Can a hacker modify any of the parameters sent as part of an Ajax.ActionLink call?

Posted 2025-01-06 23:24:46


I have the following Ajax.ActionLink inside a view to add an answer under a question:

    @Ajax.ActionLink("Add Answers",
        "Create", "Answer",
        new { questionid = question.QuestionID },
        new AjaxOptions
        {
            InsertionMode = InsertionMode.Replace,
            HttpMethod = "Get",
            UpdateTargetId = "removetable"
        })

which will call the following action method:

    public ActionResult Create(int questionid)
    {
        // ToLis() was a typo; ToList() materialises the descriptions for the SelectList
        ViewBag.IsRight = new SelectList(repository.FindAllAnswerDescription().ToList(), "IsRight", "description", 1);
        ViewBag.questionid = questionid;
        Answer answer = new Answer();
        return PartialView("_answer", answer);
    }

So my question is: will a hacker be able to modify the new { questionid = question.QuestionID } parameter sent by the Ajax link? And if yes, how can I avoid this?
BR

Edited:
I am doing the following check using a helper method (IsauthorizedBy) on the POST action method, to check whether the user is authorized to answer a question or not:

    [HttpPost]
    public ActionResult Create(int questionid, Answer a)
    {
        // look the question up on the server; do not trust the posted id by itself
        var q = repository.findquestion(questionid);
        if ((q == null) || (!q.IsauthorizedBy(User.Identity.Name)))
        {
            // an ActionResult method cannot return a bare string; Content() wraps it
            return Content("error");
        }
        if (ModelState.IsValid)
        {
            repository.AddAnswer(a);
            repository.Save();
            return PartialView("_details", a);
        }
        // validation failed: redisplay the answer form with the submitted model
        return PartialView("_answer", a);
    }

So will it handle a hacker who tries to modify the question id and answer a question he is not authorized to answer?
BR
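As an added example (not code from the question or from either answer), here is one way to apply the server-side check to both actions at once: the GET action is guarded as well as the POST, one helper decides whether the current user may answer the looked-up question, and the saved answer's question id is taken from that authorized question rather than from anything the client posted. It assumes an `IAnswerRepository` interface over the poster's `repository`, an `Answer.QuestionID` property, and an answer form that emits `@Html.AntiForgeryToken()`.

```csharp
using System.Linq;
using System.Web.Mvc;

[Authorize] // the caller must at least be logged in; the per-question check is done below
public class AnswerController : Controller
{
    // Assumed: same repository, Question and Answer types as the poster's code, plus an Answer.QuestionID property.
    private readonly IAnswerRepository repository;
    public AnswerController(IAnswerRepository repository) { this.repository = repository; }

    // Single authorization gate used by BOTH actions. A questionid that does not exist or that the
    // current user may not answer yields null, whatever value the client put in the URL or the form.
    private Question FindAuthorizedQuestion(int questionid)
    {
        var q = repository.findquestion(questionid);
        return (q != null && q.IsauthorizedBy(User.Identity.Name)) ? q : null;
    }

    // GET: protect the form too, so the answer form for a foreign question cannot even be loaded.
    [HttpGet]
    public ActionResult Create(int questionid)
    {
        var q = FindAuthorizedQuestion(questionid);
        if (q == null) { return new HttpStatusCodeResult(403); } // or HttpNotFound() to hide existence
        ViewBag.IsRight = new SelectList(repository.FindAllAnswerDescription().ToList(), "IsRight", "description", 1);
        ViewBag.questionid = q.QuestionID;
        return PartialView("_answer", new Answer { QuestionID = q.QuestionID });
    }

    // POST: re-check on every request, then take the question id from the authorized question, never from
    // the posted model. Bind(Exclude) stops model binding from filling Answer.QuestionID from the form.
    [HttpPost]
    [ValidateAntiForgeryToken] // assumes the partial's form emits @Html.AntiForgeryToken()
    public ActionResult Create(int questionid, [Bind(Exclude = "QuestionID")] Answer a)
    {
        var q = FindAuthorizedQuestion(questionid);
        if (q == null) { return new HttpStatusCodeResult(403); }

        if (!ModelState.IsValid)
        {
            ViewBag.questionid = q.QuestionID;
            return PartialView("_answer", a);
        }

        a.QuestionID = q.QuestionID; // server-side value wins
        repository.AddAnswer(a);
        repository.Save();
        return PartialView("_details", a);
    }
}
```

The check in the poster's edit covers only the POST and only the `questionid` route value; this version also closes the gap where a different `QuestionID` inside the posted `Answer` could be saved under the authorized question's name.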


月竹挽风 2025-01-13 23:24:46


Yes, but you want to ensure on the server side that they have access to this question, by querying their permissions and having some database scheme in place ensuring they have access to it. If that's not feasible, then you can use Html.AntiModelInjectionFor from mvcsecurity.codeplex.com plus [ValidateAntiModelInjection()].

美人如玉 2025-01-13 23:24:46


You never trust anything coming from the client side. Everything can be altered on the way, either in the scripts or on the network.

Since it's only an id, you need to be careful and do extra checks on the server.
