Subject: Restricting querystring change
Posted By: lily611
Post Date: 4/10/2008 10:58:24 AM

Hi,
I am passing a value with querystring in the URL and accessing that value in the next form to display data. My problem is that I am able to change the querystring value manually, which I want to restrict. How could I handle this in ASP.NET 2.0 using C#?
Thanks Lily

Reply By: samjudson
Reply Date: 4/10/2008 11:01:24 AM

You'll have to not use a querystring if you don't want the querystring to be edited (which it always can).
The easiest is to use the Session object to store your value temporarily.
/- Sam Judson : Wrox Technical Editor -/

Reply By: planoie
Reply Date: 4/10/2008 11:56:13 PM

As Sam stated, you can't stop the user from editing the querystring.
However, you could store a check value in it as well as the actual value. Take some value, hash it, pass both on the query string. Then your receiving page hashes the real value and compares the query string hash to verify it hasn't been tampered with. Of course, if a .NET developer saw the querystring they might be able to try a few standard hash routines and figure out the hash you used and create their own. If you are still concerned then you could encrypt the data. Although, again as Sam stated, it would be considerably simpler to just put it into session.
-Peter peterlanoie.blog
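
The check value described in the reply above, as an added example that is not part of the original posts: it uses a keyed hash (HMAC-SHA256) rather than a plain hash, so the tag cannot be reproduced by guessing the hash routine. The class name, parameter names, page name and key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; every name below is hypothetical.
public static class SignedQuery
{
    // Assumption: in a real site the key comes from protected server-side
    // configuration and is shared by every server in the farm.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("constructed-demo-key-replace-me");

    // Bind the tag to the parameter name as well as the value, so a tag
    // issued for one parameter cannot be reused for another.
    public static string Sign(string name, string value)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Key))
        {
            byte[] data = Encoding.UTF8.GetBytes(name + "=" + value);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    public static string BuildUrl(string page, string name, string value)
    {
        return page + "?" + name + "=" + Uri.EscapeDataString(value)
             + "&sig=" + Sign(name, value);
    }

    // Recompute the tag on the receiving page and compare without an
    // early exit, so timing does not reveal how many characters matched.
    public static bool Verify(string name, string value, string sig)
    {
        if (value == null || sig == null) return false;
        string expected = Sign(name, value);
        int diff = expected.Length ^ sig.Length;
        for (int i = 0; i < expected.Length && i < sig.Length; i++)
            diff |= expected[i] ^ char.ToUpperInvariant(sig[i]);
        return diff == 0;
    }

    public static void Main()
    {
        string url = BuildUrl("Details.aspx", "id", "42");
        string sig = url.Substring(url.IndexOf("&sig=") + 5);
        Console.WriteLine(Verify("id", "42", sig));  // value as issued
        Console.WriteLine(Verify("id", "43", sig));  // value edited by hand
    }
}
```

A valid tag only shows that the server issued that value; the receiving page still has to check that the current user may see the record, since a signed URL can be reused as-is.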

Reply By: robzyc
Reply Date: 4/11/2008 12:45:21 AM

I could be way off base here, it's been a LONG time since I have done any Web (way back when ASP classic was new!) but isn't there two methods for POSTing data? One being querystring, the other keeping the values hidden?
I can't remember the exact terms for them, but I remember doing them when I was learning/building my website at the time! 
Rob The Developing Developer Currently Working Towards: MCAD C# My Blog: http://robzyc.spaces.live.com

Reply By: samjudson
Reply Date: 4/11/2008 3:14:06 AM

The two most common methods of calling a web page are GET and POST. GET uses the querystring, whereas POST can encode the parameters in the body of the sent message.
However if you are trying to redirect from one page to another (i.e. using Response.Redirect) then you can't do a POST call, only a GET (or rather you are instructing the web browser to do a GET).
POST calls are done using the HttpWebRequest classes and are not really applicable in this instance.
/- Sam Judson : Wrox Technical Editor -/

Reply By: robzyc
Reply Date: 4/11/2008 3:15:54 AM

Ah cool, thanks for clarifying! 
Rob The Developing Developer Currently Working Towards: MCAD C# My Blog: http://robzyc.spaces.live.com

Reply By: planoie
Reply Date: 4/11/2008 7:28:03 AM

Technically, if you wanted to you can post to another page. Not only does ASP.NET now support cross page posting (although from these forums it appears to be problematic) you could always create some javascript that tickles the form action attribute prior to submission to force it to post to another form. But you'd probably need to tweak several other things to keep ASP.NET from throwing up on you. I've never done this but I would imagine that some of the .NET hidden fields such as view state and event validation would need to be cleared out so there aren't errors from processing those fields.
All of this is still far more difficult than using the session.
-Peter peterlanoie.blog

Reply By: dparsons
Reply Date: 4/11/2008 11:25:01 AM

Hello Lily,
As has been pointed out, storing the value in Session is going to be the best way to prevent the user from manipulating the data. Something else to consider is that if you are passing multiple values through the querystring, using Session, IMHO, may not be the best route. Personally I hate trying to juggle a plethora of session values.

An alternate solution would be to continue using query string values and set up some basic error checking in Page_Load so that the values you would expect to come in are in fact what is coming in.

Consider:

protected void Page_Load(object sender, EventArgs e)
{
    if (!Page.IsPostBack)
    {
        if (Request.QueryString["<value>"] != null)
        {
            if (FunctionsLib.IsNumeric(Convert.ToString(Request.QueryString["<value>"])))
            {
                // value is present and numeric
            }
        }
    }
}

Reply By: DZukiewicz
Reply Date: 4/15/2008 8:08:59 AM

Another option would be to use the Cryptographic Service Providers, encrypt it with a locally stored key, shared across the web farm, but like everyone has said - massive overkill!
Server.Transfer() and Session objects are definitely the way to go!
Regards,
Dominic

Reply By: lily611
Reply Date: 4/24/2008 3:05:19 AM

I had better go with Session because, as there is no round trip, Server.Transfer keeps the user in the same .aspx page, which I don't want.