Do ASP.Net controls control SQL queries through viewstate?

Do you have controls that are part of the standard ASP.Net default parameter set - EVERYONE uses viewstate or controlstate all the time?

i.e. If I put the code below on a new web form, is my SQL string placed in an unencrypted controlstate?

<asp:SqlDataSource ID="mobileData" runat="server" DataSourceMode="DataReader" SelectCommand="SELECT * from ma.bob WHERE Vendor IS NOT NULL" /> 

I know how to encrypt viewstate and controlstate, but it seems crazy to me that this common use case can be so terribly insecure. Of course, you can perform an SQL injection attack by changing the control state?

I think most people think of controlstate encryption for sensitive applications, but in fact, if my assumption is correct - then this should always be done - and should Visual Studio enable it by default?

Am I thinking about it right, or do I have the wrong end of a stick?

2 answers

To answer your question, no.
From MSDN:

For security reasons, the SelectCommand property is not stored in view state. Because it is possible to decode the contents of view state on the client, storing sensitive information about the database structure in view state might result in an information disclosure vulnerability.


This information is never stored in ViewState.



Not all properties are created as follows.

    public string SomeProperty
    {
        get
        {
            // ViewState-backed property: the value is serialized into the page
            // state and comes back on every postback.
            object obj = ViewState["SomeProperty"];
            return (obj == null) ? string.Empty : (string)obj;
        }
        set { ViewState["SomeProperty"] = value; }
    }

SelectCommand is assigned here in the generated C#/VB class using PageParser. This class will contain some string like

    mobileData.SelectCommand = "SELECT * from ma.bob WHERE Vendor IS NOT NULL";

and this assignment is executed every time a page is requested. ASP.Net does not need to save this in ViewState.


However, if you do something like

  <asp:HiddenField runat="server" Value="SELECT * from ma.bob WHERE Vendor IS NOT NULL" /> 

This will be in ViewState (what I said about the parser is also true here, but the control itself implements the ViewState mechanism in this case).

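The MSDN note quoted in the first answer says view state can be decoded on the client; the following added example (not code from the question, the answers, or ASP.NET itself) demonstrates that with the real LosFormatter class: a string placed where it would be persisted (for instance a HiddenField's Value) round-trips through the view-state format with no key involved, which is why SelectCommand is deliberately kept out of it. It assumes a classic ASP.NET (.NET Framework) project that references System.Web.

```csharp
using System;
using System.IO;
using System.Web.UI;

static class ViewStateDemo
{
    // Serialize a value the way the page's view-state field is produced.
    // LosFormatter's default constructor uses no MAC and no encryption,
    // so the result is base64-encoded object state, not ciphertext.
    public static string Serialize(object state)
    {
        var formatter = new LosFormatter();
        using (var writer = new StringWriter())
        {
            formatter.Serialize(writer, state);
            return writer.ToString();
        }
    }

    // Anyone holding the rendered page can reverse the encoding without a secret.
    public static object Deserialize(string encoded)
    {
        var formatter = new LosFormatter();
        return formatter.Deserialize(encoded);
    }

    static void Main()
    {
        // Constructed sample: the SQL text from the question, placed where it
        // WOULD be persisted (e.g. a HiddenField's Value), unlike SelectCommand.
        const string sql = "SELECT * from ma.bob WHERE Vendor IS NOT NULL";

        string encoded = Serialize(sql);
        Console.WriteLine(encoded);                 // base64, readable by design
        Console.WriteLine(Deserialize(encoded));    // the SQL text comes straight back

        // Mitigation for values that must live in view state (web.config):
        // <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
    }
}
```

Run it once with a value you consider sensitive; if the second line prints it back verbatim, that value must not be placed in view state unencrypted.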

Source: https://habr.com/ru/post/1397872/
