Security Validation and Making Posts to Update Data

Windows SharePoint Services 3

For reasons of security, Windows SharePoint Services by default does not allow you to make posts from a Web application to modify the contents of the database unless you include security validation on the page making the request.

Updating Data for a Site or Site Collection

You can update data for a single site or site collection by adding a page directive and a FormDigest control to the page that makes the request. The following directive registers the Microsoft.SharePoint.WebControls namespace:

<%@ Register 
   Tagprefix="SharePoint" 
   Namespace="Microsoft.SharePoint.WebControls" 
   Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

Note:

You can obtain the PublicKeyToken value for the current Windows SharePoint Services deployment from the default.aspx file in the Local_Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\SiteTemplates\sts folder, or from information provided for the Microsoft.SharePoint assembly at Local_Drive:\WINDOWS|WINNT\assembly in Windows Explorer.

Include a FormDigest control within the form as follows:

<form id="Form1" method="post" runat="server">
   <SharePoint:FormDigest ID="MyFormDigest" runat="server"/>
   <asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 282px; 
      POSITION: absolute; TOP: 282px" runat="server" 
      Text="Button"></asp:Button>
</form>

Inserting this control on an ASPX page generates a security validation, or message digest, to help prevent an attack wherein a user is tricked into posting data to the server. The security validation is specific to a user, site, and time period and expires after a configurable amount of time. When the user requests a page, the server returns the page with security validation inserted. When the user then submits the form, the server verifies that the security validation has not changed. For more information about this control, see the FormDigest class.
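
The following sketch models the validation described above: a value bound to user, site, and issue time that the server re-checks on the POST. It is an added illustration, not SharePoint's implementation or code from this documentation; the HMAC-SHA256 construction, the key, the 30-minute timeout, and the function names are all assumptions chosen for the example.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real server keeps its key secret and out of source.
SERVER_KEY = b"constructed-demo-key"
# Assumed expiry window; the page only says the period is configurable.
TIMEOUT_SECONDS = 1800


def _mac(user, site, issued_at):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (user.encode(), site.encode(), str(issued_at).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_digest(user, site, now=None):
    """Return 'issued_at,mac' for the server to embed as a hidden form field."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at},{_mac(user, site, issued_at)}"


def validate_digest(token, user, site, now=None):
    """Accept the POST only if the token matches this user and site and is unexpired."""
    now = time.time() if now is None else now
    try:
        issued_text, mac = token.split(",", 1)
        issued_at = int(issued_text)
    except (AttributeError, ValueError):
        return False  # missing or malformed field: reject the post
    if not 0 <= now - issued_at <= TIMEOUT_SECONDS:
        return False  # expired, or stamped in the future
    expected = _mac(user, site, issued_at)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed user and site names for the demonstration.
    site = "http://intranet/sites/hr"
    token = issue_digest("CONTOSO\\alice", site, now=1000)
    print("same user, in time :", validate_digest(token, "CONTOSO\\alice", site, now=1600))
    print("different user     :", validate_digest(token, "CONTOSO\\bob", site, now=1600))
    print("after the timeout  :", validate_digest(token, "CONTOSO\\alice", site, now=2801))
```

A page on another origin that tricks the user's browser into posting cannot supply a valid value, because it cannot read the page the server returned to that user.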

© 2013 Microsoft. All rights reserved.