19.1. Remembering User Input Is Evil

Accepting data in a public Web form is a risky business with many potential pitfalls. The bad guys out on the WWW (Wild West Web) use data input fields as prime methods (attack vectors in geekspeak) to disrupt Web servers and run their own nasty code. After they worm their way in, they steal information, deface sites, and use the computer as a zombie to send spam and even more malicious content.

The best defense is not to allow any data into your Web application until you check the data and cleanse it. If you start with the assumption that anything a user can submit to your site is evil until proven otherwise, you're more likely to implement appropriate validation to stay out of trouble.

Your advantage over the hackers is that for every text box on a page, you know exactly what data is acceptable in terms of business rules and data integrity. You know whether you'll accept letters from A to Z and how many. If you're requesting a number, you know the valid range, such as 1 to 150. The validation controls help you enforce your requirements.
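The two rules just described (letters A to Z only, and a number between 1 and 150) look like this when enforced with ASP.NET validation controls. This is an added example rather than code from the book; the field names, the 20-letter limit and the `SubmitForm` handler are assumptions made for the illustration.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Runs on the server after the validators have executed. The client-side
    // checks are a convenience only; Page.IsValid is the check that counts,
    // because a request can be crafted to bypass the browser entirely.
    protected void SubmitForm(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            return; // Reject the submission; the validators display why.
        }
        // Both inputs now satisfy the rules declared below, so it is safe to
        // parse the number and carry on with the business logic.
        int age = int.Parse(AgeBox.Text);
        Status.Text = "Accepted " + Server.HtmlEncode(NameBox.Text) + ", " + age;
    }
</script>
<html>
<body>
  <form id="MainForm" runat="server">
    Name (letters only):
    <asp:TextBox ID="NameBox" runat="server" MaxLength="20" />
    <%-- Validators skip empty input, so an explicit required check is needed. --%>
    <asp:RequiredFieldValidator ID="NameRequired" runat="server"
        ControlToValidate="NameBox" ErrorMessage="Name is required." Display="Dynamic" />
    <%-- Allow-list: only A to Z, 1 to 20 characters, nothing else. --%>
    <asp:RegularExpressionValidator ID="NameLetters" runat="server"
        ControlToValidate="NameBox" ValidationExpression="^[A-Za-z]{1,20}$"
        ErrorMessage="Letters A to Z only." Display="Dynamic" />
    <br />
    Age (1 to 150):
    <asp:TextBox ID="AgeBox" runat="server" MaxLength="3" />
    <asp:RequiredFieldValidator ID="AgeRequired" runat="server"
        ControlToValidate="AgeBox" ErrorMessage="Age is required." Display="Dynamic" />
    <%-- Type="Integer" rejects non-numeric text as well as out-of-range values. --%>
    <asp:RangeValidator ID="AgeRange" runat="server"
        ControlToValidate="AgeBox" Type="Integer" MinimumValue="1" MaximumValue="150"
        ErrorMessage="Age must be a whole number from 1 to 150." Display="Dynamic" />
    <br />
    <asp:Button ID="Submit" runat="server" Text="Submit" OnClick="SubmitForm" />
    <asp:Label ID="Status" runat="server" />
  </form>
</body>
</html>
```

The same validators run again on the server during postback, so a submission that skips the browser-side script still fails `Page.IsValid` and never reaches the handler's body.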
