从URL链接获取参数 [英] Getting parameters from URL link
问题描述
大家好,
我第一次尝试制作一些Web代码,而不仅仅是旧的应用程序代码...我使用C#语言进行了大量工作,所以我决定制作ASP.NET/C#...
我目前有点挣扎,因此需要一些帮助来正确完成操作以及操作方法.
我的情况:
我有一个新闻邮件系统,用户可以在其中访问我的主站点,并使用两种类型的操作:
1.订阅新闻邮件
2.退订新闻邮件
1.说明:
订阅新闻邮件;它只会搜索数据库,以检查电子邮件地址是否已经注册.如果是,它只是采取了从DB是记录和编辑工作了.
如果它在数据库中尚不存在,它将使用用户电子邮件在数据库中创建一个新记录....(此功能按预期工作)
2.说明:
退订新闻邮件;为确保其正确的用户退订,我希望按照以下方案进行操作:
1.用户类型的电子邮件地址,然后点击取消订阅".
2.用户被定向到网页,告诉电子邮件已发送到键入的地址,并带有链接以确认其正确的用户链接.
3.用户选中他/她的电子邮件框,然后单击通过电子邮件发送给他们的链接以确认取消订阅(例如www.mysite.com/confirmunsub.aspx).
4.用户在链接到的站点上收到一条消息,告诉他们该电子邮件现在已成功取消订阅.
我需要索取协助的电子邮件中的链接...
为了方便用户,我想他们需要点击只有链接!所以我认为可能需要某种POST请求吗?使用类似www.mysite.com/confimunsub.aspx?adressTxt=myemail@e.com之类的URL.
那将是用户使用的链接,当他们使用它时,confirmunsub.aspx将从帖子链接中提取信息(adressTxt字段= myemail@e.com),因此,在PageLoad运行时,它将自动退订该用户以及所有用户需要做的是,单击已发送电子邮件中的链接,并查看有关他们已成功取消订阅的确认....
有什么主意吗?
我认为使用某种POST请求可能有可能吗?但是我需要技术方面的帮助,以及如何正确进行操作.
最好的问候
Hi folks,
I''m trying for my very first time, to make some web code instead of just the old application code... I worked a lot with C# language, so I decided to make ASP.NET / C#...
I''m kinda struggled at the moment, so need some help to how its done correctly, and how.
My case:
I have a news mail system, where users can visit my main site, and use two types of actions:
1. Subscribe news mail
2. Unsubscribe news mail
1. Explanation:
Subscribe news mail; it will just search the Database, to check if the email adresse is registred already. If it is, it just take out that record from DB and editting it.
If it doesn''t exist already in DB, it will just create a new record in DB with user email.... (This function works as intended)
2. Explanation:
Unsubscribe news mail; To make sure that its the right user unsubscribing, I want it to be done as following scenario:
1. User type email adress, and click on "Unsubscribe".
2. the user get directed to web page, telling that an email has been sended to the typed adress with a link to confirm its the right user.
3. The user check his/her email box, and clicking on the link sended by email to them to confirm unsubscribing (eg. www.mysite.com/confirmunsub.aspx).
4. The user got a message on the site they are linked to, telling them that the email now has succesfully unsubscribed.
Its the link in the email I need som assistance to...
To make it easy for the user, I want them needing to click the link ONLY! So I think it maybe need to be some kind of POST request? with a URL like www.mysite.com/confimunsub.aspx?adressTxt=myemail@e.com .
That would be the link the user use, and when they use it, the confirmunsub.aspx will extract the information out of the post link (adressTxt field = myemail@e.com), so when the PageLoad is running, it will automatically unsubscribe the user, and all the user will need to do, is click the link in the sended email, and see the confirmation about they have been succesfully unsubscribed....
any idea?
I think that it may be possible with some kind og POST request? But I need help to the techniqe, and how it should be done correctly.
Best Regards
推荐答案
用户转到的页面可以简单地将电子邮件地址从查询字符串中拉出,然后执行所需的任何操作,然后向用户展示动作状态.
您的问题到底在哪里?
The page the user goes to could simply pull the email address out of the query string and perform whatever action you want, and hen present the user with the status of the action.
Where exactly is your issue?
我同意JSOP上面写的内容....
我不认为这是个好方法.查询字符串中的任何内容都是可见的,如果您将此作为确认步骤来执行,那么我可以对其进行篡改,并根据它进行操作.
范例1:
取消订阅的UserA.您已将电子邮件发送到userA@a.com.他看到了确认链接,并将查询字符串电子邮件ID更改为userB@a.com
这可能会导致取消订阅其他人的ID或您的数据库中的电子邮件ID无效!
示例2:如果这将是模型,则用户可以猜测出它没有涉及太多的安全性,因此电子邮件ID中可能包含一些通配符,这可能会影响您的应用程序/数据库.
有想法吗?
I agree to what JSOP has written above though....
I don''t think this is a good way to do it. Anything in query string is visible and if you take this as a confirmation step to do it then i can tamper with it and action according to it will occur.
Example1:
UserA unsubscribed. You sent email to userA@a.com. He see''s the confirmation link and changes the query string email id to userB@a.com
This can lead to someone else id un-subscribed or an invalid email id in your DB!
Example2: If this will be the model, user can guess out that not much of security is involved and thus some wild characters can be included in the email id that might affect your application/database.
Thoughts?
答案#2:
其真正的,你有一些方便的修正,可以让我们称为后喷射.但!它要求您知道数据库中的电子邮件地址,并且数据库表格仅包含电子邮件地址,并且订阅时为真/假.因此,有ain''t任何真正interessting有信息来获得.
这里唯一的安全性问题是some1与数据库进行交互,进行som注入,导致用户可能获得错误的订阅.即使他们还没有证实自己...
另外,我应该在每封新闻电子邮件的末尾添加一个退订链接" ...这也可能是这样做的一种方法,但是对于该解决方案,我还没有想出"+"和-" .
无论如何,我看不到应该如何删除里面包含电子邮件信息的POST URL.
仍然欢迎任何建议...
答案1:
真正的问题是如何自动取消动作.
可能有一些关于如何取消订阅的经验.对他们的新闻邮件系统采取的行动,这与我的做法有所不同...任何想法都将被考虑在内:)
Answer #2:
Its true that you with some handy fixes, can make what we known as POST injections. BUT! It require you to KNOW the email adresses in the database, and the database tabel contains email adresses ONLY, with an true/false for subscription. So there ain''t any real interessting information there to get.
Only security issue here, is some1 interacting with the Database, doing som injections which leads to user could get false subs. even tho they havn''t confirmed themself...
Alternativly I should just add an "Unsubscribe link" at the end of each news email... That could be a way to do it also, but I havn''t figured +''s and -''s for this solution yet.
No matter what, I can''t see how I should get rid of POST URLs with the email info inside.
any suggestions are welcome still...
Answer #1:
The real issue is how to make automatically unsub action.
It could be some1 have experience with how they did an unsub. action to their news mail system, which is different from the way I though... any ideas will be taken to consideration :)
这篇关于从URL链接获取参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
