如何保护我的 asp.net 处理程序页面
我正在使用这种做法来使用 AJAX 添加评论,通过将数据发送到 ASP.NET 处理程序来收集信息,然后插入评论,但我担心任何人都可以使用它,我错了吗?
//AddComment.ashx
public void ProcessRequest (HttpContext context) {
CommentsDB db = new CommentsDB();
db.InsertComment(new Comment(context.Request["name"].ToString(), context.Request["comment"].ToString(), "no", int.Parse(context.Request["id"].ToString())));
context.Response.ContentType = "text/plain";
context.Response.Write("succeed");
}
//Comments.js
function AddComment()
{
n = document.getElementById('txtName').value;
c = document.getElementById('txtComment').value;
i = document.getElementById('ctl00_ContentPlaceHolder1_thread').value;
m = document.getElementById('ctl00_ContentPlaceHolder1_Label1');
if(n == "" || c == "" || n.length > 100 || c.length > 400)
{
m.innerHTML = "<center><font color=black size=3><b><font color=red>*</font> An error has occurred</b></font></center><br>";
return;
}
m.innerHTML = "";
document.getElementById('btn').disabled = true;
$.post("./Handlers/AddComment.ashx", {'name':n, 'comment':c, 'id':i}, function(Response){
m.innerHTML = "<center><font color=black size=3><b>accepted</b> <img src=./Images/success-icon.png></font></center><br>";
});
}
I'm using this practice to add comments using AJAX , by sending the data to an ASP.NET Handler which collect the information and then insert the comment, but I am afraid that any one could use it , am I wrong !?
//AddComment.ashx
public void ProcessRequest (HttpContext context) {
CommentsDB db = new CommentsDB();
db.InsertComment(new Comment(context.Request["name"].ToString(), context.Request["comment"].ToString(), "no", int.Parse(context.Request["id"].ToString())));
context.Response.ContentType = "text/plain";
context.Response.Write("succeed");
}
//Comments.js
function AddComment()
{
n = document.getElementById('txtName').value;
c = document.getElementById('txtComment').value;
i = document.getElementById('ctl00_ContentPlaceHolder1_thread').value;
m = document.getElementById('ctl00_ContentPlaceHolder1_Label1');
if(n == "" || c == "" || n.length > 100 || c.length > 400)
{
m.innerHTML = "<center><font color=black size=3><b><font color=red>*</font> An error has occurred</b></font></center><br>";
return;
}
m.innerHTML = "";
document.getElementById('btn').disabled = true;
$.post("./Handlers/AddComment.ashx", {'name':n, 'comment':c, 'id':i}, function(Response){
m.innerHTML = "<center><font color=black size=3><b>accepted</b> <img src=./Images/success-icon.png></font></center><br>";
});
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您的假设是正确的,您的用户可能会向您的处理程序发出自己的 HTTP 请求,并提供虚假数据。他们还可以在浏览器(使用任何开发人员工具栏)中操作您的页面标记并执行相同的操作。
因此,如果您担心这一点,您将需要在服务器端进行一些验证。如果您的应用程序需要身份验证,只需在处理程序的 ProcessRequest 方法中查找当前用户名,而不是发布它。
我认为这就是您的问题的目的。另外,请清理标记,
center和font标记已弃用。Your assumption is correct, that your users can potentially make their own HTTP requests to your handler, and provide bogus data. They could also manipulate your page markup in their browsers (with any developer toolbar) and do the same.
So, you're going to want to do some validation on your server side if you're worried about this. If your application requires authentication, just look up the current user's name in the handler's
ProcessRequestmethod, rather than posting it.I think that's what your question is getting at. Also, clean up your markup,
centerandfonttags are deprecated.如果您要求评论者登录而不是检查实际用户(存储在网络服务器上 - 例如在会话中)。
或者,如果您允许未经身份验证的评论,请考虑使用一些验证码来防止自动请求。
If you require that the commenters to be logged in than check for the actual user (stored on the web server - in session for example).
Or if you allow non authenticated comments, than consider using some captcha to protect against automated requests.