Q-V

Any attack that involves substituting executable code for plain text.

A way of compromising a Web application by entering client script into a Web page instead of text, typically by typing it into a text box. When the script is displayed in the same page or in another page, the script executes, potentially damaging the application. You can prevent script injection attacks by encoding user input to normalize executable code it might contain.

An ASP.NET control that runs on the server when the Web page is called and that renders HTML as part of the page. For example, the MxDataGrid server control runs on the server, reading data and creating items for each data record, and then renders an HTML <table> element into the page to display the data.

A user s individual working space in Web server memory. The server maintains the session from the time the user first visits an application on the Web server until the user has been idle for a specified timeout period or until the user closes the browser.

A form of state management in which information can be stored independently in Web server memory for each user of an application.

To simulate or fake a value or user identity. For example, if your application passes values in a query string, a malicious user can easily spoof those values.

Storing information that a process will need later. Because Web pages are stateless, ASP.NET includes several facilities for state management, including cookies, viewstate, the Application object, and the Session object.

Not storing information about the values in an object. Web pages are stateless, in that the Web page doesn t remember anything about the last time it was displayed. ASP.NET provides a number of state management mechanisms to overcome this limitation of Web pages.

A sequence of bytes that you can read or write. Streams can represent data in a file, data being sent over a communications channel, or data from another program.

A sequence of characters that can consist of alphabetic characters, numerals, and punctuation.

A password that includes eight or more characters that combine a mixture of uppercase and lowercase letters, numerals, and punctuation marks. Strong passwords also should not include names or other easy-to-guess strings.

A discrete block of code that can be called as needed to perform a task. Unlike functions, subroutines do not return a value.

A combination of controls and static HTML that defines the layout of data in a DataList or Repeater control.

A set of statements used to implement structured exception handling (error handling) in Visual Basic .NET. A Try- Catch block encloses other Visual Basic .NET statements that might result in an error. Visual Basic .NET first attempts to execute the statements that follow the Try statement; if any of the statements following Try cannot be executed, the statements following Catch are executed instead.

The process of ensuring that the information provided by a user is correct and complete.

A form of state management in which information is stored in the Web page in a hidden field so that it can be extracted again after a postback. Controls on the page store their nondefault values in viewstate before ASP.NET renders the page; when the page is re-created on postback, the controls can read the values out of viewstate and restore themselves to the state they were when the page was last created.

A path to a file or other resource that isn t necessarily the physical path. Instead, the virtual path is usually a name that maps to the physical path. For example, in the URL http://localhost/myapplication/test.aspx, the virtual path myapplication/ might map to the physical path C:\WebMatrix\.

In Internet Information Services (IIS), an alias for Web pages stored in a location other than in the default \inetpub\wwwroot directory or in a subdirectory beneath it.