http://weblogs.asp.net/hernandl/archive/2005/05/04/never-trust-user-input-the-asp-net-viewstate-case.aspxThis morning I came across an interesting post about user input validation ( ASP.NET __VIEWSTATE crypto validation prone to replay attacks ) and the popular ASP.NET viewstate artifact that many people use thinking their state information (Read: User InputenCommunityServer 2007 SP1 (Build: 20510.895)http://weblogs.asp.net/hernandl/archive/2005/05/04/never-trust-user-input-the-asp-net-viewstate-case.aspx#405921Fri, 06 May 2005 13:17:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:405921Hernan de LahitteHernan de LahitteSorry Scott about my sentence choice. However, I suggest you to polish your writing style so your boss won't feel sick when reviewing you. :-)<img src="http://weblogs.asp.net/aggbug.aspx?PostID=405921" width="1" height="1">http://weblogs.asp.net/hernandl/archive/2005/05/04/never-trust-user-input-the-asp-net-viewstate-case.aspx#405621Wed, 04 May 2005 16:01:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:405621Daniel AugerDaniel AugerServer-side viewstate is another option. <br><a target="_new" href="http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/">http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/</a> <br>In that article, if I remember correctly, he stores thew viewstate in a file on the server, but it is very easy to convert the example to use a session variable for the viewstate.<img src="http://weblogs.asp.net/aggbug.aspx?PostID=405621" width="1" height="1">http://weblogs.asp.net/hernandl/archive/2005/05/04/never-trust-user-input-the-asp-net-viewstate-case.aspx#405620Wed, 04 May 2005 15:52:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:405620Scott MitchellScott MitchellEep, you chose to summarize my article with the worst sentence in the entire entry! Chalk full of parenthetical side comments and a bit of a run-on... if I wrote this in a book my editor would likely vomit all over his keyboard. <br> <br>Wally, what was your client's rationale for NOT requerying the database for pricing data? Was it solely because of performance reasons?<img src="http://weblogs.asp.net/aggbug.aspx?PostID=405620" width="1" height="1">http://weblogs.asp.net/hernandl/archive/2005/05/04/never-trust-user-input-the-asp-net-viewstate-case.aspx#405598Wed, 04 May 2005 13:19:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:405598WallymWallymI agree with you. :-) However, I had a customer that was adament that they would not requery the database for pricing information. They believed that their situation was valid. Its a battle I lost, though I did state that I felt that their reasons were not valid.<img src="http://weblogs.asp.net/aggbug.aspx?PostID=405598" width="1" height="1">