I have a blog-driven ASP.NET website. Under each post there is a comment block that lets readers post comments.
I've used some TextBoxes and a TextArea for that.
To Prevent XSS:
I've filtered the input by using the Server.HtmlEncode() method (I don't care about text formatting).
To Prevent SQL-Injection:
I'm using LINQ to SQL (that should be like parameterized queries, I think!).
Am I safe now?
Because I've set ValidateRequest="false" in the page directive.
Here is the code:
ArticlesDataClasses dc = new ArticlesDataClasses();
ArticleComment newComm = new ArticleComment()
{
    // Article id comes straight from the query string; int.Parse throws on a missing or non-numeric value
    ArticleID = int.Parse(Request.QueryString["ArticleID"]),
    CommentAuthor = Server.HtmlEncode(txtName.Text),
    // Encode first, then insert line breaks, so the only markup stored is the <br /> added here
    CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("\n", "<br />"),
    CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
    CommentTime = DateTime.Now,
    Enabled = false
};
// LINQ to SQL generates a parameterized INSERT for the new row
dc.ArticleComments.InsertOnSubmit(newComm);
dc.SubmitChanges();
Thanks.
Parameters and encoding are the major ones, but you may also want to take cross-site request attacks into account, and prevent posting if the referrer isn't your site:
http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx
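One way to put the answer's referrer check next to the asker's insert code, as an added example that is not from the question or the linked article. It assumes a Web Forms code-behind with a hypothetical button handler btnPost_Click and the same ArticlesDataClasses context; the ViewStateUserKey line is the standard Web Forms way to bind ViewState to the session, and the TryParse replaces the int.Parse that throws on a bad query string.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for the article page (class and control names assumed).
public partial class ArticlePage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Bind the ViewState MAC to this session: a forged POST that replays someone
        // else's ViewState fails validation. Needs EnableViewStateMac (the default)
        // and something stored in Session so the SessionID stays stable.
        if (Session["csrf-seed"] == null) Session["csrf-seed"] = true;
        ViewStateUserKey = Session.SessionID;
    }

    // Referrer check as the answer suggests: reject posts whose Referer is
    // missing or points at another host. Treat it as a second layer, not the only one.
    private bool IsSameSiteReferrer()
    {
        Uri referrer = Request.UrlReferrer;
        return referrer != null
            && string.Equals(referrer.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase);
    }

    // Parse the article id defensively; int.Parse would throw on junk input.
    private static bool TryGetArticleId(string raw, out int articleId)
    {
        return int.TryParse(raw, out articleId) && articleId > 0;
    }

    protected void btnPost_Click(object sender, EventArgs e)
    {
        int articleId;
        if (!IsSameSiteReferrer() || !TryGetArticleId(Request.QueryString["ArticleID"], out articleId))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        using (var dc = new ArticlesDataClasses())
        {
            var comment = new ArticleComment
            {
                ArticleID = articleId,
                CommentAuthor = Server.HtmlEncode(txtName.Text),
                // Encode first, then add line breaks: the <br /> is ours, the rest is inert text.
                CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("\n", "<br />"),
                CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
                CommentTime = DateTime.Now,
                Enabled = false
            };
            dc.ArticleComments.InsertOnSubmit(comment); // parameterized INSERT via LINQ to SQL
            dc.SubmitChanges();
        }
    }
}
```

Encoding on the way in means the stored values must be written to the page without a second encode, otherwise "&amp;" style double-encoding shows up in rendered comments.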