发表新帖
发表新帖

ASP.Net MVC - handling bad URL parameters

前端 未结
关注
5 1739
不知归路
不知归路 2021-02-01 07:21

What\'s the best way to handle a visitor constructing their own URL and replacing what we expect to be an ID with anything they like?

For example:

ASP.Net MVC -

相关标签:
5条回答
  • 轻奢々
    2021-02-01 07:57

    Here is some useful infromation that might help. If you have a action method 

    public ActionResult Edit(int? id)
{}

    then if someone types in 

    /Home/Edit/23

    the parameter id will be 23. however if someone types in 

    /Home/Edit/Junk

    then id will be null which is pretty cool. I thought it would throw a cast error or something. It means that if id is not a null value then it is a valid integer and can be passed to your services etc. for db interaction.

    Hope this provides you with some info that I have found whilst testing.

    0 讨论(0)
  • 别那么骄傲
    2021-02-01 08:06

    You can specify constraints as regular expressions or define custom constraints. Have a look at this blog post for more information:

    http://weblogs.asp.net/stephenwalther/archive/2008/08/06/asp-net-mvc-tip-30-create-custom-route-constraints.aspx

    You will still need to deal with the situation where id 43243 doesn't map to anything which could be dealt with as an IActionFilter or in your controller directly.

    0 讨论(0)
  • 一整个雨季
    2021-02-01 08:08

    Here's an example of a route like yours, with a constraint on the number:

    routes.MapRoute(
    "Question",
    "questions/{questionID}",
    new { controller = "StackOverflow", action = "Question" },
    new { questionID = @"\d+" } //Regex constraint specifying that it must be a number.
);

    Here we set the questionID to have at least one number. This will also block out any urls containing anything but an integer, and also prevents the need for a nullable int.

    Note: This does not take into account numbers that larger than the range of Int32 (-2147483647 - +2147483647). I leave this as an exercise to the user to resolve. :)

    If the user enters the url "questions/foo", they will not hit the Question action, and fall through it, because it fails the parameter constraint. You can handle it further down in a catchall/default route if you want:

    routes.MapRoute(
    "Catchall",
    "{*catchall}", // This is a wildcard routes
    new { controller = "Home", action = "Lost" }
);

    This will send the user to the Lost action in the Home controller. More information on the wildcard can be found here.

    NB: The Catchall should reside as the LAST route. Placing it further up the chain will mean that this will handle all others below it, given the lazy nature of routes in ASP.NET MVC.

    0 讨论(0)
  • 轻奢々
    2021-02-01 08:09

    The problem with that approach is that they still might pass an integer which doesn't map to a page. Just return a 404 if they do that, just as you would with "foo". It's not something to worry about unless you have clear security implications.

    0 讨论(0)
  • 不思量自难忘°
    2021-02-01 08:14

    In ASP.NET MVC, you can define a filter implementing IActionFilter interface. You will be able to decorate your action with this attribute so that it will be executed on, before or after your action.

    In your case, you will define it to be executed "before" your action. So that, you will be able to cancel it if there is an error in the passed parameters. The key benefit here that you only write the code which checking the passed paramaters once (i.e you define it in your filter) and use it wherever you want in your controller actions.

    Read more about MVC filters here: http://haacked.com/archive/2008/08/14/aspnetmvc-filters.aspx

    0 讨论(0)
 看不清?
提交回复
热议问题