Reputation: 3257
The project type is MVC2. Let's say that I have page1. After success it writes something to a row, gets the newly inserted row id, redirects to another page and sends the row id as a parameter. The user can see this parameter in the query string and can change it. I think that this is a problem in some situations (pages). I use a hidden input for it, and after the post I check the parameter from the query string against the hidden input value. If they are not equal, I write to the log and redirect to an error page. Is my way correct, or are there better methods?
Thanks...
Upvotes: 0
Views: 314
Reputation: 171559
Exposing IDs like this is pretty standard and is what lets browser bookmarking of specific items work. Your job is to ensure that the user can only see and modify records that they should be able to.
If the user does some URL-hacking and enters the URL to an item they are not allowed to see or modify, you can either just kick them back to the parent page, or give an Access Denied message, depending upon the app/context.
The bottom line is never trust user input, including hidden form parameters.
Upvotes: 3
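To illustrate the answer's point, here is an added example (not code from the question or the answer) of an ASP.NET MVC 2 controller: the hidden-field comparison from the question next to a server-side ownership check. `AppDbContext`, `Orders`, `OwnerName` and the `Order` type are assumed names for whatever data access the project uses.

```csharp
using System.Linq;
using System.Web.Mvc;

public class OrdersController : Controller
{
    // Assumed data access layer; any ORM or repository would do.
    private readonly AppDbContext _db = new AppDbContext();

    // Weak: comparing the query-string id with a hidden form field proves nothing,
    // because the same client supplies both values and can change both together.
    [HttpPost]
    public ActionResult EditWeak(int id, int hiddenId)
    {
        if (id != hiddenId)
            return RedirectToAction("Error");      // the only "check" performed

        var order = _db.Orders.Single(o => o.Id == id); // any id is accepted
        UpdateModel(order);
        _db.SaveChanges();
        return RedirectToAction("Details", new { id = order.Id });
    }

    // Hardened: the id stays in the URL (bookmarkable), but the record is loaded
    // only if it belongs to the authenticated user. An unknown id and someone
    // else's id are handled identically, so nothing is leaked about other rows.
    [HttpGet]
    [Authorize]
    public ActionResult Edit(int id)
    {
        var order = LoadOwnedOrder(id);
        if (order == null)
            return new HttpStatusCodeResult(403);   // or RedirectToAction("Index")
        return View(order);
    }

    // The same ownership check is repeated on the POST; the GET having passed
    // earlier means nothing, since the POST is a fresh, user-controlled request.
    [HttpPost]
    [Authorize]
    public ActionResult Edit(int id, FormCollection form)
    {
        var order = LoadOwnedOrder(id);
        if (order == null)
            return new HttpStatusCodeResult(403);
        UpdateModel(order);                        // binds only onto a row we own
        _db.SaveChanges();
        return RedirectToAction("Details", new { id = order.Id });
    }

    private Order LoadOwnedOrder(int id)
    {
        string owner = User.Identity.Name;
        return _db.Orders.SingleOrDefault(o => o.Id == id && o.OwnerName == owner);
    }
}
```

The hidden input can simply be dropped: the authorization decision is made from the server-side identity plus the row's owner column, never from anything the browser sends back.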