
.NET Forum / ASP.NET / General / February 2008


Passing Arguments to Web Forms (Revisited)

Jonathan Wood - 11 Feb 2008 19:04 GMT
I'm still having issues with this and would love to hear from more people
about how they are approaching this issue.

After thinking about all the ways to pass arguments to a Web form (query
strings, context items, application objects, view state), I started favoring
using the Session object. I created a generic method that retrieved a
variable from the Session object and then deleted it so that I didn't end up
with a ton of unused variables for each user.

The problem with this approach is that, if the user hits refresh, all is
lost. My view state is gone and, since I deleted the session object
variables, they are gone also.

I looked into PreviousPage.ViewState but this does not seem to be available.
Also, I suspect a refresh would trash that as well.

Everything seems to be pointing to query strings. But I hate the fact that
even the most casual of users could modify the query arguments (or just type
them wrong) and end up changing someone else's data. I know I could perform
verification of the user, but for some tasks, this requires additional trips
to the database, which I would like to minimize.

How is everyone else doing this on sites that require the user to be logged
in?

Thanks.

Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com

Scott Roberts - 11 Feb 2008 20:33 GMT
> Everything seems to be pointing to query strings. But I hate the fact that
> even the most casual of users could modify the query arguments (or just
[quoted text clipped - 4 lines]
> How is everyone else doing this on sites that require the user to be
> logged in?

Query strings. Most of our URLs end with "?id={GUID}". We retrieve the user
from the Membership provider and the page data database. We then ensure that
the page data belongs to the authenticated user.

If you want to minimize trips to the DB you could construct a SQL Join when
retrieving the page data:

    select *
    from MyTable t
    inner join Users u on t.UserId = u.UserId
    where t.id = @id and u.username = @username

If you get no rows back then the querystring parameter isn't valid for that
user.

Jonathan Wood - 11 Feb 2008 23:40 GMT
Scott,

> Query strings. Most of our urls end with "?id={GUID}". We retrieve the
> user from the Membership provider and the page data database. We then
[quoted text clipped - 8 lines]
> If you get no rows back then the querystring parameter isn't valid for
> that user.

My SQL isn't up to where it should be. I was thinking about just doing a
WHERE clause. I guess it doesn't matter how, your point seems to be to use
query strings and then provide some sort of verification when going to the
database.

I have a site where users can perform certain tasks, but then the same tasks
can also be done by a trainer, who signs up users. So when the end user is
performing the tasks, I can compare to the current user. But when the
trainer is doing the tasks, then he won't match the user associated with the
data.

Anyway, I appreciate your input. I may need to go that way. But it doesn't
seem ideal.

Jonathan Wood
SoftCircuits Programming
http://www.softcircuits.com
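
Added example, not part of any post in this thread: the ownership join from Scott's reply extended to the trainer case Jonathan raises, in T-SQL, so one round trip both fetches the row and authorizes the caller. The TrainerId column, the temp tables and the sample rows are assumptions constructed for illustration; @id stands for the query-string value and @username for the authenticated user's name.

```sql
-- Assumed schema: Users.TrainerId is a hypothetical column holding the UserId
-- of the trainer who signed the user up (NULL when there is none).
CREATE TABLE #Users (
    UserId    INT PRIMARY KEY,
    Username  NVARCHAR(256) NOT NULL UNIQUE,
    TrainerId INT NULL
);
CREATE TABLE #MyTable (
    id     UNIQUEIDENTIFIER PRIMARY KEY,
    UserId INT NOT NULL,              -- the user the page data belongs to
    Title  NVARCHAR(100) NOT NULL
);

-- Constructed sample data: alice was signed up by trainer_tom, bob has no trainer.
INSERT INTO #Users VALUES (1, N'trainer_tom', NULL);
INSERT INTO #Users VALUES (2, N'alice', 1);
INSERT INTO #Users VALUES (3, N'bob', NULL);
INSERT INTO #MyTable VALUES ('11111111-1111-1111-1111-111111111111', 2, N'Alice plan');
INSERT INTO #MyTable VALUES ('22222222-2222-2222-2222-222222222222', 3, N'Bob plan');

-- In the page, @id is parsed from the query string and @username is taken from
-- the authenticated identity on the server, never from anything the client sends.
DECLARE @id UNIQUEIDENTIFIER = '11111111-1111-1111-1111-111111111111';
DECLARE @username NVARCHAR(256) = N'trainer_tom';

-- A row comes back only when the caller owns the data or is the owner's trainer.
-- When the owner has no trainer, tr.Username is NULL and that branch cannot match.
SELECT t.id, t.Title
FROM #MyTable AS t
INNER JOIN #Users AS o  ON o.UserId  = t.UserId      -- owner of the row
LEFT  JOIN #Users AS tr ON tr.UserId = o.TrainerId   -- owner's trainer, if any
WHERE t.id = @id
  AND (o.Username = @username OR tr.Username = @username);

DROP TABLE #MyTable;
DROP TABLE #Users;
```

Handle an empty result exactly like a nonexistent id, so the response does not reveal whether the GUID belongs to another user.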


©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.