security - Securing Ajax Requests in ASP.net via Autenticated Webforms -

-

I have already read and Now let me explain my scenario, below will be the code snippet that can help in explaining the subject. [WebMethod [EnableSession = True] [ScriptMethod] Public Static String CreateTitle (string strTitleName) {String strResult = "custom json string"; If (session ["Authorized"] == "Truth" & amp; amp; String.INNLLI below (strTitleName) {string strTitle = Server.HtmlEncode (strTitleName); InsertRecordInDB (strTitle); StrResult = "custom jSOn string" + Encrypt MD5 ("Record ID"); Return return}

and the Javascript call to send the parameters below is the BtnCreateTitle_click button. The client side's click event is the TxtTitle title name accepting the textbox. Validated pages have also been made to validate the textbox. CreateTitle is a page method that I call using ScriptManager 

  function BTN Cretalitlical (avent) {if (Page.ClientValidate ()) {if ($ get ("getTxtTitle")) {PageMethods.CreateTitle ($ ("txtTitle" value, success, failure, references); The success of the function shows a deep message that the title was created and shows a link with the encrypted records id as the query string to the URL, whose creation is to see the title details. Is for.  
 Now the burning question,  
     
  1.  Is it safe enough? What am i missing  
  2.  How can I make this process more secure and fast?    
     
     
     Unscrupited to restrict any method for authenticated and authorized users When you show the dub id in the query string, then you open the possibility that a certified and authorized user can try to use records that are not of them. This occurs especially when the DB ID integer or some others easily recognize the identifier. Using guides as DB ID can reduce its risk, though not at all.  
     You should always remember that there is no trust input. Security (ie encryption, etc.) is not a reliable technique through ambiguity. Your service should always verify that the records requested by the current user Permission has been granted to recover. Sometimes this is known as the level of level security, it can only be done programmatically.  
     Instead of being able to see the records, instead of being able to see the record, It is essential that they actually have the right to use the record.  
     This means that you  
     BTW: Any HTTP request is probably valid for the hazardous input.  
     Hope this helps,

Comments

Post a Comment

Popular posts from this blog

qt - switch/case statement in C++ with a QString type -

-
I want to use switch-case in my program but the compiler generates an error. How can I use the switch statement with QString ? The compiler gives me this error: The expression of the switch type 'QString' is invalid My code is as follows : boolStopWord (the word QString) {bool flag = false; Switch (word) {case "the": flag = true; break ; "On" case: flag = true; break ; Case "in": flag = true; break ; Case "your": flag = true; break ; Case "near": flag = true; break ; Case "all": flag = true; break ; Case "this": flag = true; break ; } Return flag; } How do I use the switch statement with a Caststring ? You can not use the switch statement in C ++ language with integral or enum types. You can formally enter the square type of object in the switch statement, but this means that the compiler will look for a user-defined conversion to convert it to an integral or enum type.
Read more

python - sqlite3.OperationalError: near "REFERENCES": syntax error - foreign key creating -

-
I'm trying to create a predefined key after checking the manual and I wrote it: Db.execute ("create table" Table 2 (id, integer primary key, somedata integer) "db.execute" (table creation table 2 does not exist (name text, maintain reference (id) ") and found this: sqlite 3. Operation error: near" references ": syntax error Your second ligne is wrong db.execute ("create table if table does not exist 2 (name text, my_id integer, foreign key (my_id) reference Maintenance (ID)) ") as explained
Read more

Python's equivalent for Ruby's define_method? -

-
What is a Python equivalent for Ruby's define_method , which is the dynamic generation of class methods will allow? (As can be seen in Wikipedia) Functions are first-class objects in Python and assign them The properties of a class or an example can be a way of doing the same thing as a Wikipedia example: colors = {"black": "000", "red": "F00", "green": "0f0", "yellow": "ff0", "blue": "00f", "magenta": "fff", "cyan": "0ff", "white": " FFF "} Class MyStream (ARR): Pass for Name, Code in colors.iteritems (): def _in_colour ( W code = code): return '& lt; Span style = "color:% s" & gt;% s & lt; / Span & gt; ' % (Code, self) setter (histrive, "in_" + name, _in_ color)
Read more