My way of editing content and security concerns

I'm using labels to let others edit the content of my website

Page 1 of 1

1 Replies - 525 Views - Last Post: 02 July 2010 - 04:08 PM

#1 codeaholic

  • New D.I.C Head

Reputation: 0
  • Posts: 27
  • Joined: 06-November 09

My way of editing content and security concerns

Posted 01 July 2010 - 08:09 PM

Thank you all for your help in advance.
(I have posted this somewhere else, but I'm posting it again so more people would see this)

I couldn't find a way to integrate Umbraco or DNN into my already existing website.

I needed a way to let the people who use my websites edit certain content.

I had no luck in dealing with DotNetNuke, Umbraco and other CMS packages out there.

So what I did instead was, I used labels to hold the content of certain pages, and I allow users, only if they have administrator rights, to edit that content by using a free text editor called FreeTextBox, which is a state-of-the-art control.

It works like this:

    // admin: bool, true when the current user has administrator rights
    if (admin)
    {
        // show the FreeTextBox editor to the admin
        textEditor.Visible = true;
        // the label that holds the page content takes the editor's text
        lblContent.Text = textEditor.Text;
    }

It does what I want it to do.

The problem is, since I'm not very experienced I'm worried that this approach may expose my web application to security risks, or there might be a better way of doing this.

Thanks in advance for your help.


Replies To: My way of editing content and security concerns

#2 5thWall

  • Occasional Member

Reputation: 31
  • Posts: 530
  • Joined: 17-September 08

Re: My way of editing content and security concerns

Posted 02 July 2010 - 04:08 PM

Put your code in the code tags next time m'kay.

.NET can detect XSS type attacks and should throw an error if somebody tries to put malicious JavaScript into a text field. You should also be using parameterized queries when inserting stuff into your database to protect against SQL injection.

The next place you should be looking at is how people can become admin. If that's secure then .NET won't even render the control to HTML unless it's set to visible.

I think you shouldn't have too much to worry about for most attacks as long as you keep your .NET up to date on the server and sanitize stuff before you send it to the database. Nothing is completely secure but I don't see any obvious vulnerabilities with what you've given so far.
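Putting codeaholic's design (post #1) and 5thWall's advice (post #2) together, here is what the code-behind of such a page can look like in ASP.NET Web Forms C#. This is an added example, not code from either poster or from FreeTextBox: it keeps the "label holds the content, admins get the editor" idea, but evaluates the admin check on the server from the authenticated principal and repeats it inside the save handler, and it reads and writes the content with parameterized SqlCommand queries. The control names (lblContent, textEditor, btnSave), the role name, the connection-string name and the PageContent table are assumptions for the example.

```csharp
// Added example (not codeaholic's or 5thWall's code). Assumed: a page with a
// Label "lblContent", an editor control "textEditor" with a Text property
// (e.g. FreeTextBox), a Button "btnSave" wired to btnSave_Click, a role named
// "Administrator", a connection string "SiteDb" and a table
// PageContent(PageKey NVARCHAR(50) PRIMARY KEY, Html NVARCHAR(MAX)).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ContentPage : Page
{
    private const string PageKey = "home";            // assumed: this page's content row
    private const string AdminRole = "Administrator"; // assumed: role name used by the site

    // Role membership comes from the authenticated principal on the server,
    // never from a hidden field, cookie value or query string the client controls.
    private bool IsAdmin
    {
        get { return User != null && User.Identity.IsAuthenticated && User.IsInRole(AdminRole); }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // As in the original post: the editor is only rendered for admins, so a
        // normal visitor never receives the control in the HTML at all.
        textEditor.Visible = IsAdmin;
        btnSave.Visible = IsAdmin;

        if (!IsPostBack)
        {
            string html = LoadContent(PageKey);
            lblContent.Text = html;              // Label renders its Text unencoded
            if (IsAdmin) textEditor.Text = html; // pre-fill the editor for the admin
        }
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Defence in depth: Visible only decides what is rendered. The write path
        // re-checks the role, so a crafted postback cannot save content.
        if (!IsAdmin)
        {
            Response.StatusCode = 403;
            Response.End();
        }

        SaveContent(PageKey, textEditor.Text);
        lblContent.Text = textEditor.Text;
    }

    private static string LoadContent(string pageKey)
    {
        // Parameterized read: pageKey is bound as @key, never concatenated into SQL.
        string cs = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Html FROM PageContent WHERE PageKey = @key", conn))
        {
            cmd.Parameters.Add("@key", SqlDbType.NVarChar, 50).Value = pageKey;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? string.Empty : (string)result;
        }
    }

    private static void SaveContent(string pageKey, string html)
    {
        // Parameterized write: quotes or SQL fragments inside the editor's HTML
        // travel as data in @html and cannot change the statement.
        string cs = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "UPDATE PageContent SET Html = @html WHERE PageKey = @key; " +
            "IF @@ROWCOUNT = 0 INSERT INTO PageContent (PageKey, Html) VALUES (@key, @html);", conn))
        {
            cmd.Parameters.Add("@key", SqlDbType.NVarChar, 50).Value = pageKey;
            cmd.Parameters.Add("@html", SqlDbType.NVarChar, -1).Value = html; // -1 = NVARCHAR(MAX)
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

One caveat that ties the two posts together: the "error" 5thWall mentions is ASP.NET request validation, which rejects a postback containing markup such as a script tag. A rich-text editor like FreeTextBox submits HTML by design, so a page using it typically has request validation turned off for that page (ValidateRequest="false" in the @Page directive; from .NET 4.0 onward this also needs requestValidationMode="2.0" in web.config). Once that is off, and because a Label writes its Text into the page unencoded, the admin check in the save handler is the only thing keeping untrusted HTML out of the page, which is why the example enforces it on the postback rather than only when deciding what to render.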
