Leading technology: Subclass and rewrite asp.net pages

Source: Internet
Author: User
Tags sql injection sql injection attack stop sql injection

Recently a very fortuitous opportunity, I found a large web site, which is full of some extremely simple Web user controls, specifically some ASCX files. This approach is often considered necessary when developers discover unusual behavior in the server controls they are using.

As a result, developers replace all of these server controls within a site with user controls that contain modified versions of the original control (and because of the consequences of not being able to determine what the replacement server control would entail), developers have replaced a large number of other controls. Developers think it is more reliable to place such an extra layer of abstraction between the page and the controls. Another benefit is that you can easily replace the user control (if needed) in a asp.net application without modifying the binaries and restarting the application. (This is not always the case, but some deployment scenarios require that action to be taken.) )

Once there was a company that asked me to review apps, the first question they ask me is, "is there a better way to replace the entire site's server controls without a lot of rework per page?" ”

In my April 2007 column, I gave several solutions to the limited (and sometimes temporary) modification of the ASP.net Web site without modifying the original source code. This month I found several tricks to replace the server controls and URLs by declaring them without having to modify the source code.

I couldn't answer their questions immediately, but I knew how to find a solution. I think if I had developed the ASP.net infrastructure, I would put some sort of setting in the configuration file so that developers could map the markup to the control declaratively. This is not a whole new idea in asp.net. As early as ASP.net 1.x, you can declaratively change some code-related content, such as the base class for Web pages and user controls. (However, this method applies only to pages and user controls that do not explicitly use the INHERITS clause in the page directive.) So I have a question about why server controls can't take this approach. It turns out I was right at the time: ASP.net 2.0 was the only one to offer the <tagMapping> festival.

Background knowledge

I'd like to introduce some background information to you first. This scenario began with an internal security review when the customer discovered that there was a vulnerability in the application that could lead to a classic SQL injection attack. The company applied a quick fix to the vulnerability, but it caused another problem.

On the customer's web site, many pages allow a fixed five-character code to be included in the query string. This code is then used to compose the SQL statement. The company was still running code similar to the following:

Dim Code as String = Request.QueryString ("code"). ToString ();
Dim command as String = _
"SELECT * FROM Customers WHERE id= '" & Code & "'"

To say the truth, I really hope your site is no longer running similar code! This code completely blindly trusts any information passed through a query string and attaches that information to the string that makes up the SQL command. Doing so would create a very serious security risk. Sophisticated hackers can easily detect seemingly normal, dangerous texts that can turn the original and SQL commands written for a particular purpose into dangerous attacks. If you need more information about SQL injection, it is recommended that you read Paul Litwin's article "Stop SQL injection attacks before They stop you".

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.