I have developed a custom web part for SharePoint, and I'm concerned about its security. The web part is essentially a quiz framework that starts with user registration: they enter their name and email address. On successful completion of the quiz, the results are entered into a list, and those registration variables are stored directly in the list.
Should I be concerned about SQL injection attacks? Is the data sanitized by SharePoint before it is added to the list? Or does SharePoint use parameterized queries with prepared statements? Or does it just go in verbatim?
Thanks for any insights.
UPDATE: Let me reiterate that I am putting the data into a SharePoint list, so it is not going 'directly' into the database. I'm uncertain about the process that takes place (especially regarding safety) when an item is added to the list and (I'm assuming) ends up somewhere in a database table. Here is some of the code I use. Users provide input through standard HTML inputs; here is how the data is used:

    // output.Write("   <- the HTML-output call is truncated on the page
    // Write the registration values and the score into the results list.
    using (SPSite siteSuccessWrite = new SPSite("http://www.mycompany.com"))
    {
        using (SPWeb webSuccessWrite = siteSuccessWrite.OpenWeb())
        {
            SPList insertResults = webSuccessWrite.Lists[resultsList];
            SPListItem quizEntry = insertResults.Items.Add();
            // Values come straight from the HTML form fields.
            quizEntry["first name"] = firstName;
            quizEntry["last name"] = lastName;
            quizEntry["email"] = email;
            quizEntry["phone"] = phone;
            quizEntry["department"] = department;
            quizEntry["score"] = score;
            quizEntry.Update();
        }
    }

Answer

When you use the object model, you don't need to worry about SQL injection, as SharePoint handles it for you (internally it uses parameterized stored procedures). You do need to worry about XSS, however, when displaying the quiz results to the user/reviewer, so make sure to HTML-encode the output; the same applies when you call the SharePoint web services / Client Object Model. Do the work in the context of the current user.
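The XSS point from the answer, as an added example that is not the asker's or the answerer's code: the same quiz row rendered by interpolating stored list values raw versus HTML-encoding them at output, using the column names from the question's code. The SPListItem overload assumes a reference to Microsoft.SharePoint; the sample name is constructed.

```csharp
using System;
using System.Web;               // HttpUtility.HtmlEncode (System.Web.dll)
using Microsoft.SharePoint;     // SPListItem; assumed reference

public static class QuizResultsRenderer
{
    // UNSAFE: whatever a registrant typed into the form is echoed back as markup.
    // SharePoint stored it verbatim and safely; the injection happens here, at output.
    public static string RenderRowUnsafe(string firstName, string lastName, int score)
    {
        return "<tr><td>" + firstName + " " + lastName + "</td><td>" + score + "</td></tr>";
    }

    // SAFE: encode every stored string at the point it enters the HTML.
    // The score is an int, so it cannot carry markup and needs no encoding.
    public static string RenderRow(string firstName, string lastName, int score)
    {
        return "<tr><td>" + HttpUtility.HtmlEncode(firstName) + " "
             + HttpUtility.HtmlEncode(lastName) + "</td><td>" + score + "</td></tr>";
    }

    // Reads a quiz entry back from the results list and renders it safely.
    // Column names match the question's insert code; runs as the current user.
    public static string RenderRow(SPListItem quizEntry)
    {
        string first = Convert.ToString(quizEntry["first name"]);
        string last  = Convert.ToString(quizEntry["last name"]);
        int score    = Convert.ToInt32(quizEntry["score"]);
        return RenderRow(first, last, score);
    }

    public static void Main()
    {
        // Constructed registration value: a "name" that is really a script tag.
        string first = "<script>alert('xss')</script>";
        string last  = "O'Neil & Sons";

        // Unsafe path: the browser would execute the script when the table renders.
        Console.WriteLine(RenderRowUnsafe(first, last, 9));

        // Safe path: <, >, &, ' and " become entities and display as literal text.
        Console.WriteLine(RenderRow(first, last, 9));
    }
}
```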