2

I have this in my Markup:

<asp:DropDownList ID="ddlSalutation" runat="server">
  <asp:ListItem Text="Please chose" Value="" />
  <asp:ListItem Text="Mr" Value="Mr"></asp:ListItem>
  <asp:ListItem Text="Mrs" Value="Mrs"></asp:ListItem>
</asp:DropDownList>

In CS I use:

string value = ddlSalutation.SelectedValue;
// ... save value

Is it possible that a hacker can change the DropDownList on the client side and send wrong selected values to the server? Can SelectedValue have values other than "Mr" or "Mrs"?

Xeddon
  • 429
  • 8
  • 18

1 Answer

1

Xeddon,

According to this post:

Hacking DropDownList value

Actually you should be able to assume that the dropdown list options have not been changed client side as long as the page has EnableEventValidation = true (which is the default, although you can disable it per page or in the web.config). If a new value is added to your dropdownlist client side and a postback occurs, an error will occur unless you register this new value for event validation (http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx).

You should definitely be fine. Should you disable EnableEventValidation, you should be able to manually validate as follows (written as it would be in MVC):

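using System.Linq;      // Contains() on string[]
using System.Web.Mvc;   // ActionResult, ModelState, View()

// Action method; it belongs inside a Controller class
public ActionResult PageOfGlory(){
    // Field name matches the dropdown's ID from the markup
    string value = Request.Form["ddlSalutation"];
    // Allow-list of the values the dropdown legitimately offers
    string[] validSalutations = new string[]{
        "Mr",
        "Mrs"
    };
    // Anything else (including a missing field) was not sent by the unmodified form
    if(!validSalutations.Contains(value)){
        ModelState.AddModelError("","Invalid Salutation");
        return View();
    }
    //Add stuff to database

    return View();
}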

I hope this helps!

Lucas

Community
  • 1
  • 1
Lucas Niewohner
  • 327
  • 3
  • 11
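
For the Web Forms page in the question, the same allow-list check can live in the code-behind when EnableEventValidation is turned off. This is an added example, not code from the question or the answer; the Registration class, SalutationPolicy, btnSave and lblError are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Added example: server-side allow-list for the ddlSalutation values.
public static class SalutationPolicy
{
    // Mirrors the <asp:ListItem> values in the markup; the empty
    // "Please chose" placeholder is deliberately not a valid choice.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.Ordinal) { "Mr", "Mrs" };

    public static bool TryAccept(string posted, out string salutation)
    {
        // A tampered or missing field arrives as an arbitrary string or null.
        bool ok = posted != null && Allowed.Contains(posted);
        salutation = ok ? posted : null;
        return ok;
    }
}

// Hypothetical code-behind class; btnSave and lblError are assumed controls
// declared in the page markup next to ddlSalutation.
public partial class Registration : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Read what the browser actually sent; UniqueID is the form field name.
        string posted = Request.Form[ddlSalutation.UniqueID];

        string salutation;
        if (!SalutationPolicy.TryAccept(posted, out salutation))
        {
            lblError.Text = "Invalid salutation";
            return; // nothing is saved
        }

        // ... save salutation
    }
}
```

The comparison is ordinal and case-sensitive, so "mr" or " Mr" is rejected along with any value that is not in the markup.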