Security Validation and Making Posts to Update Data
Published: May 2010
For reasons of security, by default Microsoft SharePoint Foundation rejects a POST from a Web application that would modify the content database unless the page making the request carries security validation (a form digest). An update attempted without it fails with an SPException reporting that the security validation for the page is invalid.
You can update data for a single site or for a site collection by adding a page directive and a FormDigest control to the page that makes the request. The following directive registers the Microsoft.SharePoint.WebControls namespace:
<%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
Version 14.0.0.0 is the Microsoft.SharePoint assembly shipped with SharePoint Foundation 2010. You can confirm the Version and PublicKeyToken values for the current deployment from the default.aspx file in the %ProgramFiles%\Common Files\Microsoft Shared\web server extensions\14\TEMPLATE\SiteTemplates\sts folder, or from the properties of the Microsoft.SharePoint assembly in the global assembly cache (%windir%\assembly) in Windows Explorer.
Include a FormDigest control within the form, as follows:
<form id="Form1" method="post" runat="server">
    <SharePoint:FormDigest ID="MyFormDigest" runat="server"/>
    <asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 282px; POSITION: absolute; TOP: 282px" runat="server" Text="Button"></asp:Button>
</form>
Inserting this control on an ASPX page generates a security validation, or message digest, to help prevent cross-site request forgery, an attack in which a user is tricked into posting data to the server. The digest is rendered as a hidden form field named __REQUESTDIGEST. The security validation is specific to a user, a site, and a time period; it expires after a configurable interval (30 minutes by default, set per Web application under Web Page Security Validation in Central Administration). When the user requests a page, the server returns the page with the security validation inserted. When the user then submits the form, the server verifies that the security validation has not changed and has not expired before it allows the update. For more information about this control, see the FormDigest class.
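The code-behind that completes the procedure above, as an added example (it is not code from the original article). It assumes the page markup shown earlier, a page class named SecureUpdatePage declared in the page's Inherits attribute, and a list called Announcements on the current site; the second class shows the AllowUnsafeUpdates alternative for code that runs outside a browser POST, where no form digest exists.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Code-behind for the page containing the FormDigest control shown above.
// Class name and list name are assumptions made for this example.
public class SecureUpdatePage : Page
{
    protected Button Button1;   // the asp:Button declared in the markup

    protected void Page_Load(object sender, EventArgs e)
    {
        Button1.Click += Button1_Click;
    }

    // Handles the postback from Button1. The FormDigest control emitted a hidden
    // __REQUESTDIGEST field when the page was served; the browser echoes it back
    // in the POST, and ValidateFormDigest() checks it against the current user,
    // the current site and the expiry window before any write is attempted.
    protected void Button1_Click(object sender, EventArgs e)
    {
        if (!SPUtility.ValidateFormDigest())
        {
            // A forged cross-site POST or an expired digest ends here; nothing is written.
            throw new SPException("Security validation for this page is invalid or has expired.");
        }

        SPWeb web = SPContext.Current.Web;
        SPList list = web.Lists["Announcements"];      // assumed: list exists on this site
        SPListItem item = list.Items.Add();
        item["Title"] = "Added at " + DateTime.UtcNow.ToString("o");
        item.Update();                                 // allowed because the digest validated
    }
}

// The opposite pattern, for code paths that have no form to carry a digest
// (timer jobs, feature receivers, console tools). AllowUnsafeUpdates switches the
// check off for this SPWeb object only. Do not set it in a page that handles
// browser POSTs: that reintroduces the cross-site request forgery the digest
// exists to prevent.
public static class NonInteractiveUpdates
{
    public static void AddAnnouncement(SPWeb web, string title)
    {
        bool previous = web.AllowUnsafeUpdates;
        try
        {
            web.AllowUnsafeUpdates = true;
            SPListItem item = web.Lists["Announcements"].Items.Add();   // assumed list name
            item["Title"] = title;
            item.Update();
        }
        finally
        {
            web.AllowUnsafeUpdates = previous;   // restore so the object is not left open
        }
    }
}
```

Calling SPUtility.ValidateFormDigest() explicitly, rather than relying on the exception the object model raises during Update(), lets the handler reject a bad request before it has done any work; in the example the click handler and the non-interactive helper are kept separate so that the unsafe-updates flag never reaches a page that serves browsers.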