Go to Detail Page WITHOUT querystring

New Here,
Dec 11, 2006
I'm familiar with the Go to Detail Page behaviour, but one thing that concerns me is the passing of querystring parameters. I have a page, for example, where I list employees by group. People see different lists, depending on which group they belong to, but there's nothing to keep someone from trying different querystring values and seeing results they should not be entitled to. Let's say I see a link for Bob Jones, with the Go to Detail Page link generated as EmployeeDetails.asp?EmployeeID=27. There's nothing to keep a savvy user from changing the 27 to anything else, and perhaps seeing data they should not be permitted to see.

I'd like to have a similar functionality that calls the other screen, but passes the selected row without it being visible in the querystring.

Any suggestions? Thanks in advance for any ideas about this.

TOPICS: Server side applications
LEGEND,
Dec 11, 2006
.oO(NewfWingNut)

>I'm familiar with the Go to Detail Page behaviour, but one thing that concerns
>me is the passing of querystring parameters. I have a page, for example, where
>I list employees by group. People see different lists, depending on which group
>they belong to, but there's nothing to keep someone from trying different
>querystring values and seeing results they should not be entitled to.

That's a bug in the script and has nothing to do with passing data in
the query string. If someone is not allowed to view particular data then
your script has to prevent it by checking that the person has sufficient
privileges.

>Let's say
>I see a link for Bob Jones, with the Go to Detail Page link generated as
>EmployeeDetails.asp?EmployeeID=27. There's nothing to keep a savvy user from
>changing the 27 to anything else, and perhaps seeing data they should not be
>permitted to see.

Yep, but you have to handle that in your server-side script. If user
"foo" is logged in and tries to access ?EmployeeID=42, then your script
has to check that "foo" is allowed to see that record. Most likely this
will require some hand-coding.

> I'd like to have a similar functionality that calls the other screen, but
>passes the selected row without it being visible in the querystring.

Impossible. Of course you could use a form and send the data with the
POST method, but this only makes it a little harder to manipulate the
data, it won't prevent it. Security by obscurity doesn't work.

Micha
LEGEND,
Dec 11, 2006
In essence, you'd also apply the same filter to the details page as you do
to the list page. This would ensure that users don't see each others
records.

--
Jules
http://www.charon.co.uk/charoncart
Charon Cart 3
Shopping Cart Extension for Dreamweaver MX/MX 2004
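Putting Micha's "check that the logged-in user may see that record" and Jules's "apply the same filter on the details page" into code, as an added example that is not from this thread and not a Dreamweaver server behavior. It uses Python with an in-memory SQLite table and constructed sample rows; the caller's group is assumed to come from the server-side login session, never from the request.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): two groups, three employees.
SCHEMA = """
CREATE TABLE employees (EmployeeID INTEGER PRIMARY KEY, Name TEXT, GroupID INTEGER);
INSERT INTO employees VALUES (27, 'Bob Jones', 1), (42, 'Alice Smith', 2), (43, 'Carol Ng', 2);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parse_employee_id(raw):
    """Validate the querystring value before it reaches SQL: only a plain
    positive integer is accepted, anything else is treated as absent."""
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        return None
    return int(raw)


def detail_unscoped(conn, employee_id):
    """The weak pattern the original poster worries about: the detail page
    trusts the EmployeeID alone, so editing ?EmployeeID= returns any record.
    The query is parameterised, so this is an authorisation bug, not SQL injection."""
    return conn.execute(
        "SELECT EmployeeID, Name FROM employees WHERE EmployeeID = ?",
        (employee_id,),
    ).fetchone()


def detail_scoped(conn, employee_id, session_group_id):
    """The fix the replies describe: re-apply the list page's group filter on
    the detail page. session_group_id is taken from the server-side session.
    Returns None when the record is outside the caller's group, so the page
    can answer 'not found' instead of leaking whether the ID exists."""
    return conn.execute(
        "SELECT EmployeeID, Name FROM employees WHERE EmployeeID = ? AND GroupID = ?",
        (employee_id, session_group_id),
    ).fetchone()


def detail_page(conn, querystring_value, session_group_id):
    """Glue the two steps together the way a request handler would."""
    employee_id = parse_employee_id(querystring_value)
    if employee_id is None:
        return None
    return detail_scoped(conn, employee_id, session_group_id)
```

Hiding the ID (POST, session state) does not change the outcome of `detail_scoped`; the group filter is what decides access, which is the point both replies make.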

New Here,
Dec 12, 2006
Thanks for the responses; I've typically done the same kind of security in the detail pages, but just wondering if there was a relatively simple way to remove info from the querystring. The company that does the vulnerability assessments for this client has indicated that they don't like to see "extra stuff in the URL address", but fail to offer a reasonable solution.
LEGEND,
Dec 12, 2006
I'm not surprised they've failed to offer a reasonable solution. There isn't
one. There isn't any vulnerability in having a querystring. Presuming, of
course, that you've protected yourself against cross-site scripting and SQL
Injection.

--
Jules
http://www.charon.co.uk/charoncart
Charon Cart 3
Shopping Cart Extension for Dreamweaver MX/MX 2004
