
I have a GridView containing hyperlinks which can be added dynamically. Here is my .aspx code.

<asp:GridView ID="TeamGrid" runat="server" AutoGenerateColumns="False" HeaderStyle-BackColor="#337AB7" HeaderStyle-ForeColor="White" CssClass="table table-condensed" CellPadding="4" ForeColor="#333333" GridLines="None" Width="350px">
  <AlternatingRowStyle BackColor="White" ForeColor="#284775" />
    <Columns>
      <asp:HyperLinkField DataTextField="Team" DataNavigateUrlFields="Team_ID" DataNavigateUrlFormatString="Team.aspx?Team_ID={0}" HeaderText="Team" ItemStyle-Width="250">
        <ItemStyle Width="250px"></ItemStyle>
      </asp:HyperLinkField>

      <asp:BoundField DataField="Position" HeaderText="Position" ItemStyle-Width="150">
        <ItemStyle Width="150px"></ItemStyle>
     </asp:BoundField>
   </Columns>
</asp:GridView>

This is how I add data to the grid.

DataTable dt = new DataTable();
dt.Columns.AddRange(new DataColumn[3] { new DataColumn("Team_ID"), new DataColumn("Team"), new DataColumn("Position") });

foreach(Team team in UserTeams)
{
    if (team.Leader_ID.Equals(UserID)) //check whether user is the leader of the team.
    {
        dt.Rows.Add(team.Team_ID, team.Team_Name, "Leader");
    }
    else
    {
        dt.Rows.Add(team.Team_ID, team.Team_Name, "Member");
    }
}
TeamGrid.DataSource = dt;
TeamGrid.DataBind();

TeamGrid is the ID of the grid. Team is an object.

I want to hide/encrypt the parameter which I send in the URL (Team_ID) and decrypt it in the result page (Team.aspx). How can I do this? (I'm new to ASP.NET and C#.)

3
  • In short, you can't secure your code this way. Commented Sep 3, 2015 at 20:39
  • You can, but the short answer is - it does nothing. More info here: stackoverflow.com/questions/4614542/… or the other 500 or so questions on stack overflow with a similar request... so my question is: what exactly are you trying to achieve by doing this? Commented Sep 3, 2015 at 20:53
  • I want to hide my Team_ID from the user. The user does not need to know the Team_ID, and Team_ID is the primary key of my database table. I use this ID to handle data in the result page. If this is not the relevant one, what can I do to hide Team_ID from users? Commented Sep 4, 2015 at 8:46

1 Answer

If your aim is to prevent people guessing the Team_ID parameter in your query string, you should not use Team_ID, as query strings cannot be encrypted effectively and if you're using an Identity db value for Team_ID, this can be guessed easily enough.

What you can do is create a new field in your Team object / table called something like "Team_Key". The Team_Key will be a randomized string which will always be unique. A good way of ensuring you get a unique Team_Key every time a Team object is created, is by doing something like this...

team.Team_Key = Guid.NewGuid().ToString();

You then need to replace all references to Team_ID in your code with Team_Key instead e.g.

DataNavigateUrlFormatString="Team.aspx?Team_ID={0}"

becomes...

DataNavigateUrlFormatString="Team.aspx?Team_Key={0}"

Your grid databinding and Team.aspx codebehind will also obviously need updating.

6 Comments

In the result page, I use that Team_ID to handle data. If I use this Team_Key, how can I get Team_ID? Team_ID is the primary key of my database table.
In your code on Team.aspx, you'll be able to get the Team_Key using Request.QueryString["Team_Key"]
... Then you'll need to look up the Team by the Team_Key instead of Team_ID. It will be fine doing it this way as Team_Key is unique
Yes, Team_Key can be retrieved in that way. But I need to get Team_ID. Without Team_ID I cannot get data from table.
You can get the data from the table if you add a new field called Team_Key like I mentioned earlier. The Team_Key is a guid generated at the time a new Team record is inserted. If you have existing Team records already in the table, just create new guids for each of these and add them to the table. This way you're only using Team_Key from now on to get the appropriate Team from the table. This is so no one can guess the query string... A guid is pretty much impossible to guess without a brute force attack
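The lookup discussed in the comments above, as an added example that is not part of the original answer: the Team.aspx side resolves Team_Key back to the row (and so to Team_ID) on the server, and still checks that the current user belongs to the team. The `TeamLookup.Resolve` helper, the `Member_IDs` field and the in-memory list standing in for the table are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed stand-in for a Team table row. Team_Key is the column the answer
// adds; Member_IDs is an assumed way of recording membership.
class Team
{
    public int Team_ID;
    public Guid Team_Key = Guid.NewGuid();
    public string Team_Name;
    public int Leader_ID;
    public HashSet<int> Member_IDs = new HashSet<int>();
}

static class TeamLookup
{
    // Hypothetical helper for the Team.aspx code-behind: maps the Team_Key
    // query-string value to a row. Malformed key, unknown key and "not your
    // team" all return null, so the page can answer all three the same way.
    public static Team Resolve(IEnumerable<Team> table, string rawKey, int userId)
    {
        Guid key;
        if (!Guid.TryParse(rawKey, out key)) return null; // reject junk input early
        Team team = table.FirstOrDefault(t => t.Team_Key == key);
        if (team == null) return null;
        // The key only makes the URL hard to guess; access is still decided here.
        bool allowed = team.Leader_ID == userId || team.Member_IDs.Contains(userId);
        return allowed ? team : null;
    }
}

static class Demo
{
    static string Describe(Team t) { return t == null ? "not found" : "Team_ID " + t.Team_ID; }

    static void Main()
    {
        var red = new Team { Team_ID = 1, Team_Name = "Red", Leader_ID = 10 };
        var blue = new Team { Team_ID = 2, Team_Name = "Blue", Leader_ID = 20 };
        red.Member_IDs.Add(11);
        var table = new List<Team> { red, blue };

        // What the HyperLinkField renders once it binds Team_Key instead of Team_ID.
        string fromUrl = red.Team_Key.ToString();
        Console.WriteLine("Team.aspx?Team_Key=" + fromUrl);
        Console.WriteLine(Describe(TeamLookup.Resolve(table, fromUrl, 11))); // member of Red
        Console.WriteLine(Describe(TeamLookup.Resolve(table, fromUrl, 20))); // leader of Blue only
        Console.WriteLine(Describe(TeamLookup.Resolve(table, "1", 11)));     // old integer id
    }
}
```

In the real page the list would be replaced by a parameterised query on the Team_Key column, which should carry a unique index.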