Last post Jul 01, 2012 04:54 AM by yousaid
Jun 28, 2012 08:22 PM
Take a look at this URL: http://localhost:29299/Manager/NewsDetail.cshtml?Newsid=7. The QueryString looks like this:
grid.Column(format: @<a href="~/manager/NewsDetail?Newsid=@item.newsID">Details</a>) or this
grid.Column(format: @<a href="@Href("~/Manager/NewsDetail.cshtml?Newsid=" + item.newsID)">Details</a>),
The problem is that if the user changes the id from 7 or guesses what the next number is, the article or item is pulled up. I don't want the numbers or item id to show, so users cannot guess the next sequence. How do I fix the URL not to show this?
Jun 28, 2012 08:54 PM
How is that a problem? If the end user enters a different id, he will simply see different news...
Anyway, you can find some info about routing here:
If you want something unique and hard to guess, you can use a GUID, but it will look like this: 3F2504E0-4F89-11D3-9A0C-0305E82C3301
Jun 29, 2012 05:02 AM
"I don't want the numbers or Item id to show so users cannot guess the next sequence"
I agree with Tom. Why is this a problem? You can stop people seeing news or other data they are not entitled to see by protecting it through roles and permissions, and if they want to manipulate the querystring, they will. That's why you should validate the values. You should also have proper handling in place in case they change it to a value that doesn't exist in the database. That's more likely to happen if you make the value more complicated to guess.
Jun 29, 2012 09:09 PM
Even if you use URL routing, you need something that tells you what article to bring up.
What Tom suggested will work better than using an integer Newsid if your goal is to not let users guess article ids, but it may not be SEO friendly.
Another way is to keep a unique name for each article; then you can call the page like this:
Web Pages allows you to use URL parts instead of query string parameters.
Still, you will need to validate the URL part, since you would not want someone to try to pass in possibly malicious code through the URL.
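Added example, not part of any post in this thread: a sketch of NewsDetail.cshtml that applies the advice in the two replies above. It validates the id whether it arrives as a URL part or as ?Newsid=, uses a parameterized query, returns 404 for an id that does not exist, and checks permission on the server. The database name "NewsDb", the News table with its Title, Body and IsPublished columns, and the "Editor" role are assumptions.

```razor
@* NewsDetail.cshtml: added example. "NewsDb", the News table, its
   Title/Body/IsPublished columns and the "Editor" role are assumed names. *@
@using System.Net
@{
    // Accept the id as a URL part (/Manager/NewsDetail/7) or as ?Newsid=7.
    // UrlData[0] is an empty string when no URL part was supplied.
    var raw = UrlData[0].IsEmpty() ? Request.QueryString["Newsid"] : UrlData[0];

    // Anything that is not a positive integer is rejected before it
    // reaches the database (IsInt() is false for null or non-numeric input).
    if (!raw.IsInt() || raw.AsInt() <= 0) {
        Response.SetStatus(HttpStatusCode.BadRequest);
        return;
    }
    var id = raw.AsInt();

    // Parameterized query: the value is bound to @0, never concatenated into SQL.
    var db = Database.Open("NewsDb");
    var item = db.QuerySingle(
        "SELECT newsID, Title, Body, IsPublished FROM News WHERE newsID = @0", id);

    // A well-formed id with no matching row gets a 404, not an error page.
    if (item == null) {
        Response.SetStatus(HttpStatusCode.NotFound);
        return;
    }

    // Access is decided here, per row, and does not depend on the id being
    // hard to guess. Unpublished items answer 404 to everyone except editors,
    // so the response does not reveal that the row exists.
    bool isEditor = Request.IsAuthenticated && User.IsInRole("Editor");
    if (!item.IsPublished && !isEditor) {
        Response.SetStatus(HttpStatusCode.NotFound);
        return;
    }
}
@* Razor HTML-encodes @item.Title and @item.Body on output. *@
<h1>@item.Title</h1>
<div>@item.Body</div>
```

With this check in place, changing 7 to another number returns only what the current user is allowed to read, whether the key is an integer, a GUID or a name.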
Jul 01, 2012 04:54 AM
All solutions presented here, including the original perceived issue, all work. I just thought there was a better way.
The best method may be to use sessions, but then they are sometimes resource intensive.