
Possible Duplicate:
Get query string values in JavaScript

I have a calendar web page. When a user opens an event, it opens the page with a URL like "http://localhost/Event.aspx?eventid=4". Then I use jQuery to call a page method to show some extra data. The data parameters that I am sending through the $.ajax function also include "eventID" (to show data for the correct event). If a user manually (let's say through the Firebug console) executed the jQuery call to the page method with a faked "eventID", he would get false data. I would like to prevent that by not sending eventid with the jQuery data parameters, but somehow getting eventid in the server-side code-behind. The thing is that I can't use sessions (because a user can open more than one event and each one would have its own eventID), and I also can't use cookies, because they can be hacked too. So I was trying to get the correct eventid directly inside the page method, using

HttpContext.Current.Request.QueryString

but with no luck. On Page_Load I get my eventid with:

EventID = Page.Request.QueryString("eventid")

but I can't find a way to get this eventid value into my page method.

So, I am asking for advice on how to get a page method parameter value from the URL or from a public variable defined in Page_Load.

Thanks.

EDIT: Currently I am using POST to send parameters like:

var myEventId = $("#hiddenField").val();

$.ajax({
    url: "Event.aspx/getEventData",
    type: "POST",
    data: "{'eventid':myEventId}"
    ...
});

But I would like to avoid sending eventid parameter with POST, to prevent hacking.

Daniel
  • How about using a POST rather than a GET? In this case you can have a hidden field on the page which can be posted to the server to call your method... – Sunny Apr 30 '12 at 16:19
  • This question may help you: http://stackoverflow.com/questions/901115/get-query-string-values-in-javascript – Fiona - myaccessible.website Apr 30 '12 at 16:19
  • FYI, a POST request is no more secure from a malicious user than a GET request, and vice versa. – Jeff Apr 30 '12 at 18:04

1 Answer


The root question here seems to contradict itself.

You're saying you need to get the eventId from the user, but you don't actually want to get anything from the user because they could hack/change it.

The bottom line is that you shouldn't trust any input from the user, period. If the user has access to read event "foo", but not event "bar", then you'll need to verify this on the server side.

You can't really do anything to prevent them from sending you "bar", but you can deny them from viewing "bar" after they have sent it.

As far as what is wrong with your code, the data parameter needs to be JSON itself, not a string of JSON (remove your quotes):

$.ajax({
    url: "Event.aspx/getEventData",
    type: "POST",
    data: { eventid : myEventId}
    ...
});
Aaron Daniels
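
The server-side check the answer describes, as an added example that is not part of the original answer or the asker's project: the page method still receives eventid from the client, but refuses any event the signed-in user may not read. EventStore, EventDto, EventPage and the sample access list are hypothetical, and the code assumes ASP.NET authentication is configured so that HttpContext.Current.User is populated.

```vbnet
' Added example: code-behind sketch for Event.aspx (VB.NET).
' EventStore and its data are hypothetical stand-ins for the real database.
Imports System
Imports System.Collections.Generic
Imports System.Security
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Services

Public Class EventDto
    Public Property Id As Integer
    Public Property Title As String
End Class

' Constructed sample data: which user may read which event.
Public NotInheritable Class EventStore
    Private Shared ReadOnly Acl As New Dictionary(Of Integer, HashSet(Of String)) From {
        {4, New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {"alice", "bob"}},
        {5, New HashSet(Of String)(StringComparer.OrdinalIgnoreCase) From {"alice"}}
    }

    Public Shared Function CanRead(userName As String, eventId As Integer) As Boolean
        Dim readers As HashSet(Of String) = Nothing
        Return Acl.TryGetValue(eventId, readers) AndAlso readers.Contains(userName)
    End Function

    Public Shared Function Load(eventId As Integer) As EventDto
        Return New EventDto With {.Id = eventId, .Title = "Event " & eventId}
    End Function
End Class

Partial Public Class EventPage
    Inherits System.Web.UI.Page

    ' eventid still arrives from the client; the server decides whether to honour it.
    <WebMethod()>
    Public Shared Function getEventData(eventid As Integer) As EventDto
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then
            Throw New SecurityException("Not signed in.")
        End If
        ' Same failure for "does not exist" and "not yours", so ids cannot be probed.
        If Not EventStore.CanRead(user.Identity.Name, eventid) Then
            Throw New SecurityException("Event not available.")
        End If
        Return EventStore.Load(eventid)
    End Function
End Class
```

With this in place, a call made from the browser console with a changed eventid returns an error unless the caller is on that event's access list.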