ASP.NET Bad Practices: What you shouldn’t do in ASP.NET (Part 1)

I’ve been blogging for Windows Azure stuff for the past 3 years. Nonetheless, I’m still catching up .NET and its family pretty closely.

We’ve been listening to the best practices so far from anywhere (such as MSDN, conferences, blogs, etc.). But whether to follow the best practices or not could be another side of the story. Today, I’m gonna blog something special (at least to me). Not best practices, but bad practices. Aha! This serves as the warnings to you when developing ASP.NET application, things that you shouldn’t do in ASP.NET.

I’ve been gathered quite a few bad practices from various sources including personal experiences, feedback from colleagues, online articles and blogs, presentations, MSDN, and so many more. I’ll be discussing 5 of them first in this post will catch up more in upcoming posts.


Don’t get me wrong when you see the title. I’m not saying to use ASP.NET is a bad practice. Not even saying that ASP.NET is bad. To me, ASP.NET is awesome web development platform and I really love it. In fact, some of the web vulnerabilities or shortages has been answered and covered by ASP.NET by default.

Unfortunately, sometimes there’re always misuses, overuses, abuses, or deprecated features that we should really paying attention to. Coz they really can be timed-bomb in your house and make your days worst.

Most of them within the discussion here are ASP.NET related. However, you might see some of them are pretty generic web programming mistakes / bad practices, which also applicable in ASP.NET.

Additionally, you will also find some that are generic in .NET which applicable in others .NET app, not only applicable in ASP.NET. But I believe they’re significant enough to be in the discussion.

Alright, now let’s go for them now!

ASP.NET Bad Practices


1. Not Validating User Input

This is very fundamental yet frequently-made mistake. The impact might be pretty serious if it’s combined with others bad practices (discussed subsequently)


  • Forget to validating user input
    • Think all users are bad guys!
    • Especially Textboxes and FileUploaders


  • Potential of SQL Injection victim
  • Potential of Cross Site Scripting victim


  • Validate! Validate! Validate!
    • max length
    • type (int, string, etc.)
    • special character (with Regex)
  • Double Protection
    • Client Side + Server Side
    • ASP.NET Validation Controls


2. Connection to database with inline SQL


  • Executing database command with inline SQL query and concatenated string


string cmd = string.Format("SELECT ProductId, ProductName, QuantityPerUnit, UnitPrice FROM PRODUCTS WHERE ProductName like ‘%{0}%’", searchText);


  • Potential of SQL Injection victim


  • Cmd.Parameters.Add()
    • This is slightly better


sqlCmd.Parameters.Add(new SqlParameter("@ProductName", txtProductName.Text));


  • Stored Procedure
  • ORM (Entity Framework / NHibernate / etc.)


3. User accounts privilege on database access


  • Give more than sufficient permission database access


  • Unauthorized access
  • If it’s SQL Injected, you will be like this:


  • Find out what permission the app really needs
  • Give only what they need
    • Execute Store Proc only
    • Execute Table only


4. Paging in data controls


  • Using Default Paging on ASP.NET data controls
  • It’s actually depending on your data source


  • It’s bringing entire data in the table while just showing a fraction of it
  • Unnecessary round trip from web server to DB Server


  • When data is relatively small
  • Assess your trade-off
    • Dev effort VS performance


  • Using custom server side paging
  • Using effective data source:
    • ADO.NET EF Data Source
  • TIPS: Use SQL Profiler to see the generated T-SQL when performing paging


5. Storing big objects in viewstate and sessions


  • Storing big / plenty objects in ViewStates and Sessions


  • Performance
  • Big size page, due to viewstate, like this:


  • Memory leakage on web / app server


  • Know really what you need
  • Store only what you use
  • Disposing them away when no longer in used


Okay, that’s all for the part 1. Check out again the part 2 soon.

This entry was posted in ASP.NET, Bad Practices and tagged . Bookmark the permalink.

2 Responses to ASP.NET Bad Practices: What you shouldn’t do in ASP.NET (Part 1)

  1. Pingback: ASP.NET Bad Practices: What you shouldn’t do in ASP.NET (Part 2) | Wely's Cloud Journey

  2. Pingback: ASP.NET Bad Practices: What you shouldn’t do in ASP.NET (Part 3) | Wely's Cloud Journey

Leave a Reply

Your email address will not be published. Required fields are marked *