Thank you all for your help in advance.
(I have posted this somewhere else, but I'm posting it again so more people would see this)
I couldn't find a way to integrate Umbraco or DNN into my already existing website.
I needed a way to let the people who use my websites edit certain content.
I had no luck in dealing with DotNetNuke, Umbraco and other CMS packages out there.
So what I did instead was, I used labels to hold the content of certain pages, and I allow users, only if they have administrator rights, to edit that content by using a free text editor called FreeTextBox, which is a state-of-the-art control.
It works like this:
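if (admin)
{
    // Show the editor only to administrators
    textEditor.Visible = true;
    // Copy the edited HTML into the label that displays the page content
    lblContent.Text = textEditor.Text;
}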
It does what I want it to do.
The problem is, since I'm not very experienced, I'm worried that this approach may expose my web application to security risks, or there might be a better way of doing this.
Thanks in advance for your help.
My way of editing content and security concerns
I'm using labels to let others edit the content of my website
1 Replies - 365 Views - Last Post: 02 July 2010 - 04:08 PM
Replies To: My way of editing content and security concerns
#2
Re: My way of editing content and security concerns
Posted 02 July 2010 - 04:08 PM
Put your code in the code tags next time m'kay.
.NET can detect XSS type attacks and should throw an error if somebody tries to put malicious JavaScript into a text field. You should also be using parameterized queries when inserting stuff into your database to protect against SQL injection.
The next place you should be looking at is how people can become admin. If that's secure then .NET won't even render the control to HTML unless it's set to visible.
I think you shouldn't have too much to worry about for most attacks as long as you keep your .NET up to date on the server and sanitize stuff before you send it to the database. Nothing is completely secure but I don't see any obvious vulnerabilities with what you've given so far.
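One way to wire up the save path the reply describes, with a server-side admin check and parameterized queries; this is an added example, not code from either poster. The PageContent table, the SiteDb connection string, the Administrators role, the btnSave button and the TextBox standing in for the FreeTextBox control are all assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

// Assumed (not from the thread): PageContent(PageKey, Html) table, "SiteDb" connection
// string, "Administrators" role, btnSave. A TextBox stands in for the FreeTextBox control.
public partial class EditablePage : System.Web.UI.Page
{
    protected Label lblContent;
    protected TextBox textEditor;
    protected Button btnSave;
    private const string PageKey = "home";

    private bool IsAdmin => User.Identity.IsAuthenticated && User.IsInRole("Administrators");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Controls with Visible = false are not rendered, so only admins receive the editor.
        textEditor.Visible = btnSave.Visible = IsAdmin;
        if (!IsPostBack) lblContent.Text = textEditor.Text = LoadHtml();
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Re-check the role on every write; hiding the editor is not the authorization check.
        if (!IsAdmin) { Response.StatusCode = 403; return; }
        SaveHtml(textEditor.Text);
        // A Label renders its Text as markup, so this HTML is only as trustworthy as the admin role.
        lblContent.Text = textEditor.Text;
    }

    private static string LoadHtml() => Run("SELECT Html FROM PageContent WHERE PageKey = @key", null) as string ?? "";
    private static void SaveHtml(string html) => Run("UPDATE PageContent SET Html = @html WHERE PageKey = @key", html);

    private static object Run(string sql, string html)
    {
        string cs = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Values travel as typed parameters and are never concatenated into the SQL text.
            cmd.Parameters.Add("@key", SqlDbType.NVarChar, 50).Value = PageKey;
            cmd.Parameters.Add("@html", SqlDbType.NVarChar, -1).Value = (object)html ?? DBNull.Value;
            conn.Open();
            return cmd.ExecuteScalar();
        }
    }
}
```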