0

project type is MVC2. Let say that i have page1. after success it write somethink to row and get new inserted row id and redirect to another page and sends row id as parameter. and user can see this parameter on querystring. and can change it. i think so taht it is problem in some situation(pages). i use for it a hidden input and after post checking parameter from query string with hidden input value. if they are not equal then writing in to log and redirectiong to error page. does my way is correct. or have a good methods.

thanks...

Improve this question

1 Answer 1

Reset to default
3

Exposing IDs like this is pretty standard and is what lets browser bookmarking of specific items work. Your job is to ensure that the user can only see and modify records that they should be able to.

If the user does some URL-hacking and enters the URL to an item they are not allowed to see or modify, you can either just kick them back to the parent page, or give an Access Denied message, depending upon the app/context.

The bottom line is never trust user input, including hidden form parameters.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

yes i added field to every table. this field have some value which users have too. lets say if user registered in branch 952200 he can see only rows which this.Field.IsEqual(952000). i did it. u say that in every operation i must check if user can modify this row. yes?
Great answer. The problem with having a hidden field as the asker suggested is that the user can modify that as well, so this goes back to what Red said: never trust user input.
you say that on edit first i must check if user can edit this row or not. after success save to DB. i am right?
@AEMLoviji: Yes, security is paramount, and should be applied at as low a level as is practical, to ensure it is not circumvented.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.