ASP.NET basics - 9. Web development principles

Source: Internet
Author: User

Directory:

9.1 Some basic principles of web development

9.2 Principle 1

9.2.1 C# code runs on the server; JS code runs in the browser client

9.2.2 A "pop-up message window" on the server

9.2.3 Case studies (the client and server do not affect each other)

9.3 Principle 2

9.4 Principle 3

9.4.1 Client verification cannot replace server verification

9.1 Some basic principles of web development

● Principle of least privilege. State what users are allowed to do ("users may only perform ***") rather than what they are not allowed to do ("users may not perform ***").
● The browser displays the text output by the execution of the server code. The browser cannot see the server's .aspx and .cs source code unless the server has a vulnerability: what it receives is the result of executing the .aspx, not the .aspx source. JavaScript and HTML, on the other hand, are output to the browser to be executed there, so there is no way to prevent a visitor from viewing the JS and HTML.

9.2 Principle 1

9.2.1 C# code runs on the server; JS code runs in the browser client

Client confirmation.aspx

<form id="form1" runat="server">
    <div>
        <asp:Button ID="Button1" runat="server" OnClientClick="return confirm('Do you really want to delete it?')" Text="Delete" OnClick="Button1_Click" />
        <br />
        <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
    </div>
</form>

Write the button's server-side click event:

protected void Button1_Click(object sender, EventArgs e)
{
    // Runs on the server only after the browser-side confirm() returned true
    Label1.Text = "Deleted successfully! " + DateTime.Now;
}

Generated on the client: the OnClientClick value is rendered as the button's onclick attribute, so the confirm dialog runs in the browser before any postback reaches the server.

● Do not go to the server to do anything that can be done on the browser side.

● The client is untrusted.

9.2.2 A "pop-up message window" on the server

Context.Response.Write("<script type='text/javascript'>alert('deleted successfully')</script>"); Understand why this works.

It does not really run on the server side: the JavaScript code is generated into the response and sent to the browser, and the browser runs alert when it parses the document. This technique is shown only so that you understand the mechanism; it is not recommended, and Page.ClientScript.RegisterStartupScript is introduced later instead. Because the script is merely rendered to the browser, the server-side code does not wait for the dialog box to be closed (set a breakpoint after the Context.Response.Write("<script type='text/javascript'>alert('deleted successfully')</script>") line to confirm this).

9.2.3 Case studies (the client and server do not affect each other)

● Case 1: Add a reference to System.Windows.Forms to the project, then start the test program with cassinidev.exe so that students can test it remotely. The Windows Forms message box appears on the machine running the server, not in the visitor's browser, which proves that the C# code runs on the server.

● 127.0.0.1 is the loopback address: it reaches the local machine through the loopback interface and cannot be reached from other machines, not even through the machine's LAN address. localhost is an alias for 127.0.0.1 and is likewise not accessible externally.

● 0.0.0.0 means "any IP address": a network program bound to it does not need a specific IP address written into the binding and can be reached through any network adapter.

● Case 2: "Great ASP.NET, you can create a trojan file on the visitor's disk":

File.WriteAllText("c:/muma.exe", "Trojan Horse() { Sunflower Point Hand(); Dragon Subduing 18 Palms(); pandatv(); }");

● Start the test program with cassinidev.exe so that students can test it remotely (the Visual Studio built-in server cannot be accessed remotely). The .exe is created on the server's disk, not on the visitor's disk, because the C# code runs on the server rather than in the browser. The browser only receives the returned HTML content.

● Case 3: Open the self-incrementing page in two browser windows; the two counters do not affect each other, because the state is saved in each page's ViewState.

9.3 Principle 2

● Do not go to the server for anything that can be done on the browser side.

● Do not write server code to hide a control when a button is clicked; use JavaScript and the DOM on the client. Operating on the database, on the other hand, obviously cannot be done in the browser, so server code is needed there. Checking a user name and password could technically be done on the browser side (with the credentials hard-coded into the page), but the security would be far too poor, so it must be done on the server.

9.4 Principle 3

• The client is untrusted.

• Client verification cannot replace server verification.

• Do not place sensitive data or algorithms in client-side code.

• Do not hide confidential information in the HTML and assume it is secure.

• Permission verification should be performed inside the confidential page itself before it is opened, not only on a separate page that redirects to the confidential page when the check passes and does not redirect when it fails.

• Do not trust data submitted by users.
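The last two principles in practice, as an added example that is not part of the original notes: the permission check lives in the confidential page's own load handler, so a visitor who requests its URL directly is redirected instead of served. The FakeResponse class and the Dictionary standing in for Session are assumptions that let the code run as a plain console program; in a real code-behind the same check goes in Page_Load using Session["UserName"] and Response.Redirect.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for HttpResponse so the example runs without ASP.NET.
class FakeResponse
{
    public string RedirectedTo;                 // null means the page rendered normally
    public void Redirect(string url) { RedirectedTo = url; }
}

static class ConfidentialPage
{
    // Returns the page body when the visitor is authorised, otherwise redirects
    // to the login page and returns null. The check is in the confidential page
    // itself, so typing its URL directly does not bypass it.
    public static string Load(Dictionary<string, object> session, FakeResponse response)
    {
        object user;
        if (!session.TryGetValue("UserName", out user) || user == null)
        {
            response.Redirect("Login.aspx");
            return null;            // real code: Response.Redirect ends the response
        }
        return "Secret data for " + user;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample: a visitor who never logged in requests the page directly.
        var anonymous = new Dictionary<string, object>();
        var r1 = new FakeResponse();
        Console.WriteLine(ConfidentialPage.Load(anonymous, r1) ?? ("redirected to " + r1.RedirectedTo));

        // Constructed sample: a session populated by a successful login.
        var loggedIn = new Dictionary<string, object> { { "UserName", "alice" } };
        var r2 = new FakeResponse();
        Console.WriteLine(ConfidentialPage.Load(loggedIn, r2));
    }
}
```

The first call prints "redirected to Login.aspx" and the second prints the page body; the login page never has to be visited for the confidential page to protect itself.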


9.4.1 Client verification cannot replace server verification

Client verification.aspx

<form id="form1" runat="server" onsubmit="if (parseInt(document.getElementById('TextBox1').value, 10) > 100) { alert('You can withdraw at most 100 yuan'); return false; }">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
    </div>
</form>

Limit the withdrawal amount to at most 100 yuan:
• Client: <form id="form1" runat="server" onsubmit="if (parseInt(document.getElementById('TextBox1').value, 10) > 100) { alert('You can withdraw at most 100 yuan'); return false; }">
• Server: Label1.Text = "Withdrawal successful, amount: " + TextBox1.Text;
• For an <asp:Button>, OnClick is a server event, and OnClientClick is the onclick code that is eventually emitted to the client browser.

• If JavaScript is disabled (Internet Options → Security → Custom Level → Scripting → Active scripting → Disable, or use the Developer Tools), the client-side JavaScript verification no longer runs, and more than 100 yuan can be withdrawn.
• Data verification is therefore also required on the server; see the code below.

Client verification.aspx.cs

protected void Button1_Click(object sender, EventArgs e)
{
    // Note: Convert.ToInt32 throws on empty or non-numeric text, which the
    // server must expect when the client-side script did not run
    if (Convert.ToInt32(TextBox1.Text) > 100)
    {
        this.Label1.Text = "Withdrawals greater than 100 are prohibited";
    }
    else
    {
        this.Label1.Text = "Successfully withdrew " + TextBox1.Text + " yuan";
    }
}

Client-side verification exists for a good user experience; server-side verification is the last check that stops malicious requests. ASP.NET Validation is ASP.NET's built-in data validation technology, and it validates on both the client and the server.
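A server-side validator for the withdrawal example above, added here as an illustration and not code from the original notes. It generalises the page's Button1_Click check: the posted text is parsed with int.TryParse rather than Convert.ToInt32, so empty or non-numeric input (which reaches the server whenever the client script did not run) is rejected instead of throwing, and non-positive amounts are rejected as well. The WithdrawalValidator class and its method names are assumptions; in the real page Button1_Click would pass TextBox1.Text to HandlePost and put the result in Label1.Text.

```csharp
using System;
using System.Globalization;

// Hypothetical helper class; in the real code-behind this logic sits in Button1_Click.
static class WithdrawalValidator
{
    public const int MaxAmount = 100;   // the page's limit: 100 yuan

    // Returns null when the request is acceptable, otherwise the message to
    // show in Label1. The text arrives exactly as the browser posted it, so it
    // may be empty, non-numeric or negative when the client-side script did not
    // run; Convert.ToInt32 would throw on those, int.TryParse does not.
    public static string Validate(string amountText, out int amount)
    {
        if (!int.TryParse(amountText, NumberStyles.Integer, CultureInfo.InvariantCulture, out amount))
            return "Invalid amount";
        if (amount <= 0)
            return "Amount must be positive";   // beyond the page's check: zero or negative withdrawals are rejected too
        if (amount > MaxAmount)
            return "Withdrawals greater than " + MaxAmount + " are prohibited";
        return null;
    }

    // The text the label would show for a given posted value. The echoed value
    // is the parsed integer, never the raw posted string.
    public static string HandlePost(string amountText)
    {
        int amount;
        string error = Validate(amountText, out amount);
        return error ?? ("Successfully withdrew " + amount + " yuan");
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample posts, including values the client-side check would
        // have stopped had JavaScript been enabled in the browser.
        foreach (var posted in new[] { "50", "100", "101", "-5", "abc", "" })
            Console.WriteLine("\"" + posted + "\" -> " + WithdrawalValidator.HandlePost(posted));
    }
}
```

Only "50" and "100" succeed; "101" hits the page's limit, "-5" fails the positivity check, and "abc" and the empty string are reported as invalid rather than crashing the request.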
