Wrox Programmer Forums
C# 2005 For discussion of Visual C# 2005.

You are currently viewing the C# 2005 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old April 10th, 2008, 10:58 AM
Restricting querystring change

Hi,

I am passing a value with querystring in URL and accessing that value in next form to display data. My problem is I am able to change the querystring value manually, which I want to restrict. How could I handle this in ASP.NET 2.0 using C#?


Thanks
Lily

 
Old April 10th, 2008, 11:01 AM

You'll have to not use a querystring if you don't want the querystring to be edited (which it always can).

The easiest is to use the Session object to store your value temporarily.

/- Sam Judson : Wrox Technical Editor -/
 
Old April 10th, 2008, 11:56 PM

As Sam stated, you can't stop the user from editing the querystring.

However, you could store a check value in it as well as the actual value. Take some value, hash it, pass both on the query string. Then your receiving page hashes the real value and compares the query string hash to verify it hasn't been tampered with. Of course, if a .NET developer saw the querystring they might be able to try a few standard hash routines and figure out the hash you used and create their own. If you are still concerned then you could encrypt the data. Although, again as Sam stated, it would be considerably simpler to just put it into session.

-Peter
peterlanoie.blog
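
An added example, not part of Peter's post: the check-value idea described above, using a keyed hash (HMAC-SHA256) in place of a plain hash so that guessing the hash routine is not enough to forge a matching value. The class name SignedQuery, the sig parameter and the key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: signs a query string value with a keyed hash (HMAC-SHA256).
public static class SignedQuery
{
    // Assumption: a real site loads the key from protected server-side
    // configuration shared across the web farm; this one is constructed.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");

    private static string ComputeTag(string name, string value)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Key))
        {
            // Bind the tag to the parameter name so it cannot be reused elsewhere.
            byte[] data = Encoding.UTF8.GetBytes(name + "=" + value);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    // Sending page: builds "id=42&sig=<hex>".
    public static string Build(string name, string value)
    {
        return Uri.EscapeDataString(name) + "=" + Uri.EscapeDataString(value)
             + "&sig=" + ComputeTag(name, value);
    }

    // Receiving page: true only if sig matches the value that arrived.
    public static bool Verify(string name, string value, string sig)
    {
        if (value == null || sig == null) return false;
        string expected = ComputeTag(name, value);
        if (expected.Length != sig.Length) return false;
        int diff = 0; // compare every character so timing does not leak a prefix match
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ char.ToUpperInvariant(sig[i]);
        return diff == 0;
    }

    public static void Main()
    {
        string query = Build("id", "42");
        string sig = query.Substring(query.IndexOf("&sig=") + 5);
        Console.WriteLine(Verify("id", "42", sig)); // untouched value: True
        Console.WriteLine(Verify("id", "43", sig)); // value edited by hand: False
    }
}
```

The tag only proves the server issued that value; a user can still replay another signed link they were legitimately given, so the receiving page still has to check that the current user may see the record.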
 
Old April 11th, 2008, 12:45 AM

I could be way off base here, it's been a LONG time since I have done any Web (way back when ASP classic was new!) but aren't there two methods for POSTing data? One being querystring, the other keeping the values hidden?

I can't remember the exact terms for them, but I remember doing them when I was learning/building my website at the time! :)

Rob
The Developing Developer
Currently Working Towards: MCAD C#
My Blog: http://robzyc.spaces.live.com
 
Old April 11th, 2008, 03:14 AM

The two most common methods of calling a web page are GET and POST. GET uses the querystring, whereas POST can encode the parameters in the body of the sent message.

However if you are trying to redirect from one page to another (i.e. using Response.Redirect) then you can't do a POST call, only a GET (or rather you are instructing the web browser to do a GET).

POST calls are done using the HttpWebRequest classes and are not really applicable in this instance.

/- Sam Judson : Wrox Technical Editor -/
 
Old April 11th, 2008, 03:15 AM

Ah cool, thanks for clarifying! :)

Rob
The Developing Developer
Currently Working Towards: MCAD C#
My Blog: http://robzyc.spaces.live.com
 
Old April 11th, 2008, 07:28 AM

Technically, if you wanted to, you can post to another page. Not only does ASP.NET now support cross page posting (although from these forums it appears to be problematic), you could always create some JavaScript that tickles the form action attribute prior to submission to force it to post to another form. But you'd probably need to tweak several other things to keep ASP.NET from throwing up on you. I've never done this but I would imagine that some of the .NET hidden fields such as view state and event validation would need to be cleared out so there aren't errors from processing those fields.

All of this is still far more difficult than using the session.

-Peter
peterlanoie.blog
 
Old April 11th, 2008, 11:25 AM

Hello Lily,
   As has been pointed out, storing the value in Session is going to be the best way to prevent the user from manipulating the data. Something else to consider is that if you are passing multiple values through the querystring, using Session, IMHO, may not be the best route. (Personally I hate trying to juggle a plethora of session values.)

An alternate solution would be to continue using query string values and set up some basic error checking in Page_Load so that the values you would *expect* to come in are in fact what is coming in.

Consider:

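protected void Page_Load(object sender, EventArgs e)
{
     if(!Page.IsPostBack)
     {
        // The value must be present in the query string...
        if(Request.QueryString["<value>"] != null)
        {
            // ...and must be numeric before the page uses it.
            // FunctionsLib.IsNumeric is a custom helper (see the note below).
            if(FunctionsLib.IsNumeric(Convert.ToString(Request.QueryString["<value>"])))
            {
              //Process page
            }
            else
            {
              //Send message back to user about an error
            }
        }
        else
        {
           //Send message back to user about an error
        }
     }
}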
This is all very basic and it deals with only 1 query string value but you could adapt this to handle all of the query string values that your page expects.

(One final note, the call FunctionsLib.IsNumeric will not work in C# out of the box, this is a custom class that I wrote that contains various functions that I find myself using more often than not.)

hth.
-Doug

===========================================================
Read this if you want to know how to get a correct reply for your question:
http://www.catb.org/~esr/faqs/smart-questions.html
===========================================================
.: Wrox Technical Editor / Author :.
Wrox Books 24 x 7
===========================================================
 
Old April 15th, 2008, 08:08 AM

Another option would be to use the Cryptographic Service Providers, encrypt it with a locally stored key, shared across the web farm, but like everyone has said - massive overkill!

Server.Transfer() and Session objects are definitely the way to go!

Regards,

Dominic
 
Old April 24th, 2008, 03:05 AM

I had better go with Session because, as there is no round trip, Server.Transfer keeps the user in the same .aspx page, which I don't want.





