asp.net MVC 查询字符串
项目类型是MVC2。假设我有 page1。成功后,它将 somethink 写入行并获取新插入的行 id 并重定向到另一个页面并将行 id 作为参数发送。用户可以在查询字符串上看到此参数。并可以改变它。我认为在某些情况下(页面)这是问题。我使用隐藏输入,并在使用隐藏输入值的查询字符串中检查参数后。如果它们不相等,则写入日志并重定向到错误页面。我的方法是否正确。或者有好的方法。
谢谢...
project type is MVC2. Let say that i have page1. after success it write somethink to row and get new inserted row id and redirect to another page and sends row id as parameter. and user can see this parameter on querystring. and can change it. i think so taht it is problem in some situation(pages). i use for it a hidden input and after post checking parameter from query string with hidden input value. if they are not equal then writing in to log and redirectiong to error page. does my way is correct. or have a good methods.
thanks...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
像这样公开 ID 是相当标准的,并且可以让浏览器为特定项目添加书签。您的工作是确保用户只能查看和修改他们应该能够看到的记录。
如果用户进行了一些 URL 黑客攻击并输入了不允许他们查看或修改的项目的 URL,您可以将他们踢回父页面,或者给出
拒绝访问消息,取决于应用程序/上下文。最重要的是永远不要信任用户输入,包括隐藏的表单参数。
Exposing IDs like this is pretty standard and is what lets browser bookmarking of specific items work. Your job is to ensure that the user can only see and modify records that they should be able to.
If the user does some URL-hacking and enters the URL to an item they are not allowed to see or modify, you can either just kick them back to the parent page, or give an
Access Deniedmessage, depending upon the app/context.The bottom line is never trust user input, including hidden form parameters.