Last post Oct 03, 2018 04:44 AM by silenttalk
Sep 30, 2018 01:56 PM|silenttalk|LINK
Hopefully this is the the most accurate area to post my question. I have developed a VB.NET wen forms application with an SQL database. It is for a membership system for a fitness class. Pretty much all of this is working and 99% of this is just for internal
I want to expose a minute part of this to end users (clients). In the existing client table there is a one Boolean field that indicates whether they want to book on to the next term of classes. Each client has a unique identifier field generated when they
join i a stand format such as 117313b1-c222-47d4-a035-9947d49e922b for example.
I have some code which sends out an email to all clients asking them if they want to re-book, i want to embed in that email a link with something like the following :-
(https://samplefitnessco.com/rebook/117313b1-c222-47d4-a035-9947d49e922b/a link to some API, REST / WCF or other solution). Once clicked it will automatically hit an endpoint that will update the Boolean re-book field in the client table to 1 and just return
a thanks you message.
I can do all the coding to send and embed the links, what I am struggling with (probably only being vb.net guy) is which technology to use for this. Almost all the examples seem to use C# and or MVC4 / 5. This whole existing web application is not written
in MVC and I really don't want to learn and rewrite it just yet.
Is it possible to use WCF to create an endpoint to update a field without opening a client side form? Should I use a WebAPI or is the a simpler method that I have overlooked. As this seems such a simple request (just alter one Boolean value for the given
UUID of the client I hope there would be a simple solution that is doable in VB>NET.
So looking forward to a little direction on this please...
Oct 01, 2018 06:16 AM|Brando ZWZ|LINK
Do you mean you want to update the database's record when user click the link?
As far as I know, the browser will send the get request to the server when user click the link.
Since the browser send the get request, we could only pass the paramester in the url without using form.
If you don't want to use WCF or web api, you could directly write a ashx or a page to receive the parameter and update the record.
The url format as below:
Page's pageload event:
Public Class ReceivewParameter
Protected strMerchantId As String
Protected strMerchantvalue As String
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
strMerchantId = Request.QueryString("MerchantId")
strMerchantvalue = Request.QueryString("MerchantValue")
Response.Write("receive parameter: " + strMerchantId & strMerchantvalue) 'here you could write the logic to update the sql database
Oct 01, 2018 05:19 PM|silenttalk|LINK
Thanks for your response, In answer to your first point yes I would like if possible to use the link embedded in the email to update the particular Boolean field in the database just by clicking on the link.
You have certainly given me something to experiment with there.
Oct 01, 2018 07:50 PM|silenttalk|LINK
OK so this certainly works in my scenario and updates the field with a single click :-)
Just thinking about security on this, what would be your comments on the below.
Any comments you have would be great to hear, and thank you so much for posting this solution ...
the insert operation.
Oct 02, 2018 05:58 AM|Brando ZWZ|LINK
Obviously use parameterized query for the insert command The fact we are using a uniqueidentifier type no majorly sensitive data is in the URL construct
The uniqueidentifier will avoid any speculative guessing of other uniqueidentifier's
The insert command in code behind limits the exposure of the only that one field (Boolean Yes= 1 or No = 0) and no other fields.
I hear on various forums to always use POST rather than GET as GET can be cached, but with the limited exposure (as I see it) not sure its a big deal.
In my opinion, if the data is not important, you could choose this way.
But I suggest you could write a logic to encrtypt the query string and add an security check logic.
You could generate a used once password and add it in the url.
If the url send to the server, the server will check the password firstly, if this password is not exists, directly return un-auth error message.
Oct 03, 2018 04:44 AM|silenttalk|LINK