test program with CassiniDev.exe so that someone else can test remotely (the server built into VS cannot be tested remotely). The .exe is created on the server's disk, not the visitor's, because the C# code runs on the server rather than in the browser; the browser only receives the HTML that is returned.
(8) Case 3: Two people each access a page that increments a counter by 1; each sees their own count, because each user's variable contents are isolated.
1) Drag a Button and a Label control onto the form, double-click the button and write the following code (Label1.Text must start as a number, e.g. "0"):
protected void Button1_Click(object sender, EventArgs e)
{
    int i = Convert.ToInt32(Label1.Text);
    i++;
    Label1.Text = i.ToString();
}
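Case 3 works because the Label's text travels with each user's own page (ASP.NET keeps it in that page's ViewState, so each browser posts its own copy back). A counter kept in a shared server-side variable, such as a C# static field, behaves very differently, and mixing the two up is a common way for one user's data to leak to another. The following Node.js script is added here as an illustration and is not from the original post: `pageCounterPostback` is the per-page version of Button1_Click, `staticCounterPostback` the shared one, and the click counts are constructed.

```javascript
// Added example, not from the original post: a Node.js model of Case 3.
// Per-user state lives in the page each browser sends back (ASP.NET's
// ViewState); shared state lives in one server-side variable.

// Per-page version of Button1_Click. `viewState` is the copy this
// particular browser posted back; returning a new object models the
// updated page being rendered to that same browser.
function pageCounterPostback(viewState) {
  // The value arrives from the client, so parse it defensively:
  // anything that is not a whole number restarts the count at 0.
  const current = /^\d+$/.test(viewState.label1) ? Number(viewState.label1) : 0;
  return { label1: String(current + 1) };
}

// Shared version: the analogue of `static int i;` on the page class.
// One variable for the whole server process, i.e. for every user.
let sharedCounter = 0;
function staticCounterPostback() {
  sharedCounter += 1;
  return sharedCounter;
}

// Two users click their buttons; each keeps their own page state.
// Returns what each user's label shows after the clicks, for both designs.
function simulateTwoUsers(clicksA, clicksB) {
  let pageA = { label1: '0' };
  let pageB = { label1: '0' };
  for (let k = 0; k < clicksA; k++) pageA = pageCounterPostback(pageA);
  for (let k = 0; k < clicksB; k++) pageB = pageCounterPostback(pageB);

  sharedCounter = 0; // fresh server process for the comparison
  let labelA = 0;
  let labelB = 0;
  for (let k = 0; k < clicksA; k++) labelA = staticCounterPostback();
  for (let k = 0; k < clicksB; k++) labelB = staticCounterPostback();

  return {
    isolated: { a: pageA.label1, b: pageB.label1 }, // each user's own count
    shared: { a: labelA, b: labelB },               // B continues where A left off
  };
}

console.log(JSON.stringify(simulateTwoUsers(3, 2)));
```

With three clicks from user A and two from user B, the isolated design shows A "3" and B "2", while the shared design shows A 3 and B 5: B has inherited A's clicks.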
- Principle 2
(1) Do not send to the server what can be done in the browser.
(2) To hide a control when a button is clicked, there is no need to write server code: JavaScript and the DOM can manipulate the control on the client side. Operating on the database, on the other hand, obviously cannot be done in the browser, so that needs server code. Verifying a user name and password could technically be done in the browser (with the user name and password hard-coded into the page), but the security is poor, so it must be done on the server.
(3) Drag a Button and a TextBox control onto the form and use the button to hide the TextBox.
1) On the server, in the button's click handler:
TextBox1.Visible = false;
2) On the client, with no server code at all:
<input type="button" value="Hide on client" onclick="document.getElementById('TextBox1').style.display = 'none'" />
Note: This covers development principle 1. The next post is web development principle 2; I hope we can learn it together. Our group number is 159227188, and you are welcome to come and discuss.