.NET2 Web site form - can it be Broken?

**Durbs** · 10 December 2008, 15:49

If using SP's entirely and you dont have any dynamic SQL hiding anywhere then you should be good. Make sure you dont leave the customErrors mode="On" when finished developing it to give anyone a clue about any exceptions.

Also use the length= attribute for your textboxes to prevent people pasting huge amounts of text in to force DB errors.

**Durbs** · 10 December 2008, 15:54

Also ensure the DB user the application is connecting as does not have any permissions beyond what it needs, its easy to just grant the user dbo knowing your app will work fine whereas it seldom needs that level of access.

**wxman** · 10 December 2008, 16:06

Hi Durbs,

Thanks for the heads up, I have now lmited the size of the text boxes to the max size of the SQL fields - in most cases varchar(100)

Not sure what to do about the web.config custom error mode as I have a custom 404 page??

<customErrors mode="On">
<error statusCode="404" redirect="404ErrorPage.aspx" />
</customErrors>

**Durbs** · 10 December 2008, 16:20

Sorry, typo in my original post! "On" is ok and what you'd use in your case as you are explicitely defining an action for 404.

"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages to remote users, detailed to local

So dont use "Off"

**voodooflux** · 10 December 2008, 16:22

Originally posted by Durbs View Post

Make sure you dont leave the customErrors mode="On" when finished developing it to give anyone a clue about any exceptions.

Originally posted by wxman View Post

Not sure what to do about the web.config custom error mode as I have a custom 404 page??

<customErrors mode="On">
<error statusCode="404" redirect="404ErrorPage.aspx" />
</customErrors>

"On" is the correct production setting - "Off" is the mode that will generate detailed exception messages.

EDIT: durbs beat me to it.

**NickFitz** · 10 December 2008, 16:25

You should also check out Cross-site scripting (XSS) and Cross-site request forgery (XSRF) to be on the safe side, although there's a reasonable chance ASP.NET offers some level of protection against them.

**Durbs** · 10 December 2008, 16:27

You can also catch unhandled exception i.e not 404 by using:

<customErrors defaultRedirect="error.htm" mode="On" />

Then create an all encompassing error.htm page that doesnt give any dodgy geezers a clue as to what caused your app to fall over (and also presents a nicer screen to the users than the browser error screen)

**NickFitz** · 10 December 2008, 16:41

FWIW, I think ASP.NET's idea of redirecting errors to a different URL is a fundamentally broken concept

**Durbs** · 10 December 2008, 16:57

I can fully understand what you mean for 5xxx errors but the ability to do this for errors is great as you get to keep the user on your site by displaying them actual content rather than any sort of error. I'd assume an error of any nature would have the bulk of users simply clicking back to Google. At least it gives you a last ditch attempt to say 'sorry, we couldnt do that, but do you want to buy one of THESE instead'.

.NET2 Web site form - can it be Broken?