project type is MVC2. Let say that i have page1. after success it write somethink to row and get new inserted row id and redirect to another page and sends row id as parameter. and user can see this parameter on querystring. and can change it. i think so taht it is problem in some situation(pages). i use for it a hidden input and after post checking parameter from query string with hidden input value. if they are not equal then writing in to log and redirectiong to error page. does my way is correct. or have a good methods.
thanks...
Exposing IDs like this is pretty standard and is what lets browser bookmarking of specific items work. Your job is to ensure that the user can only see and modify records that they should be able to.
If the user does some URL-hacking and enters the URL to an item they are not allowed to see or modify, you can either just kick them back to the parent page, or give an Access Denied message, depending upon the app/context.
The bottom line is never trust user input, including hidden form parameters.
Related
I would like to create the following form:
Step 1: The user enters his contact details.
Step 2: A confirmation page, where the user has the possibility to confirm or edit his entered data again (back to step 1)
The contact details are stored in an entity domain object. The properties have annotations for validation.
My problem:
When I pass the contact object to the confirmation page, I get the message
Could not serialize Domain Object Vendor\Extension\Domain\Model\Object. It is neither an Entity with identity properties set, nor a Value Object.
I understand that I cannot pass a non-persistent domain object. A tip I found was to convert the object to an array and back again later. This works to display the input on the confirmation page. But if the user edits the data, I lose the validation functionality when converting to an array.
Another possibility would be to persist the object already after step 1 (temporarily?) . The problem here is that the data must not be displayed in the backend (they are not yet confirmed). In addition, unused data is created if the user cancels the process.
Is it possible to save objects temporarily?
What is the most elegant solution to this problem?
If you only wan't to create a form, why don't you use a form plugin like Ext:form or Ext:powermail? These have a summary page by default. And you have the possibility to write the entered data into you're database.
I currently have an Angular 2 app where the user can submit a form to create a new item. When the submit button is clicked, it calls a function that sends the data to the server and navigates to a new page when the server confirms that the data has been saved successfully.
My problem comes because the form submission appends the form parameters to the URL. So for example if I had an input named title and submission took me to the route mytitle which is the input for the title field, Angular (or whatever injects the GET parameters) would try to navigate to mysite.com/mytitle?title=mytitle instead of just mysite.com/mytitle. Even adding [ngModelOptions]="{standalone: true}" to all of my inputs still leaves a question mark with no parameters after it.
This is a problem because it causes Angular to reload the app because the given route does not match any routes in my route definitions. Is there a way to disable the GET parameters being injected into the URL entirely? POST doesn't work either because I have nowhere to post to, and my next URL uses data from the form itself.
I found an answer to my question, the "Submit" button defaulted to being of type "submit", so changing it to type "button" removed the GET parameters injection behavior.
Check setValue in your form control. Example: Set value this way this.form.controls['val'].setValue='' rather than assigning an empty value
(i.e. this.form.controls['val'] == 0).
If your problem still exists, kindly add button type submit to the button and manually give the click function access to it.
The question is generally language/framework agnostic but if it matters I work with Grails and most interested in grails specific solution if such exists.
There's a form mapped to URL: /foo/create. When user type in this URL to his browser the form is shown.
Form action attribute directs to /foo/save and has method POST. If saving is successful, then standard post-redirect-get pattern is applied, and user is redirected to /foo/show.
But, if user specified incorrect data, they should see the same form again with error messages and all their data preserved. To implement this behavior, I do forward to the controller which produces the form (the same is mapped to /foo/create).
After that user sees the form with data and error messages, but URL field is changed in browser to /foo/save. And if user change focus to URL field and press enter - 404 will be shown (because nothing is mapped to /foo/save + method=GET pair).
The long story short: URL /foo/save is shown in a browser (as there were no redirection after form was submitted) but it directs to nowhere if accessed by HTTP GET method.
How to deal with this situation? Surely, I can map something to /foo/save but I wonder if there's a way not to change URL shown in a browser after form with wrong data was submitted?
Two approaches:
The form submits to itself, i.e. /foo/create submits to /foo/create, only if successful the page is redirected to /foo/show. This should use a post-redirect-get cycle as well and store the submitted data in the session, but could be a simple POST without redirect.
/foo/save always redirects again, either to /foo/create if the data was invalid or to /foo/show if the data was valid. This will always use a post-redirect-get cycle with the data saved in the session.
I have an ASP page that takes two arguments on the querystring. On the page is a form that posts back to itself.
If I do the form post once, and then try to refresh the page, it doesn't repost the form. It loads the page as though it were loading for the first time, missing the querystring values.
Is there a way to ALWAYS force a repost when I refresh a page that is the result of a FORM post?
It sounds like the problem you're having is loss of some essential parameters to your page when posting. In ASP there are two primary methods of passing parameters, in the url string via GET or from a form POST. The former passes you values in the QueryString dictionary while the latter gives them to you in the Form dictionary. Fortunately for you it is possible to accept a parameter that exists in EITHER dictionary by looking to Request object:
Request["a"] will find a regardless of being in Request.QueryString["a"] or Request.Form["a"].
This will help you in your current dilemma because you can simply write your querystring parameters to your Form on initial load of the page as <input type="hidden" fields. On subsequent posts your Request["a"] search for your parameters will find them regardless of being passed in the URL (on initial load) or via post on subsequent calls.
The problem was that I was going into the Firefox address bar and pressing Enter. This caused the URL to reload (and of course it didn't have the querystring after it reposted). So -- lesson is to do a check of the incoming vars and form vars to see if the page has been manually refreshed I suppose...
You could still maintain the submitted values in this situation.
What you would need to do is log the most recent request in either a Cookie, Session or data/file store, and on each request, check to see if the request was handled before you remove the data.
Since what you were after was the querystring it could just be something like this:
Response.Cookies("tempdata")("querystring") = Request.ServerVariables("QUERY_STRING")
Response.Cookies("tempdata")("querystring_handled") = false
then when you are done with that request you can clear the cookie value or set the querystring_handled = true.
There are probably situations where this could cause some conflicts, but just so you know, it is still going to be possible for you to remember the request once it is received by the server.
Which action does the form use: GET or POST? Normally, a form would use the POST action, but in this case, if you refresh the page with the posted form, you will not get anything in query string, because query string only gets passed via the GET action. Assuming that this issue is not caused by page caching, it seems to me like it works as designed (if the form POSTs data). Just make sure that you process the form variables if the query string is missing.
I am using T4MVC to redirect to another action return RedirectToAction(MVC.MyController.MyAction());.
In result it is doing get request.
Is there any way to make post request from controller. I want to keep all the same but only make post instead get. I cant find any methods for that. I found one post helper here http://geekswithblogs.net/rakker/archive/2006/04/21/76044.aspx but i cant pass any values i need using this post helper. I was trying to pass values through TempData but they are not coming when i using this helper. May be some one have any ideas?
The reason i want to do this because when user come from one controller to another and then if user click update or just click enter in browser address bar, page will break.
Should i use session for that reason?
A RedirectToAction will always perform a GET, never a POST (it returns a HTTP 302 to the browser, which will then issue a GET request).
To persist data across the redirect, if it is data that can be easily represented as a string and stored in the query string, then you can just add it to the route values of the redirect.
e.g.
return RedirectToAction("Search", new { searchString = "whatever" });
If it is a complex type, then you will need to store it in TempData. A number of other questions on StackOverflow (such as this one) give details on how.
If repeatedly storing to and reading from TempData across your application offends your code-sense, then you can encapsulate this by using the PassParametersDuringRedirect attribute and generic RedirectToAction available in the MvcContrib project. Some details on this technique are available here.
only way of doing post is by having a form and doing submit on that form, either with a submit button or with javascript, any info you want passed to that action must be in that form and you will find everything posted in FormCollection(hope I spelled it right).