
In existing code, I already had this in my view:

```html
<p class="label">@Html.ActionLink("Update Your Email", "UpdateEmail", "Settings")<br/>
```

And I added a simple text box there so they can type their password. Please note that I DO NOT want a submit button or anything more, just a text box to type their password.

```html
<input type="password" name="userpassword"/>
```

And in the controller, for the action in that ActionLink, I currently have this from old code:

```csharp
public ActionResult UpdateEmail()
{
    // I just want to have the password they typed in here to use it.
    // some pre-existing stuff
}
```

How can I do this? When I come to UpdateEmail(), I want to know what they typed in the textbox. Sorry, I am a noob and this is a stupid question.

Bohn
  • @StephenMuecke This is how manager and designer wanted it. I am not arguing that. Sorry. – Bohn Mar 09 '16 at 23:31
  • @StephenMuecke OMG Why are you arguing so much with me, maybe in real code it is not a password and it is their dog name! I can't post exact code of company here! So I simplified it to what you see. – Bohn Mar 09 '16 at 23:33
  • @Stephen Muecke, my understanding is that HTTPS as opposed to HTTP is the relevant factor, not whether it's POST body or GET querystring. If it's HTTPS, everything else other than the domain is encrypted. – David Mar 09 '16 at 23:39
  • I'm not arguing. I'm trying to understand what you want to do! If you want to redirect to a GET method, use a form with `method="get"` and submit the value(s) to a method which has parameters for the values you're posting. Otherwise use JavaScript to update the `href` parameter of the link. But the normal approach is to submit a form to a POST method –  Mar 09 '16 at 23:42
  • @David you said to Stephen " ... my understanding is that HTTPS as opposed to HTTP is the relevant factor, not whether it's POST body or GET querystring. If it's HTTPS, everything else other than the domain is encrypted." Here is a [good read](http://stackoverflow.com/a/2629241) ... in particular the 2 obvious places where the data is *not* encrypted – Drew Mar 10 '16 at 17:15
  • And whatever was deleted in comments above from @StephenMuecke might have been an attempt to look out for your best interest. But it is now gone. Remember, we work for free here. – Drew Mar 10 '16 at 17:19
  • @Drew Thanks for the link! I didn't consider the issue of server logs, and that SO post led me to this: http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/ – David Mar 10 '16 at 17:45
  • @David what is potentially more troubling is the possibility of, say, a co-worker replaying or running off with your browser cache (or shell cache). No one is talking shell here, but the same concept applies. – Drew Mar 10 '16 at 17:47

1 Answer


You cannot determine what they typed in the box, until the information is POSTed to an action of some sort. You already have one Action method defined:

```csharp
public ActionResult UpdateEmail() {}
```

You need another method defined:

```csharp
[HttpPost]
public ActionResult UpdateEmail([FromBody] ViewModelType viewModel) {}
```

where ViewModelType is defined as having a public property with a public userpassword field. You should also consider adding an [HttpGet] annotation to your existing UpdateEmail() method.

David
  • Well, the scenario is they type something in that textbox, then they click on that update email link that used to be there from before. So now does your solution work? I need a little more explanation to understand it. Thanks – Bohn Mar 09 '16 at 23:36
  • In that case, yes, but you definitely need a click event handler on the link, to read the textbox and trigger the POST to UpdateEmail(viewmodel). (And it should be a POST instead of a GET, because you're making a change.) – David Mar 09 '16 at 23:43
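
The click handler described in the last comment, as an added example that is not part of the original answer: it reads the textbox and sends the value in a POST body, so it stays out of the URL, server logs and browser history raised in the comments on the question. The link id `update-email-link`, the function names, and a `[HttpPost]` action that binds a form-encoded `userpassword` field are assumptions; the anti-forgery field is sent only if the view renders `@Html.AntiForgeryToken()`.

```javascript
// Added example. Hypothetical names: buildUpdateEmailRequest,
// wireUpdateEmailLink, and the element id "update-email-link".

// Build the POST request. The secret goes in the body, never in the URL.
function buildUpdateEmailRequest(actionUrl, password, antiForgeryToken) {
  const body = new URLSearchParams();
  // Same field name as the <input> in the view; URLSearchParams encodes
  // characters such as & = and space that would corrupt a hand-built string.
  body.set('userpassword', password);
  if (antiForgeryToken) {
    // Field name emitted by @Html.AntiForgeryToken() in ASP.NET MVC.
    body.set('__RequestVerificationToken', antiForgeryToken);
  }
  return {
    url: actionUrl,
    options: {
      method: 'POST',
      credentials: 'same-origin',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Attach the click handler. `doc` and `send` are injected so the logic can be
// exercised without a browser; in a page they are `document` and `fetch`.
function wireUpdateEmailLink(doc, send) {
  const link = doc.getElementById('update-email-link'); // assumed id on the ActionLink
  const box = doc.querySelector('input[name="userpassword"]');
  const tokenField = doc.querySelector('input[name="__RequestVerificationToken"]');
  link.addEventListener('click', (event) => {
    event.preventDefault(); // stop the link's default GET navigation
    const req = buildUpdateEmailRequest(
      link.getAttribute('href'), box.value, tokenField ? tokenField.value : null);
    box.value = ''; // do not leave the typed value sitting in the DOM
    return send(req.url, req.options);
  });
}

// Only wire up when running in a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded',
    () => wireUpdateEmailLink(document, fetch));
}
```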