set session var onclick - CodingForum

  • set session var onclick

    Not sure if this is an ASP or JavaScript question -

    I have a master/details page with a button that goes to an edit page by passing the id number as a URL param, but I don't want users to be able to change this number in the address bar and edit other information.

    Can I pass a session variable instead? - how do I set the session var to the id of the record requested?

    monkey
    Monkey

    My head hurts!

  • #2
    Use POST to submit your form instead of GET (the default). Then use Request.Form instead of Request.QueryString to retrieve the values.

    Using POST, your form variables aren't a part of the URL and therefore cannot be modified by the user just by fooling around in the address bar.
    Check out the Forum Search. It's the short path to getting great results from this forum.



    • #3
      Roy

      I wasn't using a form, I used:

      <a href="page.asp?id=<%=recordset.Fields.Item("id").Value%>">Edit</a>

      I suppose a form is going to be the best way forward

      Cheers

      monkey
      Last edited by Boxhead; Feb 10, 2004, 10:54 AM.
      Monkey



      • #4
        It's easy enough to put a hidden form on the page and drop the data into that instead so yes, go with a form. It still won't stop someone from saving your source, editing the saved source and then posting that but it does increase the difficulty level. Usually though the worry is someone messing up the url by accident.


        • #5
          The idea is that a user can change their own details and not others' in a CMS. I think the solution I am going to use will work like this -

          A user logs on. A recordset is created on the next page, which creates a session var of the users unique id. When the user edits their info, the edit page will check the url id param against the session var - therefore, stopping the user from changing the url param to edit other info. An administrator can edit all info, so I will have a conditional check for authorisation level session var as well. phew!

          What do you think?

          monkey
          Monkey



          • #6
            That's the better solution. Use the original implementation of passing the id in the url and in the edit page, check the access level of the logged in user before proceeding with the display of the edit form. The user can still change the id param in the url but in the server-side script, there is a check if the user has access to it or not by checking the session id variable against the id in the url.
            Glenn
            vBulletin Mods That Rock!



            • #7
              Glenngv, Roy

              I have adapted my authorization script from DW to check for any user who is higher than a member or whose log-on id matches the URL param, but if I change the URL id it still shows the record. I have written out the session and URL param and they don't match (as expected). Any ideas? -

              <%
              ' *** Restrict Access To Page: Grant or deny access to this page
              ' Roles allowed to reach the page at all (comma-separated list searched with InStr)
              authorizedUsers = "administrator,member,bossman"
              authFailedURL = "message.asp?m=r"
              grantAccess = false

              If Session("Username") <> "" Then
                  ' Accept an empty authorization level, or one found in the list above
                  If (false Or CStr(Session("UserAuthorization")) = "") Or _
                     (InStr(1, authorizedUsers, Session("UserAuthorization")) >= 1) Then
                      ' Non-members may edit any record; members only the record whose id
                      ' matches their own session id. This is the comparison corrected in
                      ' post #8: the session holds "member", so "Member" never matches here.
                      If (Session("UserAuthorization") <> "Member") Or (Session("Memid") = Request.QueryString("id")) Then
                          grantAccess = true
                      End If
                  End If
              End If

              If Not grantAccess Then
                  ' Send the user to the failure page, carrying the denied URL along
                  qsChar = "?"
                  If (InStr(1, authFailedURL, "?") >= 1) Then qsChar = "&"
                  referrer = Request.ServerVariables("URL")
                  If (Len(Request.QueryString()) > 0) Then referrer = referrer & "?" & Request.QueryString()
                  authFailedURL = authFailedURL & qsChar & "accessdenied=" & Server.URLEncode(referrer)
                  Response.Redirect(authFailedURL)
              End If
              %>
              Monkey



              • #8
                Found it!!

                should read <> "member", not "Member"!!

                monkey
                Monkey



                • #9
                  Since ASP/VBScript is not case sensitive when it comes to variant names, I've found that a lot of my colleagues get VERY lazy about case sensitivity in general, or just forget about it entirely - I've probably fixed over 2 dozen or more instances of this exact error in the last year!

                  It's a good idea to modify strings so they are the same case, before you compare them, or just make sure you're always paying attention to case sensitivity. That applies to any language, really - here's an example in VBScript:

                  If UCase(string1) <> UCase(string2) Then
                      ' Do Something
                  End If

                  I've seen so many people ignore case sensitivity due to the fact that ASP/VBScript isn't case sensitive with variant names, that they totally forget about it, and then start trying to compare strings that way. I say, ALWAYS be aware that VBScript is very sloppy in this regard!

                  Last edited by whammy; Feb 11, 2004, 09:57 PM.
                  Former ASP Forum Moderator - I'm back!

                  If you can teach yourself how to learn, you can learn anything. ;)
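The check discussed in posts #5 to #9, as an added example that is not code from the thread or from Dreamweaver. It is written in Python rather than VBScript so it can be run and tested stand-alone; the session and query dictionaries are constructed stand-ins for ASP's Session and Request.QueryString objects, and the role names are the ones in the post #7 script. `is_authorized_buggy` is a literal port of that script; `is_authorized` is a hardened version that normalizes case as post #9 suggests, tests role membership exactly instead of by substring, and compares ids as integers. Because the decision rests only on session state, it does not matter whether the id arrived by GET or by a hidden POST field (post #4): either one is attacker-controlled.

```python
# Added example, not code from the thread: a Python rendering of the ASP
# authorization check so it can be run and tested. The session and query
# dictionaries are constructed stand-ins for ASP's Session and
# Request.QueryString objects; the role names come from the post #7 script.

# Roles that may reach the edit page at all (authorizedUsers in post #7).
AUTHORIZED_ROLES = {"administrator", "member", "bossman"}


def is_authorized_buggy(session, query):
    """Literal port of the post #7 script, kept to show why it failed.

    It keeps three weaknesses of the original: the role list is searched as a
    substring (VBScript InStr), the role is compared case-sensitively against
    "Member", and an empty UserAuthorization is accepted.
    """
    authorized_users = "administrator,member,bossman"
    if session.get("Username", "") == "":
        return False
    auth = str(session.get("UserAuthorization", ""))
    if auth == "" or auth in authorized_users:          # InStr-style substring test
        # The session holds "member", so this comparison is always True for
        # members and the ownership test on the right is never reached (post #8).
        if auth != "Member" or session.get("Memid") == query.get("id"):
            return True
    return False


def is_authorized(session, query):
    """Hardened check: may the logged-in user edit the record named in query['id']?

    Everything in `query` came from the address bar and is attacker-controlled,
    so the decision rests only on server-side session state.
    """
    if not session.get("Username"):
        return False                                    # not logged in
    # Post #9: normalize case before comparing strings.
    role = str(session.get("UserAuthorization", "")).strip().lower()
    if role not in AUTHORIZED_ROLES:                    # exact membership, not substring
        return False
    if role != "member":
        return True                                     # administrator/bossman edit any record
    # Plain members may only edit their own record; compare as integers so
    # "7", " 7" and 7 agree and a non-numeric id is rejected.
    try:
        requested = int(str(query.get("id", "")).strip())
    except ValueError:
        return False
    return requested == int(session["Memid"])
```

Note the substring problem: `InStr(1, "administrator,member,bossman", "min")` is non-zero, so the original list check accepts any authorization string that happens to occur inside a real role name. A set (or a split list) of exact names avoids that.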



                  • #10
                    I always try to follow conventions no matter what language!

                    I always get problems by starting JavaScript objects with a capital letter - Document.All doesn't work!!! But in VBScript Recordset.Fields seems to be the convention!!



                    monkey
                    Monkey
