
[ASP.Net] Validation of Postbacks..


Question

Hey guys, I just wanted to check if I need to do this. On my page I'm getting a variable passed via the query string (Request["id"]), and on page load I check to make sure that I'm allowed to access this particular ID.

When you push an asp.net submit button, does the browser resend the ID, or is it kept server side and as such I don't need to validate it again?

Thanks :)


13 answers to this question


  • 0
  Pc_Madness said:
Hey guys, I just wanted to check if I need to do this. On my page I'm getting a variable passed via the query string (Request["id"]), and on page load I check to make sure that I'm allowed to access this particular ID.

When you push an asp.net submit button, does the browser resend the ID, or is it kept server side and as such I don't need to validate it again?

Thanks :)

If it's in the URL, it'll be sent back with the request.

  • 0
  azcodemonkey said:
If it's in the URL, it'll be sent back with the request.

Not quite true as ASP.Net pages also perform Postbacks.

In the Page_Load event, I would add this code:

if (!Page.IsPostBack)
{
    // Do validation here and, if the ID is invalid, disable the buttons or redirect.
}

This code will only get executed when the page loads and not on postbacks because the query string will not change. If the user changes the query string, the url, then it will no longer be a post back and hence the validation code would fire again.

  • 0
  whoreman said:
If you rely on the querystring I highly recommend you validate it each time you want to access it otherwise what happens if a user changes this?

Yeah, but you should validate all user input regardless of how it's entered.

  • 0
  azcodemonkey said:
Yeah, it is true. The query string is sent back in postback as well as first load. How he validates it is beside the point.
  sbauer said:
Yup, it's true.

Seems like both of you don't understand ASP.Net Page architecture. The url gets sent to the page when the page is first requested. After that, the url does not get sent because of PostBacks. Go ahead, try it. Create a blank page and add a button. Set a breakpoint in page load to see the query string collection. Next, view the page with a query string variable. Once the page loads, change the query string parameter value in the url and click the button to do a post back. You will see that the QueryString collection still has the old value.

So, you should validate the QueryString parameters in the Page_Load event handler when the page first loads, when IsPostBack is false, as I have shown in my previous post.

Hope this helps.

  • 0
  Pc_Madness said:
Thanks guys. :) I think I might be lazy and use a static variable to hold it instead. :)

I hope you realize the implications of making a static variable. That variable will be SHARED among all the instances of that page class. So, if multiple users are using the same page, they will be sharing the same value. Security :o risk IMO.

  • 0
  amrinders87 said:
Seems like both of you don't understand ASP.Net Page architecture. The url gets sent to the page when the page is first requested. After that, the url does not get sent because of PostBacks. Go ahead, try it. Create a blank page and add a button. Set a breakpoint in page load to see the query string collection. Next, view the page with a query string variable. Once the page loads, change the query string parameter value in the url and click the button to do a post back. You will see that the QueryString collection still has the old value.

So, you should validate the QueryString parameters in the Page_Load event handler when the page first loads, when IsPostBack is false, as I have shown in my previous post.

Hope this helps.

My comment was the fact that querystring values are still sent via postback. I was responding to his response, not yours. I know the architecture well, but thanks for your concern. Of course changing the querystring in the URL doesn't apply when you hit the button as it's a local change.

  • 0
  sbauer said:
My comment was the fact that querystring values are still sent via postback. I was responding to his response, not yours. I know the architecture well, but thanks for your concern. Of course changing the querystring in the URL doesn't apply when you hit the button as it's a local change.

My bad, I guess I should have looked at your signature :laugh:

  • 0
  amrinders87 said:
I hope you realize the implications of making a static variable. That variable will be SHARED among all the instances of that page class. So, if multiple users are using the same page, they will be sharing the same value. Security :o risk IMO.

Argh. :( I thought it was a copy of the page per user. *sigh* I miss PHP. :(

  • 0
  Pc_Madness said:
Argh. :( I thought it was a copy of the page per user. *sigh* I miss PHP. :(

Well you have full control. Static variable is shared among all instances of that class. So if two users use the application at about the same time, there will be two instances of that class and both will be sharing that single variable.

But as I have said above, you can validate the query string in the Page_Load event inside the if-not-PostBack check. Afterwards, you can use it and you should be safe.
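
An added example, not code from any poster in this thread: a code-behind that applies the "validate it each time you want to access it" advice and keeps the ID in a per-request instance field instead of a static one. `Request.QueryString` is parsed from the URL of whichever request is being processed, postbacks included, so the check sits outside the `IsPostBack` test. The page name `EditItem`, the controls `SaveButton` and `StatusLabel`, and the `Owners` table are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

// Code-behind for a hypothetical EditItem.aspx; the markup is assumed to declare
// <asp:Button OnClick="SaveButton_Click" /> and <asp:Label ID="StatusLabel" />.
public partial class EditItem : Page
{
    // Constructed sample data: item id -> owning user name. Read-only data
    // that is the same for every user is a legitimate use of static.
    private static readonly Dictionary<int, string> Owners =
        new Dictionary<int, string> { { 1, "alice" }, { 2, "bob" } };

    // Instance field: a new page object is created for every request, so this
    // value is never visible to another user. A static field would be shared.
    private int _itemId;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Deliberately outside any IsPostBack test: a postback is just another
        // request, and its URL (query string included) is parsed again.
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id) || !MayAccess(id))
        {
            throw new HttpException(403, "Not allowed to access this item.");
        }
        _itemId = id;

        if (!IsPostBack)
        {
            StatusLabel.Text = "Editing item " + _itemId; // first load only
        }
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Page_Load runs before control events, so _itemId was already
        // authorized earlier in this same request.
        StatusLabel.Text = "Saved item " + _itemId;
    }

    private bool MayAccess(int id)
    {
        // Unknown ids and unauthenticated users (empty name) are both refused.
        string owner;
        return Owners.TryGetValue(id, out owner)
            && string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }
}
```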
