Protect Tampering Of Query String

Question
Hi All,

We have an asp.net web application and we use the javascript function window.open
to pass data between pages, like window.open("Students.aspx?ID=123456");
and in the Students.aspx page we get the value by Request.QueryString["ID"].

But we face a problem: the end user can change the ID in the URL and see the student info for another student, e.g. change ID=123456 to ID=132540 and see that student's data.


Please let me know how we can protect this.
Also note that we can't rewrite the application to use a different way of passing the data.

Thank you very much

Solution

Quote:

Never pass sensitive data using a query string, because the information is visible to users and can easily be modified, thus representing a potential security risk.

--MSDN

You can use public properties to pass the value in a more secure way. The public properties can be accessed in the next page with the help of PreviousPage.
Example:

Label1.Text = PreviousPage.ID;


There are other ways to do this too. Check this detailed article on MSDN:
How to: Pass Values Between ASP.NET Web Forms Pages[^]

In case of any doubts, please let me know :)


You need to implement some kind of authentication so people need to log in to use the system, and then you check that the person logged in has access to the resources they are requesting, so if someone has student ID of 1234 on the querystring, you first check the logged in person has the right to access student 1234's data, either because they *are* that student or because they are an admin.

Things you shouldn't spend time doing | The ASP.NET Forums[^]
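The check described in the answer above, written into Students.aspx as an added example (not code from the thread): the page keeps receiving the ID on the query string, so the callers' window.open code stays as it is, but the value is parsed strictly and then authorized against the logged-in user before anything is shown. StudentRepository, the "Admin" role name and the sample logins are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

// Assumed stand-in for the app's data layer: which student record a login owns.
// A real application would query its own database here (parameterized query).
public static class StudentRepository
{
    private static readonly Dictionary<string, int> OwnerOf =   // constructed sample data
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase) { { "jdoe", 123456 }, { "asmith", 132540 } };
    public static int? GetStudentIdForUser(string userName)
    {
        int id;
        return OwnerOf.TryGetValue(userName, out id) ? id : (int?)null;
    }
}

public partial class Students : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Authentication: anonymous callers go to the login page (Forms auth from web.config).
        if (!User.Identity.IsAuthenticated) { FormsAuthentication.RedirectToLoginPage(); return; }
        // 2. The query string is attacker-controlled input: parse it strictly, never concatenate it.
        int requestedId;
        if (!int.TryParse(Request.QueryString["ID"], out requestedId)) { Deny(400, "malformed ID"); return; }
        // 3. Authorization: the URL only names a record; the server decides whether THIS user may see it.
        if (!CanViewStudent(User.Identity.Name, requestedId)) { Deny(403, "student " + requestedId); return; }
        Label1.Text = "Student " + requestedId;   // authorized: bind the page as before (existing logic)
    }

    private bool CanViewStudent(string userName, int studentId)
    {
        if (User.IsInRole("Admin")) return true;                       // staff may see any student
        int? ownId = StudentRepository.GetStudentIdForUser(userName);   // students may see only themselves
        return ownId.HasValue && ownId.Value == studentId;
    }

    private void Deny(int status, string reason)
    {
        // Log every refusal: a burst of 403s from one account is the signature of ID tampering.
        System.Diagnostics.Trace.TraceWarning("Denied {0}: {1} requested {2}",
            Request.UserHostAddress, User.Identity.Name, reason);
        Response.StatusCode = status;
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();   // end the request without a ThreadAbortException
    }
}
```

The same CanViewStudent check must guard every other page or handler that takes a student ID, otherwise the ID can simply be supplied to a page that forgot it.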

