Qus: What are the best practices to follow to secure connection strings in an ASP.NET web application?
Ans: 1. Always store connection strings in the site's Web.config file. Web.config is very secure. Users will not be able to access web.config from the browser.
2. Do not store connection strings as plain text. To help keep the connection to your database server secure, it is recommended that you encrypt connection string information in the configuration file.
3. Never store connection strings in an aspx page.
4. Never set connection strings as declarative properties of the Sql DataS ource control or other data source controls.
Qus: Why is "Connecting to SQL Server using Integrated Security" considered a best practice?
Ans: Connecting to SQL Server using integrated security instead of using an explicit user name and password, helps avoid the possibility of the connection string being compromised and your user ID and password being exposed.
Qus: What is the advantage of storing an XML file in the applications App_Data folder?
Ans: The contents of the App_Data folder will not be returned in response to direct HTTP requests.
Qus: What is Script injection?
Ans: A script injection attack attempts to send executable script to your application with the intent of having other users run it. A typical script injection attack sends script to a page that stores the script in a database, so that another user who views the data inadvertently runs the code.
Qus: What is SQL injection?
Ans: A SQL injection attack attempts to compromise your database by creating SQL commands that are executed instead of, or in addition to, the commands that you have built into your application.
Qus: What are the best practices to keep in mind when accepting user input on a web application?
Ans: 1. Always use validation controls whenever possible to limit user input to acceptable values.
2. Always check the Is Valid property of the aspx page. Run the server side code only if the Is Valid property value is true. A value of false means that one or more validation controls have failed a validation check.
3. Always perform server side validation irrespective of client side validation being performed or not. This will protect your web application even if the client has by passed the client side validation by disabling java script in the web browser.
4. Also make sure to re validate user input in the business logic layer of your application.
Qus: What are the steps to follow to avoid Script Injection attacks?
Ans: 1. Encode user input with the Html Encode method. This method turns HTML into its text representation.
2. If you are using the Grid View control with bound fields, set the Bound Field object's Html Encode property to true. This causes the GridView control to encode user input when the row is in edit mode.
Qus: What are the steps to follow to avoid SQL Injection attacks?
Ans: Always use parameterized queries or stored procedures instead of creating SQL commands by concatenating strings together.
Qus: Can you encrypt view state data of an aspx page?
Ans: Yes, you encrypt view state data of an aspx page by setting the page's View State Encryption Mode property to true.
Qus: What is the difference between login controls and Forms authentication?
Ans: Login control provides form authentication. If we implement for authentication through form authentication then we do it through code. On the other hand, login control allows the easy implementation.
Qus: What is Fragment Caching in ASP.NET?
Ans: Fragment caching allows to cache specific portions of the page rather than the whole page. It is done by implementing the page in different parts.
Qus: What is partial classes in .net?
Ans: When there is a need to keep the business logic separate from the User Interface or when there is some class which is big enough to have multiple number of developers
Qus: Explain how to pass a query string from an .asp page to aspx page.
Ans: From HTML in asp page:<a href="abc.aspx?qstring1=test">Test Query String</a>
From server side code: <%response.redirect "webform1.aspx?id=11"%>.
Qus: What is a View State?
Ans: If a site happens to not maintain a View State, then if a user has entered some information in a large form with many input fields and the page is refreshes, then the values filled up in the form are lost.
Qus: What is the difference between src and Code-Behind?
Ans: With the ‘src’ attribute, the source code files are deployed and are compiled by the JIT as needed.
Though the code is available to everyone with an access to the server (NOT anyone on the web)
Qus: What is the difference between URL and URI?
Ans: A URL (Uniform Resource Locator) is the address of some resource on the Web. A resource is nothing but a page of a site. There are other type of resources than Web pages, but that's the easiest conceptually.
Qus: What is the Pre-Compilation feature of ASP.NET 2.0?
Ans: Previously, in ASP.NET, the pages and the code used to be compiled dynamically and then cached so as to make the requests to access the page extremely efficient.
Qus: How can we create custom controls in ASP.NET?
Ans: Custom controls are user defined controls. They can be created by grouping existing controls, by deriving the control from System.Web.UI.Web Controls.
Qus: What is an application domain?
Ans: It's a way in CLR to maintain a boundary between various applications to ensure that they do not interfere in working of any other application.
Qus: Explain the two different types of remote object creation mode in .NET.
Ans: SAO Server Activated Object (call mode): lasts the lifetime of the server. They are activated as Single Call/Singleton objects. It makes objects stateless.
Qus: Describe SAO architecture of Remoting.
Ans: Remoting has at least three sections:-
1. Server
2. Client: This connects to the hosted remoting object
3. Common Interface between client and the server .i.e. the channel.
