I have the following code in a partial view:

<li>@Html.ActionLink("Text", "ViewName", "ViewFolder", new { param = 0 }, null)</li>

When I hover over the link, I can see in the browser the parameter being used

http://localhost:49781/ViewFolder/ViewName?param=0

Is there a way to hide this information from users? I wouldn't want them to copy and paste the URL and start typing in their own values for the parameter.

The reason I am using a parameter is because my Model needs to know which stored procedure to execute. There are 5 links that will all use the same stored procedure, the only difference is the parameter being passed.

There is a possibility that, in the future, certain users shouldn't see certain things... but if all they have to do is change the param number to see what should be hidden, that can be a problem.

Also, I wouldn't want params being sent that could potentially "crash" anything.

Thanks in advance for your help!

tereško
blacksaibot
  • You can encrypt the parameter value while passing it to the @Html.ActionLink, and on the receiving action you can decrypt it back, so the users will only see unreadable values. This might help: http://stackoverflow.com/questions/165808/simple-two-way-encryption-for-c-sharp – Emil Oct 19 '16 at 14:22
  • Look at this: http://stackoverflow.com/questions/11488442/asp-net-mvc-3-how-to-force-an-actionlink-to-do-a-httppost-instead-of-an-httpge – Bene Oct 19 '16 at 14:29
  • Please do not take this approach. The solution here isn't to obfuscate the URL, it's to include proper authorization that stops people from executing things they shouldn't. Just "hiding" the parameter is not going to stop people from using that URL. – Ant P Oct 19 '16 at 14:31

1 Answer

URL parameters are good to use if a user wants to bookmark a page or for users to be able to press the Back button to return to the page after they navigated away.

You can pass data in other ways (via a POST or cookies or something), but if it's a link to a page, there is no need to.

If they happen to mess with your URL (either intentionally or by not copy pasting the entire URL) and the system breaks (gracefully I hope, so your 404 page is styled, has a link back to the home page etc) - if it's not messing with your database - that's absolutely fine! They should not be surprised that things break when they mess with the URL, and if they are smart enough to understand how to edit the URL correctly, power to them!

Instead I would simply aim to make sure that the param's a value you expect and if it isn't, either break accordingly or redirect to a valid page.

Here's an example that checks if the parameter is valid. If it is not, it returns a 404, else it does some stuff.

// Requires: using System.Linq; using System.Web.Mvc;
public ActionResult ViewName(int param) {
    if (!CheckIfParamIsValid(param)) {
        // Do the thing you want to do, if the value is not valid, e.g. throw a page not found/404.
        return new HttpNotFoundResult("No data found for param " + param);
    }
    // Go get your data using the param, knowing that it's now safe.
    // GetModel is a placeholder for your own data access code.
    var model = GetModel(param);
    return View(model);
}

/// <summary>
/// Function to check if your param is a value you expect to receive or not
/// </summary>
/// <param name="param">the value you are testing (hopefully called something more descriptive than 'param')</param>
private bool CheckIfParamIsValid(int param) {
    // Example logic for checking if the param's between 1-5
    return Enumerable.Range(1, 5).Contains(param);
}
ntimofeev
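An added example (not code from the question or the answer) that combines the answer's allow-list check with the per-user authorization raised in the comments, for the `/ViewFolder/ViewName?param=0` link in the question. The 0-4 value range, the role names and the `LoadModel` helper are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

[Authorize] // anonymous requests never reach the action
public class ViewFolderController : Controller
{
    // Constructed mapping: each accepted param value and the role allowed to
    // request it. A null role means any signed-in user. Role names are hypothetical.
    private static readonly IReadOnlyDictionary<int, string> RequiredRole =
        new Dictionary<int, string>
        {
            { 0, null },
            { 1, null },
            { 2, null },
            { 3, "Managers" },
            { 4, "Auditors" },
        };

    // int? instead of int: a missing or non-numeric value binds to null
    // instead of raising an exception before the action body runs.
    public ActionResult ViewName(int? param)
    {
        string role;
        if (param == null || !RequiredRole.TryGetValue(param.Value, out role))
        {
            return HttpNotFound(); // unknown value: the stored procedure is never called
        }

        // Authorization is decided on the server for every request, so editing
        // the query string does not grant access to a restricted value.
        if (role != null && !User.IsInRole(role))
        {
            return HttpNotFound(); // same response as an unknown value
        }

        var model = LoadModel(param.Value);
        return View(model);
    }

    // Placeholder for the stored-procedure call; pass the value as a typed
    // SqlParameter rather than concatenating it into the SQL text.
    private object LoadModel(int param)
    {
        return new { Param = param };
    }
}
```

The partial view can use the same mapping to render only the links the current user is allowed to follow, but the check in the action is what enforces access.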