How do I protect my ASP.NET handler page?

Published 2024-10-28 04:34:18


I'm using this practice to add comments using AJAX, by sending the data to an ASP.NET handler which collects the information and then inserts the comment, but I am afraid that anyone could use it. Am I wrong!?

    //AddComment.ashx
    <%@ WebHandler Language="C#" Class="AddComment" %>

    using System.Web;

    public class AddComment : IHttpHandler {
        public void ProcessRequest(HttpContext context) {
            CommentsDB db = new CommentsDB();
            // Every field is taken straight from the request and inserted as-is
            db.InsertComment(new Comment(context.Request["name"], context.Request["comment"], "no", int.Parse(context.Request["id"])));

            context.Response.ContentType = "text/plain";
            context.Response.Write("succeed");
        }

        public bool IsReusable { get { return false; } }
    }

    //Comments.js
    function AddComment() {
        var n = document.getElementById('txtName').value;
        var c = document.getElementById('txtComment').value;
        var i = document.getElementById('ctl00_ContentPlaceHolder1_thread').value;
        var m = document.getElementById('ctl00_ContentPlaceHolder1_Label1');
        // Client-side check only; nothing stops a request that skips this function
        if (n == "" || c == "" || n.length > 100 || c.length > 400) {
            m.innerHTML = "<center><font color=black size=3><b><font color=red>*</font> An error has occurred</b></font></center><br>";
            return;
        }
        m.innerHTML = "";
        document.getElementById('btn').disabled = true;
        $.post("./Handlers/AddComment.ashx", {'name': n, 'comment': c, 'id': i}, function (Response) {
            m.innerHTML = "<center><font color=black size=3><b>accepted</b> <img src=./Images/success-icon.png></font></center><br>";
        });
    }


Comments (2)

凹づ凸ル 2024-11-04 04:34:19


Your assumption is correct: your users can potentially make their own HTTP requests to your handler and provide bogus data. They could also manipulate your page markup in their browsers (with any developer toolbar) and do the same.

So you're going to want to do some validation on your server side if you're worried about this. If your application requires authentication, just look up the current user's name in the handler's ProcessRequest method rather than posting it.

I think that's what your question is getting at. Also, clean up your markup: center and font tags are deprecated.

请远离我 2024-11-04 04:34:19


If you require commenters to be logged in, then check for the actual user (stored on the web server, in session for example).

Or if you allow non-authenticated comments, then consider using some captcha to protect against automated requests.
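Both answers above describe the same fix: do the checks inside ProcessRequest on the server, take the user from the server-side identity or session instead of trusting the posted name field, and validate whatever is still accepted from the client. The handler below is an added example written for this page, not code from the question or from either answerer. It assumes the site already uses ASP.NET authentication (Forms or Windows) so that context.User.Identity is populated; that the page rendering the form calls EnsureCsrfToken and places the returned value in a hidden field which the AJAX call posts as "token" (the helper and the field name are both assumptions); and that CommentsDB and Comment are the question's own classes, which are not shown on the page. The CAPTCHA route the second answer mentions for unauthenticated comments would replace step 2 with a call to whichever CAPTCHA service the site uses; none is shown here because the page names no specific service.

```csharp
<%@ WebHandler Language="C#" Class="AddCommentSecure" %>

using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Hardened AddComment.ashx (example only, not the question's code).
// IRequiresSessionState is what makes context.Session available in an .ashx handler.
public class AddCommentSecure : IHttpHandler, IRequiresSessionState {
    const int MaxCommentLength = 400;   // the limit the client-side script uses, now enforced here
    const string TokenKey = "csrfToken";

    // Called by the page that renders the comment form (assumed wiring): creates a random
    // per-session token on first use and returns it for a hidden field named "token".
    public static string EnsureCsrfToken(HttpSessionState session) {
        string token = session[TokenKey] as string;
        if (token == null) {
            byte[] bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            session[TokenKey] = token;
        }
        return token;
    }

    public void ProcessRequest(HttpContext context) {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";

        // 1. Only a POST may create a comment; a GET from an <img src> or a link is rejected.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)) {
            response.StatusCode = 405;
            response.Write("method not allowed");
            return;
        }

        // 2. Require a logged-in user and take the name from the server-side identity.
        //    The posted "name" field is ignored entirely, so it cannot be spoofed.
        if (context.User == null || !context.User.Identity.IsAuthenticated) {
            response.StatusCode = 401;
            response.Write("login required");
            return;
        }
        string name = context.User.Identity.Name;

        // 3. Anti-CSRF: the token stored in the session must be echoed back in the POST body.
        //    Another site can make the browser send the auth cookie but cannot read this token.
        string sessionToken = context.Session[TokenKey] as string;
        string postedToken = request.Form["token"];
        if (sessionToken == null || postedToken == null || !ConstantTimeEquals(sessionToken, postedToken)) {
            response.StatusCode = 403;
            response.Write("invalid token");
            return;
        }

        // 4. Server-side validation of what is still accepted from the client. The JavaScript
        //    checks are a convenience only; anyone can skip them with a hand-made request.
        string comment = request.Form["comment"];
        int threadId;
        if (string.IsNullOrWhiteSpace(comment) || comment.Length > MaxCommentLength
                || !int.TryParse(request.Form["id"], out threadId) || threadId <= 0) {
            response.StatusCode = 400;
            response.Write("invalid input");
            return;
        }

        // CommentsDB and Comment are the question's own classes (assumed to use parameterised SQL).
        CommentsDB db = new CommentsDB();
        db.InsertComment(new Comment(name, comment, "no", threadId));
        response.Write("succeed");
    }

    // Compares every character so the token check does not leak a prefix match via timing.
    static bool ConstantTimeEquals(string a, string b) {
        if (a.Length != b.Length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public bool IsReusable { get { return false; } }
}
```

On the JavaScript side the $.post call then sends one extra field, 'token', read from the hidden field the page rendered (control id assumed), and can drop 'name' since the handler no longer reads it. Whether the posted thread id refers to a thread the user is allowed to comment on is a check that belongs inside CommentsDB, next to the insert, rather than in the handler.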
