0

I have tried using several things one of which was QueryString. Here is my code:

function () { var tid = $(this).text(); 
  var url = "SearchResult.aspx?about=" + encodeURIComponent(tid) + ""; 
  window.location = url; 
}

protected void Page_Load(object sender, EventArgs e)
{
    string arg = Request.QueryString["about"];
}

But the problem is all we know that data can be seen in url and can be modified by any user.

Now what to do so that i could pass my data and it won't be visible to any user.

Is there some way using __doPostBack() or Not?

Improve this question
4
  • 1
    It's unclear to me what you mean by "not visible". If you POST data to the server you can hide it from view by using hidden fields, but you cannot prevent users from altering the posted data if they want to. Besides, if this is a search function ("SearchResult.aspx suggests to me that it is), you might want to stick with the query string so that users can bookmark the search result. To get a better answer, I think you need to be more specific in what it is that you're trying to achieve. Commented Mar 5, 2016 at 9:39
  • If you really need to prevent user from seeing and understanding the data you pass, you may encrypt your data (tid in this case) in JS and decrypt in C#. See for example these questions which explain how to do that: stackoverflow.com/questions/746347/…, stackoverflow.com/questions/6830685/…. Commented Mar 5, 2016 at 9:41
  • @SashaDu The script will be accessible to the user though, and the entire encryption process can be reproduced from that, so what's the gain? Commented Mar 5, 2016 at 9:43
  • @Oskar Lindberg: We do not know exactly what is the Jay case and why he needs to protect the query string. So I suppose he just do not wish the user to see and understand and ask questions about the data appearing in the query string. I suppose his intention is not to achieve a full protection against hackers... Commented Mar 5, 2016 at 9:47

1 Answer 1

Reset to default
0

Well you can post the data like 

$.post('SearchResult.aspx', {about : encodeURIComponent(tid)});

and in sever side:

   string arg = Request.Form["about"];

but this is also not safe. anybody can post anything. unless there is a access token.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Even with an access token or whatever, one specific user can still manipulate the POST data.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.