Avoiding injection

  • Question

  • User-326746839 posted

    Hi,

    Despite URL Routing, once the name has been displayed in the address bar it becomes a little handy for hackers to try out different combinations so they can reach your data source.

    Can that be prevented?

    Carlos N. Porras
    (El Salvador) 

    Tuesday, December 18, 2012 2:13 PM

Answers

  • User-330204900 posted

    Hi Carlos, I have not done any public facing site with DD as yet, but the same does apply for corporate sites, so what I do is add my Secure Dynamic Data MetaModel and then tie the site down so users can only get to the parts of the site that they have permission to access. As for data, I have filters that hide themselves, and these pre-filter the data so the user only sees the data he or she is permitted to see.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, December 21, 2012 7:13 AM

All replies

  • User-151368862 posted

    Using parameters in your server-side code to manage the database always avoids injection attacks.
    So don't make up your query by concatenating the query with control values.

    Just getting the name of a user does not really mean that any hacker has a way to pass through the
    default DB authentication and the one you have implemented in your application.
    Dive in here if you want to know more:
    http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html

    Tuesday, December 18, 2012 11:25 PM
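    The two patterns the reply contrasts, as an added example that is not part of the thread: the concatenated query that an address-bar value can reshape, beside the parameterized ADO.NET form where the SQL text stays fixed and the value is bound as typed data. It assumes a hypothetical Customers table with Id and Name columns and a connection string supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class CustomerLookup
{
    // UNSAFE: the value taken from the route or query string is spliced into the
    // SQL text, so the database parses user input as part of the statement.
    // Even an innocent name containing a quote (O'Brien) breaks this query.
    public static string ConcatenatedSql(string name)
    {
        return "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
    }

    // SAFE: the statement text is a constant; the value travels as a typed
    // parameter and can never be interpreted as SQL, whatever it contains.
    // Customers/Id/Name are assumed names for this example.
    public static List<KeyValuePair<int, string>> FindByName(string connectionString, string name)
    {
        const string sql = "SELECT Id, Name FROM Customers WHERE Name = @name";
        var rows = new List<KeyValuePair<int, string>>();

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length: the driver sends the value out of band,
            // so quotes, comments or semicolons in `name` are just characters.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows.Add(new KeyValuePair<int, string>(
                        reader.GetInt32(0), reader.GetString(1)));
                }
            }
        }
        return rows;
    }
}
```

    The same rule applies to any value that reaches the page from the address bar: bind it as a parameter (or, in Dynamic Data, let the generated queries and filters bind it for you) rather than building SQL text from it.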
  • User1139353921 posted

    Use Encrypt and Decrypt Logic for URL Routing.

    Tuesday, December 18, 2012 11:33 PM
  • User-326746839 posted

    Thank you usman400

    I'll check your link ....

    Carlos N. Porras
    (El Salvador) 

    Wednesday, December 19, 2012 11:12 AM
  • User-326746839 posted

    Not quite sure that can be done in ASP.NET Dynamic Data, ManikandanUlagu.

    It seems that the global.asax file sets the way in which URL routes are used for Dynamic Data to use the proper templates ... so I don't know how the routing can be altered in order to be able to use aliases or something similar ...

    Or simply hiding the URL from the end user interface, showing nothing more than a fixed, fictitious URL address.

    Carlos N. Porras
    (El Salvador)

    Wednesday, December 19, 2012 11:15 AM