堆栈内存溢出
  简体   繁体   English

ASP.NET中的CustomerId和Request.QueryString

[英]CustomerId and Request.QueryString in ASP.NET

 原文  2011-04-13 19:20:49       c#/ asp.net/ request.querystring

问题描述

Request.QueryString is not very safe. Request.QueryString不是很安全。 Incase someone is logged in. Just by typing in the URL 有人登录。只需键入URL即可 

myaccount.aspx?custId=10

One can get the information of another Customer. 人们可以获得另一个客户的信息。

So its not safe at all. 所以它根本不安全。 The reason for posting this was because, I wanted an alternative way of passing customerId between pages. 发布这个的原因是因为,我想要一种在页面之间传递customerId的替代方法。 Perhaps encrypt it? 或许可以加密吗?

7 个解决方案

解决方案1
 2  2011-04-13 19:24:51

Query strings are safe and are not flawed . 查询字符串是安全的没有缺陷

What is flawed and unsafe is trusting user input data. 有缺陷和不安全的是信任用户输入数据。 It is your responsibility to verify the data being sent to the server is not malicious and that the requested action is allowed for the logged in user. 您有责任验证发送到服务器的数据不是恶意的,并且允许登录用户请求的操作。

You should take that query stirng value, make sure it is the valid type (your example appears to be an integer) and then before fetching the customer's data, make sure the user is allowed to access that customers data. 您应该获取该查询的stirng值,确保它是有效类型(您的示例似乎是一个整数),然后在获取客户的数据之前,确保允许用户访问该客户数据。

解决方案2
 2 已采纳  2011-04-13 20:47:42

Really for myaccount.aspx you shouldn't need to a user to pass their ID in as a parameter. 实际上,对于myaccount.aspx,您不需要用户将其ID作为参数传递。

As others have said, use Membership. 正如其他人所说,使用会员资格。 Or create a hash (an encypted value) of a user's ID and password and save that as a cookie or in the session object. 或者创建用户ID和密码的哈希值(加密值),并将其保存为cookie或会话对象。 You can read that instead of an input parameter. 您可以读取它而不是输入参数。

解决方案3
 1  2011-04-13 19:23:17

That's not the responsibility of the QueryString . 这不是QueryString的责任。 You should implement an authenication and authorization system, preferably with a MembershipProvider and RolesProvider . 应该实现一个身份验证和授权系统,最好使用MembershipProviderRolesProvider

解决方案4
 1  2011-04-13 19:24:48

It does what it's supposed to do. 它做了它应该做的事情。 It is up to you to secure your site. 您可以自行保护您的网站。 No one said everything in the querystring is used for sensitive access related functionality. 没有人说查询字符串中的所有内容都用于敏感访问相关功能。

解决方案5
 1  2011-04-13 19:26:06

There is no safe way to pass it. 通过它没有安全的方法。 Once the user has logged in, store the ID in Session or something equivalent, then always take it from there. 一旦用户登录,将ID存储在Session或等效的内容中,然后始终从那里获取。

解决方案6
 1  2011-04-13 19:26:11

您可以查看asp.net会员资格

解决方案7
 0  2011-04-13 19:22:38

您应该使用ASP.NET 安全性对客户进行身份验证和授权,以便检查登录用户是否可以访问查询字符串中指定的客户ID。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET中的Request.QueryString和OutputCache - Request.QueryString and OutputCache in ASP.NET asp.net中的Request.QueryString - Request.QueryString in asp.net 使用Request.QueryString数组更新ASP.NET中的排序列 - Updating sort column in ASP.NET with Request.QueryString Array 如果Request.QueryString不存在,则设置ASP.NET变量 - ASP.NET Set variable if Request.QueryString does not exist asp.net C#Request.QueryString [“ sms”] +符号 - asp.net C# Request.QueryString[“sms”] + sign 使用asp.net中的request.querystring重定向到另一个asp.net页 - redirecting to another asp.net page using request.querystring in asp.net 将Request.QueryString转换为Datetime,然后在C#asp.net中的linq中使用datacontext进行获取 - convert Request.QueryString toDatetime and then fetch using datacontext in linq in c# asp.net 在ASP.net中使用Sessions和Request.QueryString保存服务器端值 - Saving values server side vs. using Sessions and Request.QueryString in ASP.net 如何在ASP.NET中检查Request.QueryString是否具有特定值? - How to check that Request.QueryString has a specific value or not in ASP.NET? Gridview中的Request.QueryString - Request.QueryString in Gridview
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM