How to open make a link open in new tab?

Question

how to open the btnSMS.PostBackUrl with a new tab / new window? Or is there anyway to go to that URL then automatically go to another page?

More information: That URL is a method to send SMS using service provider (Clickatell). But the URL got nothing other than stating if the message send was successful or not. I don't want the user who use my ASP.NET to stuck there. I want to allow them to go back to my website after sending the message.

protected void btnSMS_Click1(object sender, EventArgs e)
{

    String HP = txtHP.Text;
    String URL = "http://api.clickatell.com/http/sendmsg?user=myuser&password=mypassword&api_id=myapi_id&to=";
    String Text = "&text=" + txtSMS.Text;
    btnSMS.PostBackUrl = URL + HP + Text;

    string username;
    //Sql Connection to access the database
    SqlConnection conn6 = new SqlConnection("MY CONNECTION");
    //Opening the Connnection
    conn6.Open();
    string mySQL;
    username = HttpContext.Current.User.Identity.Name;
    //Insert the information into the database table Login
    mySQL = "INSERT INTO Table_Message(Username, Message, Title, SendTo) VALUES('" + username + "','" + txtSMS.Text.Trim() + "','" + txtTitle.Text.Trim() + "','" + txtHP.Text.Trim() + "')";

    SqlCommand cmdAdd = new SqlCommand(mySQL, conn6);
    //Execute the sql command
    cmdAdd.ExecuteNonQuery();
    //Close the Connection
}

Answer 1

I think a better way to implement this is to make the form post to a URL in your site, which you can react to, then do the post to the service you're using from your server, and redirect the user to the appropriate URL.

UPDATE

I assume you're using web-forms here.

Issue is that you can post to the URL you want, but your user doesn't see any change on the page. Another issue is that, you're putting your password and API_ID for the service in the post back URL, which is visible to anyone who can navigate to your page and hit F12 key. Making your API_ID available to public is a big mistake. It supposed to be something only you and the remote service should know.

Here's my solution.

When you first load the page, you'll show an empty form and allow the user to enter the data you want.

Then in the click event Handler, you get the data you want and post to the service manually. A HTTP post contains a list of key-value pairs that you want to send to the service. You have to build the post request manually, and get the response from the remote service.

So here's how your click handler should look like.

protected void btnSMS_Click1(object sender, EventArgs e)
 {
    Dictionary<string,string> postValues = new   Dictionary<string,string>();

    // gather the key value pairs ou want from your controls and add them to the dictionary.
   // and call postSynchronous method (which I'll explain below)
   string result = postSynchronous(URLtoPOST,postValues);

   if (result= yourSuccessValue){
       // redirect to a page that says.. 'Yay!! you successfully posted to the service ?'
       Server.Transfer("successPage.aspx");
   }else
   {
      // what to do if it fails ?
   }
}

Now the postSynchronous method (or what ever you want to call it) is something you have to write manually, which will take a RUL to post to and a list of key-value pairs to send with the post, then build the actual post request.

Have a look at this link for a tutorial to learn how to do this. http://petewarden.typepad.com/searchbrowser/2008/09/how-to-post-an.html

I tried to embed the code for the method and any related methods but it was too long.

So, what's better when doing things this way is that you never send your API keys or passwords down to your user's browser, so they'll never know it. (Otherwise they can use the keys to access the service as you which is a security hole)

What's bad in this, compared your solution is that you're posting on your server, which brings that CPU and network load to your server. But I guess it's good trade off for the security benefits you get.

hope this helps. and feel free to ask any questions.

Answer 2

Your button should closely reflect as below:

<asp:Button runat="server" ID="btnSMS"  UseSubmitBehavior="false"  OnClick="btnSMS_Click1"  Text="Send/> 

Then in the code-behind build your postback url and then after the submition add the following:

protected void btnSMS_Click1(object sender, EventArgs e)
        {


 String HP = txtHP.Text;
            String URL = "http://api.clickatell.com/http/sendmsg?user=myuser&password=mypassword&api_id=myapi_id&to=";
            String Text = "&text=" + txtSMS.Text;
            string UrlFinal = URL + HP + Text;

            string username;
            //Sql Connection to access the database      
            SqlConnection conn6 = new SqlConnection("Data Source=19-17\\sqlexpress;" + "Initial Catalog = Suite2; Integrated Security =SSPI");
            //Opening the Connnection      
            conn6.Open();
            string mySQL;
            username = HttpContext.Current.User.Identity.Name;
            //Insert the information into the database table Login      
            mySQL = "INSERT INTO Table_Message(Username, Message, Title, Startdate, Enddate, SendTo) VALUES('" + username + "','" + txtSMS.Text.Trim() + "','" + txtTitle.Text.Trim() + "','" + txtHP.Text.Trim() + "')";

            SqlCommand cmdAdd = new SqlCommand(mySQL, conn6);
            //Execute the sql command      
            cmdAdd.ExecuteNonQuery();
            //Close the Connection 

            this.ClientScript.RegisterStartupScript(this.GetType(),
                                        "navigate",
                                        "window.open('" + UrlFinal + "');",
                                        true); 

        }

This should open in a new windows. Alternatively one can use window.navigate as well which will open another page in the same browser.

Answer 3

Is it possible to add the property target="_blank" to the btnSMS item? If it's a link element it would look like this:

id="btnSMS" href="" target="_blank"

Answer 4

An important tangent --- you are leaving yourself dangerously open to a SQL injection attack.

You should never, never, never concatenate text input from a user with a SQL query.

Use @Parameter values in your SQL query string and then use the SqlCommand parameters to replace those values.

string mySQL = "INSERT INTO Table_Message(Username, Message, Title, SendTo) VALUES(@Username, @Message, @Title, @SendTo)";
SqlCommand cmdAdd = new SqlCommand(mySQL, conn6);
cmdAdd.Parameters.AddWithValue("@Username", username);
cmdAdd.Parameters.AddWithValue("@Message", txtSMS.Text.Trim());
cmdAdd.Parameters.AddWithValue("@Title", txtTitle.Text.Trim());
cmdAdd.Parameters.AddWithValue("@SendTo", txtHP.Text.Trim());
cmdAdd.ExecuteNonQuery();

It would be even better to specify the type explicitly:

cmdAdd.Parameters.Add("@Username", SqlDbType.NVarChar, 100).Value = username;

See Troy Hunt's awesome series - http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html