[ASP.Net] Validation of Postbacks..

[Pc_Madness]

Hey guys, I just wanted to check if I need to do this. On my page I'm getting a variable passed via the query string (Request["id"]), and on page load I check to make sure that I'm allowed to access this particular ID.

When you push an asp.net submit button, does the browser resend the ID, or is it kept server side and as such I don't need to validate it again?

Thanks :)

[azcodemonkey]

  Pc_Madness said:

Hey guys, I just wanted to check if I need to do this. On my page I'm getting a variable passed via the query string (Request["id"]), and on page load I check to make sure that I'm allowed to access this particular ID.

When you push an asp.net submit button, does the browser resend the ID, or is it kept server side and as such I don't need to validate it again?

Thanks :)

If it's in the URL, it'll be sent back with the request.

[amrinders87]

  azcodemonkey said:

If it's in the URL, it'll be sent back with the request.

Not quite true as ASP.Net pages also perform Postbacks.

In the Page_Load event, I would add this code:

if (!Page.IsPostBack)
{
	   //do validation here and if ID is invalid disable the buttons or redirect
}

This code will only get executed when the page loads and not on postbacks because the query string will not change. If the user changes the query string, the url, then it will no longer be a post back and hence the validation code would fire again.

[azcodemonkey]

  amrinders87 said:

Not quite true as ASP.Net pages also perform Postbacks.

Yeah, it is true. The query string is sent back in postback as well as first load. How he validates it is beside the point.

[sbauer]

  azcodemonkey said:

Yeah, it is true. The query string is sent back in postback as well as first load. How he validates it is beside the point.

Yup, it's true.

[Dav-id]

If you rely on the querystring I highly recommend you validate it each time you want to access it otherwise what happens if a user changes this?

[sbauer]

  whoreman said:

If you rely on the querystring I highly recommend you validate it each time you want to access it otherwise what happens if a user changes this?

Yeah, but you should validate all user input regardless of how it's entered.

[Pc_Madness]

Thanks guys. :) I think I might be lazy and use a static variable to hold it instead. :)

[amrinders87]

  azcodemonkey said:

Yeah, it is true. The query string is sent back in postback as well as first load. How he validates it is beside the point.

  sbauer said:

Yup, it's true.

Seems like both of you don't understand ASP.Net Page architecutre. The url gets sent to the page when the page is first requested. After that, the url does not get sent because of PostBacks. Go ahead try it. Create a blank page and add a button. Set breakpoint in page load to see the query string collection. Next, view the page with a query string variable. Once the page loads, change the query string paramter value in the url and click the button to do a post back. You will see that the QueryString collection still has the old value.

So, you should validate the QueryString parameters in the Page_Load event handler when the page first loads, when IsPostBack is false as I have showed in my previous post.

Hope this helps.

[amrinders87]

  Pc_Madness said:

Thanks guys. :) I think I might be lazy and use a static variable to hold it instead. :)

I hope you realize the implications of making a static variable. That variable will be SHARED among all the instances of that page class. So, if multiple users are using the same page, they will be sharing the same value. Security :o risk IMO.

[sbauer]

  amrinders87 said:

Seems like both of you don't understand ASP.Net Page architecutre. The url gets sent to the page when the page is first requested. After that, the url does not get sent because of PostBacks. Go ahead try it. Create a blank page and add a button. Set breakpoint in page load to see the query string collection. Next, view the page with a query string variable. Once the page loads, change the query string paramter value in the url and click the button to do a post back. You will see that the QueryString collection still has the old value.

So, you should validate the QueryString parameters in the Page_Load event handler when the page first loads, when IsPostBack is false as I have showed in my previous post.

Hope this helps.

My comment was the fact that querystring values are still sent via postback. I was responding to his response, not yours. I know the architecture well, but thanks for your concern. Of course changing the querystring in the URL doesn't apply when you hit the button as it's a local change.

[amrinders87]

  sbauer said:

My comment was the fact that querystring values are still sent via postback. I was responding to his response, not yours. I know the architecture well, but thanks for your concern. Of course changing the querystring in the URL doesn't apply when you hit the button as it's a local change.

My bad, I should I guess I should have looked at your signature :laugh:

[Pc_Madness]

  amrinders87 said:

I hope you realize the implications of making a static variable. That variable will be SHARED among all the instances of that page class. So, if multiple users are using the same page, they will be sharing the same value. Security :o risk IMO.

Argh. :( I thought it was a copy of the page per user. *sigh* I miss PHP. :(

[amrinders87]

  Pc_Madness said:

Argh. :( I thought it was a copy of the page per user. *sigh* I miss PHP. :(

Well you have full control. Static variable is shared among all instances of that class. So if two users use the application at about the same time, there will be two instances of that class and both will be sharing that single variable.

But as I have said above, you can validate the query string in Page_Load event in if the if not PostBack. Afterwards, you can use it and you should be safe.