Cutting edge: Validating ASP.NET Query Strings

摘要

Not all ASP.NET pages use the query string. However, the query string can be used as input for Web pages. As such, it is a potential vehicle for attacks on pages with security holes. If your pages need a query string barrier, be ready to write the same code over and over again in all of the pages where you use the query string.rnThe QueryString module presented in this column requires no coding in source pages and automatically checks the posted query string against a given schema saved in a separate XML file. This means there's zero impact on existing code, while offering one more built-in barrier against attackers. But remember that this is no silver bullet.