The simple answer is not to use query strings - they are wide open to hacking and SQL injection. Use stored procedures and only pass what is absolutely necessary. Nobody should be able to see what stored proc you are executing, so the params are meaningless.
Bob
Ashfield Consultants Ltd
In the address
www.abc.com/id=1
I don't want to display id=1
in the address bar.
This leads to database hacking.
Can I do it?
If you have an apple & I have an apple and we exchange our apples, then each of us will still have only one apple but if you have an idea & I have an idea and we exchange our ideas, then each of us will have two ideas!
Pankaj Garg wrote: www.abc.com/id=1
i don't want to display id=1
in the address bar.
this leads to database hacking
Not if you are using stored procs because:
1) www.abc.com?ggsttfgj=1 would be pretty meaningless, but your code knows that ggsttfgj is really the id
2) all you are passing is a stored proc parameter. Nobody has any idea what stored proc is going to be called
Can you hack this to get into a database?
http://www.codeproject.com/script/Forums/Edit.aspx?fid=12076&select=2590541&floc=/script/Forums/View.aspx&fa=r
It's all about relative security, and if you are not using stored procs or parametrised queries then you may as well use plain text, as you are open to SQL injection anyway.
Bob
Ashfield Consultants Ltd
Pankaj Garg wrote: i don't want to display id=1
in the address bar.
You can't avoid that unless you use cross-page postbacks. But it doesn't lead to hacking; the worst it leads to is someone wandering your DB. You should have permission layers so that even if someone uses the id of another user, they won't get to the data. If you build it right, there's no reason to worry about ids in the URL, and having them there has a lot of benefits (such as bookmarkable pages).
Christian Graus
Please read this if you don't understand the answer I've given you
"also I don't think "TranslateOneToTwoBillion OneHundredAndFortySevenMillion FourHundredAndEightyThreeThousand SixHundredAndFortySeven()" is a very good choice for a function name" - SpacixOne ( offering help to someone who really needed it ) ( spaces added for the benefit of people running at < 1280x1024 )
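The two points made in the replies above (Bob: use parametrised queries, never concatenated SQL; Christian: keep the id in the URL but check ownership) as an added, runnable example. This is not code from the thread or from CodeProject; it uses an in-memory SQLite table, and the table name, the users and the helper names are assumptions for illustration.

```python
"""Added example (not from the thread): why an id in the query string is
harmless when the query is parameterised and the row is checked against the
logged-in user, and how the concatenated version falls to injection."""
import sqlite3


def build_db():
    # Constructed sample data: two users, each owning one order (assumed schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "alice-order"), (2, "bob", "bob-order")],
    )
    return con


def get_order_concat(con, raw_id):
    # The pattern the thread warns about: the query-string value is pasted
    # straight into the SQL text, so the client controls the WHERE clause.
    sql = "SELECT id, owner, secret FROM orders WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def get_order_param(con, raw_id, current_user):
    # Hardened version: (1) the value must parse as an integer before use,
    # (2) it is bound as a parameter, never concatenated, and (3) the row
    # must belong to the logged-in user (the "permission layer" above).
    try:
        order_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return con.execute(
        "SELECT id, owner, secret FROM orders WHERE id = ? AND owner = ?",
        (order_id, current_user),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    print(get_order_concat(db, "1"))                 # normal use: one row
    print(get_order_concat(db, "1 OR 1=1"))          # injection: every row comes back
    print(get_order_param(db, "1", "alice"))         # alice reads her own order
    print(get_order_param(db, "2", "alice"))         # None: bob's order is refused
    print(get_order_param(db, "1 OR 1=1", "alice"))  # None: rejected before any SQL runs
```

Hiding or renaming the parameter changes nothing here; what matters is that the value is bound, not concatenated, and that the server decides which rows the caller may see.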
By validating query string values. Alternatively, you can encrypt the query string values.
Do you have any link regarding the same?
If you have an apple & I have an apple and we exchange our apples, then each of us will still have only one apple but if you have an idea & I have an idea and we exchange our ideas, then each of us will have two ideas!
I don't have one. Validating query string values is pretty easy. Before processing, make sure the values you got from the query string are valid. To prevent SQL injection, you need to use parameterized queries instead of appending the query in a string.
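The two suggestions above (validate the query string value; or "encrypt" it so it cannot be edited in the address bar) as an added example in Python. This is not code from the thread: the key, the `id.mac` parameter format and the limits are assumptions for illustration. Tamper-evidence rather than secrecy is what protects against someone editing the id, so an HMAC is used instead of encryption.

```python
"""Added example (not from the thread): strict validation of a query-string id,
plus an HMAC so an id edited in the address bar is rejected before any DB access."""
import hashlib
import hmac

# Assumed server-side secret; a real app loads it from protected config, not source.
SECRET_KEY = b"example-key-do-not-ship"
MAX_ID = 2**31 - 1  # assumed bound matching a 32-bit identity column


def validate_id(raw):
    """Return the id as int, or None unless the value is a plain positive integer."""
    if raw is None or not raw.isdigit() or len(raw) > 10:
        return None
    value = int(raw)
    if value < 1 or value > MAX_ID:
        return None
    return value


def _mac(raw_id):
    # 128-bit truncated HMAC-SHA256 over the decimal id text.
    return hmac.new(SECRET_KEY, raw_id.encode(), hashlib.sha256).hexdigest()[:32]


def sign_id(order_id):
    """Produce the 'id.mac' token to put in the URL instead of a bare id."""
    raw = str(order_id)
    return raw + "." + _mac(raw)


def verify_id(token):
    """Return the id if the token's MAC matches, else None (edited or malformed)."""
    if token is None or token.count(".") != 1:
        return None
    raw, mac = token.split(".")
    order_id = validate_id(raw)
    if order_id is None:
        return None
    if not hmac.compare_digest(mac, _mac(raw)):
        return None
    return order_id


if __name__ == "__main__":
    token = sign_id(42)
    print(token)                       # e.g. 42.<32 hex chars>
    print(verify_id(token))            # 42
    print(verify_id("43." + token.split(".")[1]))  # None: id changed, MAC no longer matches
    print(validate_id("1 OR 1=1"))     # None: not a plain integer
```

A valid signature only proves the server issued that id to someone; the per-user ownership check still has to run before the record is returned.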
Put your variable in a session
We are not a Code Charity
Is there any way to change the page name like
www.abc.aspx/id=2
to
www.abc.aspx/2
or something like this?
If you have an apple & I have an apple and we exchange our apples, then each of us will still have only one apple but if you have an idea & I have an idea and we exchange our ideas, then each of us will have two ideas!
OK, I don't think you are totally understanding what you are doing.
You just edit the URL that you are going to in the http link, or wherever it is you click and navigate from one page to another.
Store the variable id in a session instead; then you can just have your URL as www.abc.co.uk/Page.aspx
We are not a Code Charity
Pankaj Garg wrote: is there any way to change the page name like
www.abc.aspx/id=2
to
www.abc.aspx/2
No, but it's your code so you could do www.abc.aspx?2 - whatever you want to put after the ? is up to you and your app, nothing else cares (well, within reason)
Bob
Ashfield Consultants Ltd
.netman wrote: Put your variable in a session
Not recommended unless the data you are passing is sensitive. If it is not, query string validation will do.
The problem with the query string is passing it from page to page.
We are not a Code Charity
If it is handled properly, it's the most efficient and simple method to pass values from page to page.
Hi friends,
I want to programmatically sort GridView columns.
I am manually filling the GridView with code,
and I have 3 buttons with text 'column1', 'column2', 'column3'.
If I click on button 'column1' then the GridView should be sorted based on 'column1'.
Please help me...
It's urgent....
Thanks in advance,
vijay
In ASP.NET I want to create a report other than Crystal Reports, because when I host to the server Crystal Reports is not working. So, any other method?
Try Microsoft Report Viewer
http://www.codeproject.com/KB/webforms/ReportViewer.aspx
We are not a Code Charity
Hi,
I have an XSD with too many elements specified. I want to validate my textbox value against a specified element only.
Can anybody suggest how to do this?
Thanks
Hi
I declared a connection string in my page_load event.
So I've got this:
string connectionString;
SqlConnection con;
connectionString = ConfigurationManager.ConnectionStrings[project].ConnectionString;
con = new SqlConnection(connectionString);
Now when I try and reference con.Open(); in a different event, e.g. onclick, it doesn't work.
However, when I declare:
string connectionString2 = ConfigurationManager.ConnectionStrings[project].ConnectionString;
SqlConnection con2 = new SqlConnection(connectionString2);
in the onclick event, it works. If you declare in page_load does it not work in a different event?
Any help would be great!
Cheers
We are not a Code Charity
I think after postback, it initiates the variable from scratch.
If you have an apple & I have an apple and we exchange our apples, then each of us will still have only one apple but if you have an idea & I have an idea and we exchange our ideas, then each of us will have two ideas!
So do I need to put the connection string in a postback check as well then?
We are not a Code Charity
Hi,
Please try to put the connection strings and variables outside the IsPostBack and check. It will work.
Meeram395
I've tried that already.
I declare the names connectionString and con at the top of the page.
I then specify the connection string code in the page load:
connectionString = ConfigurationManager.ConnectionStrings[project].ConnectionString;
con = new SqlConnection(connectionString);
However, I cannot reference it outside of the page_load, say in an onclick event.
It recognises con.Open(); but doesn't perform the query.
There is no mistake with the query; it works fine.
I've got the query in a try/catch/finally statement, would this affect it?
Thanks for the help, it's really puzzling me.
We are not a Code Charity