Security with QueryString Values in Asp.net MVC

How do you properly ensure that the user does not tamper with query string values or action URL values? For example, you might have a "Delete Comment" action on your CommentController that accepts the CommentID. The action URL might look like /Comments/Delete/3 to delete the comment with ID 3.

Now, obviously, you don't want just anyone to be able to delete comment 3. Usually only the owner of the comment or an administrator has permission to do so. I have seen this security applied in many ways and would like to know how some of you do it.

Do you make several database calls to get the comment and check whether its author matches the user who triggered the delete action?

Or do you pass the CommentID and UserID to a stored procedure, which deletes the comment only if its CommentID and UserID match the values passed in?

Is it better to encrypt query string values?

+5
7 answers

No.

This is a cardinal rule of programming, especially in this day and age: never trust any data coming from a user, browser, client, etc.


+17

… HttpModule … StackOverflow.

+7

Vyrotek: … GET, POST … GET …

+3

… #46 … [AcceptVerbs(HttpVerbs.Delete)]

+2

… POST … AcceptVerbs …:

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Delete(int? id)
{
    //Delete
}

For anti-forgery, see:

http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

+1
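The approach the answers above converge on (a POST-only action with an anti-forgery token, plus a server-side owner-or-administrator check driven by the authenticated identity rather than by anything in the URL), written out as an added example. This is not code from the thread; the `Comment` model, the `ICommentRepository` interface, the "Administrator" role name and the `Index` redirect are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web.Mvc;

// Assumed minimal model and repository (not from the original thread).
public class Comment
{
    public int Id { get; set; }
    public string AuthorUserName { get; set; }
}

public interface ICommentRepository
{
    Comment GetById(int id);   // returns null when no such comment exists
    void Delete(int id);
}

public class CommentController : Controller
{
    private readonly ICommentRepository _comments;

    public CommentController(ICommentRepository comments)
    {
        _comments = comments;
    }

    // Deleting is a state change, so:
    //  - [AcceptVerbs(Post)]: a plain GET of /Comments/Delete/3 never reaches this method
    //  - [ValidateAntiForgeryToken]: the POST must carry the token emitted by
    //    Html.AntiForgeryToken() in the form, which defeats cross-site requests
    //  - [Authorize]: anonymous callers are rejected before the action runs
    [Authorize]
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int? id)
    {
        if (!id.HasValue)
            return new HttpStatusCodeResult(400);

        // The id came from the route/query string and is untrusted. Load the
        // record and decide on the server using the authenticated principal;
        // never accept a user id supplied by the client.
        var comment = _comments.GetById(id.Value);
        if (comment == null)
            return new HttpStatusCodeResult(404);

        if (!CanDelete(User, comment))
            return new HttpStatusCodeResult(403); // return 404 instead if you prefer not to confirm the id exists

        _comments.Delete(comment.Id);
        return RedirectToAction("Index");
    }

    // The rule from the question: only the comment's owner or an administrator may delete.
    // Kept static and public so it can be unit-tested without spinning up MVC.
    public static bool CanDelete(IPrincipal user, Comment comment)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        if (user.IsInRole("Administrator"))   // assumed role name
            return true;

        return string.Equals(comment.AuthorUserName, user.Identity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

The form that triggers this must POST (for example `<form method="post" action="/Comments/Delete/3">` containing `<%= Html.AntiForgeryToken() %>`); a link that issues a GET will get a 404 from the routing/verb filter, which is the intended outcome. The stored-procedure variant from the question is the same check pushed into the database: `DELETE ... WHERE CommentID = @id AND AuthorUserID = @currentUser`, with `@currentUser` taken from the server-side session rather than the request, and the rows-affected count used to tell "deleted" from "not yours".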

… query string … Base64 … "commentid=4&userid=12345" … "code=1a2b23de12769"

0

