phdcc.Data DNN modules security
phdcc.Data Security
Last updated: CC 24/9/07


General Warning

The phdcc.Data modules provide very powerful facilities to anyone who has Edit permissions. Please be very careful about who you give access to the Admin/Edit facilities.

Indeed, the phdcc.Data modules let Admin/Edit users enter ASP.NET code that runs whenever the module is displayed. Such code can access all of the DNN information in the database, on every portal of the installation, not just the portal the module sits on.

Hosts: it is therefore strongly recommended that you install these modules only on systems where you trust the site administrators completely.

HTML and Cross-Site Scripting (XSS)

A cross-site scripting (XSS) attack is when a user enters script (such as JavaScript) into an input text box in the hope that the value is later output to the page unencoded, so that the script runs in other users' browsers. DNN does not rely on ASP.NET's built-in request validation to stop this: the validateRequest attribute of the pages element in web.config is set to false, so any input checking is left to the individual modules.

The Edit Form lets you enter values which are subsequently output unchecked to the browser. This is deliberate, because you may want to use HTML in your form layout, so the Edit Form does no extra checks on any input value. Anything an editor types is therefore trusted HTML, which is why you must be very careful about which users have edit permissions.

The form shown to end users does check their input for unsafe values and rejects it, unless you set the special option HTML_OK to true, in which case their input is passed through unchecked and the same XSS risk applies to them.

XSS detection uses the Microsoft request-validation rules, which treat a string as dangerous if it contains any of the following anywhere in the string (matching is case-insensitive):

<A <! &# OnXXX = Script: Expression(

That is: a "<" followed by a letter (the start of any tag), "<!", "&#" (a numeric character reference), an "on..." event-handler attribute name followed by "=", "script:" and "expression(". Note that this is a denylist of known-bad patterns, not output encoding: it blocks the common payloads but anything it fails to recognise would still be output as-is, so it should be regarded as a first line of defence rather than a complete one.
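The check described above, reimplemented as an added example so that it can be run over sample inputs. This is not phdcc.Data's or Microsoft's code, and it is in Python rather than the module's own ASP.NET so that it runs stand-alone; the readings of the shorthand entries "<A" (a "<" followed by any letter) and "OnXXX =" (an "on..." attribute name followed by "=") are assumptions, as is the extra HTML-encoding step in render_answer, which the page does not describe but which is what closes the gap a denylist leaves.

```python
import html
import re

# Request-validation rules as the page lists them. Two of the page's entries are
# shorthand and are read here as follows (an assumption about the notation):
#   "<A"      -> "<" followed by any letter, i.e. the start of any tag
#   "OnXXX =" -> an "on..." event-handler attribute name followed by "="
# Matching is case-insensitive and applies anywhere in the value.
DANGEROUS_PATTERNS = (
    ("tag start",       re.compile(r"<[a-z]", re.IGNORECASE)),
    ("comment/doctype", re.compile(r"<!")),
    ("numeric entity",  re.compile(r"&#")),
    ("event handler",   re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script: URL",     re.compile(r"script:", re.IGNORECASE)),
    ("CSS expression",  re.compile(r"expression\(", re.IGNORECASE)),
)


def dangerous_pattern(value):
    """Return the name of the first rule the value trips, or None if it is clean."""
    for name, pattern in DANGEROUS_PATTERNS:
        if pattern.search(value):
            return name
    return None


def is_dangerous(value):
    return dangerous_pattern(value) is not None


def render_answer(value, html_ok=False):
    """Model the two modes the page describes for a user-facing form field.

    html_ok=True mirrors the HTML_OK option: the value is emitted verbatim and
    the site owner accepts the XSS risk. Otherwise a dangerous value is rejected
    outright and, as an extra step assumed in this example, a clean value is
    still HTML-encoded on output so that anything the denylist misses cannot run.
    """
    if html_ok:
        return value
    hit = dangerous_pattern(value)
    if hit is not None:
        raise ValueError("input rejected by request validation: %s" % hit)
    return html.escape(value, quote=True)


# Constructed sample inputs (not from the page): classic payloads plus two
# harmless values that contain "<" and "on" and must NOT be rejected.
SAMPLES = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    '" onmouseover="alert(1)',
    "javascript:alert(1)",
    "&#106;avascript:alert(1)",
    "width:expression(alert(1))",
    "<!-- hidden -->",
    "Smith & Jones < 3",
    "season=spring",
]


def classify_samples():
    """Return {value: rule name or None} for every sample."""
    return {s: dangerous_pattern(s) for s in SAMPLES}


if __name__ == "__main__":
    for value, hit in classify_samples().items():
        print("%-32r -> %s" % (value, hit or "clean"))
    print(render_answer("Smith & Jones < 3"))
```

The two harmless samples show why the rules are written the way they are: "<" followed by a space is not a tag start, and the "on" inside "season=" is not an attribute name because it is not at a word boundary. The payload that injects an attribute into an existing tag (`" onmouseover=...`) contains no "<" at all and is caught only by the event-handler rule, which is the reason the list has more than just the tag-start entry.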

SQL injection

phdcc.Data accesses the database only through stored procedures, so user input is passed to the database as procedure parameters rather than being spliced into SQL text; this is what makes SQL injection against the module's own queries impractical. Bear in mind that the protection holds only as long as the stored procedures themselves do not build SQL dynamically from their parameters (for example with EXEC on a concatenated string), since that simply moves the injection point from the application into the database.
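An added example, not phdcc.Data's code, showing both sides of that point. SQLite has no stored procedures, so the two Python functions stand in for the two kinds of procedure: one that compares its parameter as a value, and one whose body concatenates the parameter into SQL (the T-SQL EXEC('...' + @param) pattern). The table, rows and attacker string are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table (not phdcc.Data's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Answers (Id INTEGER PRIMARY KEY, UserName TEXT, Answer TEXT)"
    )
    conn.executemany(
        "INSERT INTO Answers (UserName, Answer) VALUES (?, ?)",
        [("alice", "cats"), ("bob", "dogs"), ("carol", "fish")],
    )
    return conn


def answers_parameterised(conn, user_name):
    """Stand-in for calling a stored procedure with a typed parameter.

    The user-supplied value travels to the engine separately from the SQL text,
    so whatever it contains is compared as a literal string and cannot change
    the statement's structure.
    """
    rows = conn.execute(
        "SELECT Answer FROM Answers WHERE UserName = ? ORDER BY Id", (user_name,)
    )
    return [answer for (answer,) in rows]


def answers_dynamic(conn, user_name):
    """Stand-in for a stored procedure whose BODY builds SQL from its parameter.

    The call from the application may still be parameterised, but the procedure
    re-creates string concatenation on the inside, so the injection point moves
    from the application into the database rather than disappearing.
    """
    sql = (
        "SELECT Answer FROM Answers WHERE UserName = '" + user_name + "' ORDER BY Id"
    )
    return [answer for (answer,) in conn.execute(sql)]


INJECTION = "' OR '1'='1"   # constructed attacker input


def demo():
    """Run both variants against a normal name and the injection string."""
    conn = make_db()
    return {
        "parameterised/alice": answers_parameterised(conn, "alice"),
        "parameterised/injected": answers_parameterised(conn, INJECTION),
        "dynamic/alice": answers_dynamic(conn, "alice"),
        "dynamic/injected": answers_dynamic(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-24s %s" % (label, result))
```

With the injection string the parameterised variant looks for a user literally named `' OR '1'='1` and returns nothing, while the dynamic variant's WHERE clause becomes `UserName = '' OR '1'='1'` and returns every row. The practical check, when auditing a stored-procedure-only data layer, is therefore to grep the procedure bodies for EXEC and sp_executesql on concatenated strings, not just to confirm that the application uses procedures.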

Automated form filling

You can protect against automated form-filling programs by using the "captcha" question type: it requires a human to read a random number and type it in before the form is accepted. This guards against bulk submissions by bots; it does not replace the permission controls described above, since anyone with Edit rights can still change what the form does.