California State University, Sacramento



1. Web site is partitioned into restricted areas (protected using SSL) and public areas

a. Web sites that consist of both public (anonymous) and restricted (secure) areas should be partitioned to separate the restricted content into one or more subdirectories.

b. Restricted subdirectories are protected by requiring authenticated access (configured in the <authorization> section of the Web.config file).

c. Unauthenticated access to restricted pages (e.g. expired session) should redirect to the default login page.

2. Code-behind files are used rather than inline server-side script blocks

a. Check every .aspx (page) file: no <script> blocks with runat="server" should be found.

3. Code-behind files are not used as a container for Business Logic and/or Data Access Logic

a. Code-behind files should only contain presentation-related programming logic such as event handlers which work with the UI elements (Server Controls, HTML Controls).

4. Master Pages are used as a means to create a consistent layout for web applications

5. Web site is fully-functional when JavaScript is disabled in the browser

6. Server-side validation is performed on all user inputs from sources such as HTML controls, Query String, and Cookies

a. The validation code should check that the length, type, and range of data is valid. 

7. Input form field values are retained when form is redisplayed to the user after input validation fails
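Items 6 and 7 applied to the product-lookup form used in the code fragments below, as an added example that is not part of the original page: the raw field value is checked for length, type and range on the server before it reaches the data layer, and on failure only a message is shown while the field keeps its value. The control names txtProductID, lblError and lblProductName, the page class name and the upper bounds are assumptions.

```vbnet
' Added example (not from the original page): server-side validation of the
' product-ID field (items 6 and 7). Control names and bounds are assumptions;
' ProductDB.findProduct is the page's own data-access function.
Imports System

Partial Public Class FindProduct
    Inherits System.Web.UI.Page

    ' Assumed bounds; take the real ones from the database schema.
    Private Const MaxProductIDLength As Integer = 9
    Private Const MaxProductID As Integer = 999999999

    ' Checks length, type and range of the raw input (item 6a). Returns Nothing
    ' when the value is acceptable, otherwise a message safe to show to the user.
    Public Shared Function ValidateProductID(ByVal raw As String, ByRef productID As Integer) As String
        productID = 0
        If raw Is Nothing Then Return "Product ID is required."
        Dim trimmed As String = raw.Trim()
        If trimmed.Length = 0 Then Return "Product ID is required."
        If trimmed.Length > MaxProductIDLength Then Return "Product ID is too long."
        If Not Integer.TryParse(trimmed, productID) Then Return "Product ID must be a whole number."
        If productID < 1 OrElse productID > MaxProductID Then Return "Product ID is out of range."
        Return Nothing
    End Function

    Protected Sub btnFind_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnFind.Click
        Dim productID As Integer
        ' Validate on the server regardless of whether any client-side script ran (item 5).
        Dim problem As String = ValidateProductID(txtProductID.Text, productID)
        If problem IsNot Nothing Then
            ' Item 7: txtProductID keeps its value across the postback (ViewState), so the
            ' user only sees the message and can correct the entry in place.
            lblError.Text = Server.HtmlEncode(problem)
            Return
        End If
        lblError.Text = String.Empty
        ' Only a validated Integer reaches the data layer. A lookup failure is left
        ' unhandled here so the global error handler (item 12b) logs it.
        lblProductName.Text = Server.HtmlEncode(ProductDB.findProduct(productID).ProductName)
    End Sub
End Class
```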

8. Data paging is used for unbounded or long lists of data

9. Sensitive information such as passwords and connection strings are not stored in any client-side state

10. Web site is fully-functional when cookies are disabled in the browser

11. The DataGrid server control is not used

a. The DataGrid control has been superseded in the .NET Framework 2.0 by the GridView control. This new control should be used in place of the DataGrid as it has several improvements (msdn2.en-us/library/05yye6k9(VS.80).aspx) over the DataGrid.

12. HTTP error codes are handled using custom error reporting pages

a. Custom error pages are set up in the Web.config file in the <customErrors> section.

b. Unhandled exceptions within an application should be caught and managed in a consistent and safe manner. This can be best achieved by using a global error handler that can trap all unhandled exceptions, log the details, then present a safe error page to the user (without exposing any sensitive data).
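A global error handler of the kind item 12b describes, written for Global.asax as an added example (not code from the original page): it logs the full exception details on the server and sends the user to a page that carries none of them. The log path "~/App_Data/errors.log" and the error page "~/Errors/GeneralError.aspx" are assumptions.

```vbnet
' Added example (not from the original page): Application_Error handler for
' Global.asax (item 12b). The log path and the error page URL are assumptions.
Imports System
Imports System.IO
Imports System.Web

Public Class Global_asax
    Inherits System.Web.HttpApplication

    Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
        ' GetLastError returns the HttpUnhandledException wrapper; unwrap the real cause.
        Dim ex As Exception = Server.GetLastError()
        If ex IsNot Nothing AndAlso ex.InnerException IsNot Nothing Then ex = ex.InnerException
        If ex Is Nothing Then Return

        ' Type, message, request URL and stack trace go to the server-side log only.
        Dim entry As String = String.Format("{0:u} {1} {2}: {3}{4}{5}{4}", _
            DateTime.UtcNow, Request.RawUrl, ex.GetType().FullName, ex.Message, _
            Environment.NewLine, ex.StackTrace)
        Try
            File.AppendAllText(Server.MapPath("~/App_Data/errors.log"), entry)
        Catch
            ' A logging failure must not take the request down a second time.
        End Try

        ' Clear the error so ASP.NET does not render its default error page (which can
        ' include source and stack details), then show the safe page instead.
        Server.ClearError()
        Response.Redirect("~/Errors/GeneralError.aspx", False)
    End Sub
End Class
```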

13. Configurable application settings are stored in the web application's Web.config file

14. Database connection string should be encrypted

a. Encrypting Sections of the Web.config File (msdn2.en-us/library/y13fw6we(vs.80).aspx) (MSDN Library)

Check these resources:

1. MSDN Coding Techniques and Programming Practices

2. Enterprise Solution Patterns Using Microsoft .NET

3. Tutorials for beginners

Code Fragments

Web.Config

Default.aspx.vb

Partial Public Class _Default
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        'Use the following code if you want to have a relative address to the database file.
        'Use these settings in the ProductDB.vb class or in the ConnectionDA.vb class.
        Dim strServerPath As String = Server.MapPath("/")
        'Assign through the indexer: Application.Add would append another entry on every page load.
        Application("ServerPath") = strServerPath
    End Sub

    Protected Sub bntFind_Click(ByVal sender As Object, ByVal e As EventArgs) Handles bntFind.Click
        Try
            Dim myProduct As Product = ProductDB.findProduct(CInt(Me.txtProductID.Text))
            Me.lblProductName.Text = myProduct.ProductName
        Catch ex As Exception
            'Shows the data layer's "Product Not Found" message; echoing other exception
            'details to the user would conflict with item 12b.
            Me.lblProductName.Text = ex.Message
        End Try
    End Sub
End Class

Product.vb

Imports Microsoft.VisualBasic

'***********************************************************************************************************************
'Class Name: Product.vb
'Version: 1.00
'Programmer/s: Spiros Velianitis
'Date: February 6, 2010
'Purpose: Implements the Product domain class. etc..
'***********************************************************************************************************************

Public Class Product
    'Declaration of constants

    'Declaration of module level variables
    Private mintProductID As Integer
    Private mstrProductName As String

    Public Sub New(ByVal intProductID As Integer, ByVal strProductName As String)
        Me.mintProductID = intProductID
        Me.mstrProductName = strProductName
    End Sub

    Public ReadOnly Property ProductID() As Integer
        Get
            Return mintProductID
        End Get
    End Property

    Public ReadOnly Property ProductName() As String
        Get
            Return mstrProductName
        End Get
    End Property
End Class

ConnectionDA.vb

Imports System.Configuration
Imports System.Web

Public Class ConnectionDA
    Public Shared Function getConnection() As String
        'Use the following code if you want a relative address to the database
        'Dim strServerPath As String = HttpContext.Current.Application("ServerPath")
        'Return ConfigurationManager.ConnectionStrings("localDBProvider").ConnectionString & strServerPath & _
        '    "/ProductManager" & ConfigurationManager.ConnectionStrings("localDBFilePath").ConnectionString

        'The connection string is read from the <connectionStrings> section of Web.config (items 13 and 14).
        Return ConfigurationManager.ConnectionStrings("localDB").ConnectionString
    End Function
End Class

ProductDB.vb

Imports Microsoft.VisualBasic
Imports System
Imports System.Data
Imports System.Data.OleDb

Public Class ProductDB
    Public Shared Function findProduct(ByVal intProductID As Integer) As Product
        'The ID is passed as a command parameter (OleDb uses positional "?" placeholders)
        'rather than concatenated into the SQL text.
        Dim sel As String = "SELECT Products.ProductID, Products.ProductName FROM Products WHERE Products.ProductID = ?;"
        Dim conString As String = ConnectionDA.getConnection()
        'Using blocks close the reader and the connection on every exit path, including the Throw below.
        Using con As New OleDbConnection(conString)
            Using cmd As New OleDbCommand(sel, con)
                cmd.Parameters.Add("ProductID", OleDbType.Integer).Value = intProductID
                con.Open()
                Using rdr As OleDbDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        Return New Product(intProductID, rdr.GetString(1))
                    Else
                        Throw New Exception("ERROR: Product Not Found")
                    End If
                End Using
            End Using
        End Using
    End Function

    Public Shared Function insertProduct(ByRef myProduct As Product) As Integer
        'Placeholder from the original fragment; the insert is not implemented here.
        Return 5
    End Function
End Class
