Developer forum

Base.Request() security checks

I have a question about Base.Request()
Which variable is returned if it is in the Querystring and Form collection?
What is the order of processing?

Are the security checks also available via a separate function?
For example, if I want to get a variable only from the querystring and then do the security checks.

Regards,
Remi


Replies

 
Nicolai Høeg Pedersen
Reply
r.muller wrote:

I have a question about Base.Request()
Which variable is returned if it is in the Querystring and Form collection?
What is the order of processing?

Are the security checks also available via a separate function?
For example, if I want to get a variable only from the querystring and then do the security checks.

Regards,
Remi


 

Hi Remi

 

Base.Request returns this:

Database.SQLEscapeInjection(HttpContext.Current.Request(key))

 

Current.Request is a call to HttpRequest.Item, which returns from QueryString, Form, Cookies and ServerVariables.

See the description of it here: http://msdn.microsoft.com/en-us/library/system.web.httprequest.item.aspx

 

As you can see, you can use Database.SQLEscapeInjection(value) to include the security check.

 

So you can do like this to only get the querystring:

Database.SQLEscapeInjection(HttpContext.Current.Request.QueryString(key))

 

Regards, Nicolai

 
Reply

Tested on this form, it returns the querystring value alone.

<form action="Default.aspx?ID=<!--@ParagraphPageID-->&amp;felt=tester" method="post">
<input name="felt" type="text" /> <input type="submit" value="send" />
</form>

It runs the parameter through Database.SQLEscapeInjection. If you use Base.Request("fieldname", false), SQLEscapeInjection is not performed.
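The two posts above describe two things: the lookup order behind HttpContext.Current.Request(key) (the querystring value wins when the same name is also posted in the form) and the fact that the value is then passed through Database.SQLEscapeInjection. The Python below is an added example, not Dynamicweb's code, that models both so the behaviour can be checked offline. Assumptions: the collection order (QueryString, Form, Cookies, ServerVariables) is the one documented for HttpRequest.Item; `sql_escape` is a minimal quote-doubling stand-in for Database.SQLEscapeInjection, whose exact rules this thread does not state; the sample request and the SQLite table are constructed for the example. It also shows the caveat a practitioner should keep in mind when relying on an escaper: quote escaping only protects a value inside a quoted string literal, so a value dropped into a numeric position (such as an ID) still injects, and a parameterised query is the safe choice there.

```python
"""Model of Request(key) lookup precedence plus an escape-vs-parameterise check.

Added example, not Dynamicweb code. Collection order follows the documented
HttpRequest.Item behaviour; sql_escape is an assumed stand-in for
Database.SQLEscapeInjection; all sample data is constructed.
"""
import sqlite3

# Constructed request matching the form in the post above: the page URL carries
# ?ID=123&felt=tester while the posted form also contains a field named "felt".
SAMPLE_QUERYSTRING = {"ID": "123", "felt": "tester"}
SAMPLE_FORM = {"felt": "typed value"}


def request_item(key, querystring, form, cookies=None, server_vars=None):
    """Mimic HttpContext.Current.Request(key): the first collection holding
    the key wins, in the order QueryString, Form, Cookies, ServerVariables."""
    for collection in (querystring, form, cookies or {}, server_vars or {}):
        if key in collection:
            return collection[key]
    return None


def form_preferred(key, querystring, form):
    """The choice Remi settles on: read Form first, fall back to QueryString."""
    return form.get(key, querystring.get(key))


def sql_escape(value):
    """Assumed stand-in for Database.SQLEscapeInjection: doubles single quotes."""
    return value.replace("'", "''")


def demo_db():
    """Constructed in-memory table used by the lookups below."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER, title TEXT, secret INTEGER)")
    con.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                    [(1, "Home", 0), (2, "Admin", 1)])
    return con


def lookup_by_title_escaped(con, title):
    """String context: the escaped value cannot break out of the quoted literal."""
    sql = "SELECT id FROM pages WHERE title = '%s'" % sql_escape(title)
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_escaped(con, page_id):
    """Numeric context: there are no quotes to escape, so the escaper is useless
    here and an input such as "1 OR 1=1" widens the query to every row."""
    sql = "SELECT id FROM pages WHERE id = %s" % sql_escape(page_id)
    return [row[0] for row in con.execute(sql)]


def lookup_by_id_param(con, page_id):
    """Safe form: validate the type and bind the value; it never enters the SQL text."""
    try:
        pid = int(page_id)
    except ValueError:
        return []
    return [row[0] for row in con.execute("SELECT id FROM pages WHERE id = ?", (pid,))]


if __name__ == "__main__":
    print("Request('felt') ->", request_item("felt", SAMPLE_QUERYSTRING, SAMPLE_FORM))
    print("Form-preferred  ->", form_preferred("felt", SAMPLE_QUERYSTRING, SAMPLE_FORM))
    con = demo_db()
    print("title injection ->", lookup_by_title_escaped(con, "x' OR '1'='1"))
    print("id escaped      ->", lookup_by_id_escaped(con, "1 OR 1=1"))
    print("id parameterised->", lookup_by_id_param(con, "1 OR 1=1"))
```

Running it shows "tester" for `Request('felt')`, matching the observation in the post that the querystring value is returned, and "typed value" once Form is consulted first. The last two lines show why escaping is not a substitute for binding: the escaped numeric lookup returns both rows, the parameterised one rejects the input.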

 
Reply

Thank you for your great input!

 

I'll go with Database.SQLEscapeInjection(HttpContext.Current.Request.Form(key)), where Form parameters are preferred over the Querystring.

 

 

For your information, I tried replying on the topic 'Dynamicweb Security Update' but this gives an error, also when I cancel:

---------------------------------------------------------------
XML Parsing Error: no element found
Location: http://documentation.dynamicweb.dk/Developer-forum-25346.aspx?action=EditPost&ThreadID=643&ReplyID=-1
Line Number 1, Column 1:
---------------------------------------------------------------

 
Nicolai Høeg Pedersen
Reply
r.muller wrote:

Thank you for your great input!

 

I'll go with Database.SQLEscapeInjection(HttpContext.Current.Request.Form(key)), where Form parameters are preferred over the Querystring.

 

 

For your information, I tried replying on the topic 'Dynamicweb Security Update' but this gives an error, also when I cancel:

---------------------------------------------------------------
XML Parsing Error: no element found
Location: http://documentation.dynamicweb.dk/Developer-forum-25346.aspx?action=EditPost&ThreadID=643&ReplyID=-1
Line Number 1, Column 1:
---------------------------------------------------------------


 

Hi Remi

 

You cannot answer that thread without deleting all of my post, because the text in that box is SQL injection and is now stopped by the filter described. I had to put the content in the thread by disabling the feature for a moment and adding it...

 
