• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 981
  • Last Modified:

Alternative to QueryString

I'm building a web store.  When a visitor clicks on a product category link, such as "Furniture" or "Clothing", I would pass the a variable that represented their selection via a querystring.  This variable would be used in my SQL code to retrive the products from my database and load them onto the page.

Is there a better more secure way of doing this?  Any suggestions would be appriciated.  Thanks!
0
cdemott33
Asked:
cdemott33
  • 2
  • 2
  • 2
  • +1
1 Solution
 
Sreedhar VengalaSr. Consultant - Business IntelligenceCommented:
0
 
samtran0331Commented:
Well, you could use a session...but I would continue using the querystring.
It would let your users bookmark a link directly to a category...like:
http://www.mysite.com/products.aspx?cat=furniture
I've got tons of links to different ebay, amazon, and carmax searches and products that wouldn't work if they didn't use querystrings!

If your concern is security...just make sure you pass the querystring to your SQL with a parameter and/or to a stored procedure and I don't think you need to be overly concerned about security...
Alternately, you could implement some basic encryption on your querystring variables if you're really concerned...but..again...I don't think you need to be...
0
 
Sreedhar VengalaSr. Consultant - Business IntelligenceCommented:
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
bedanandCommented:
The most important thing here is why do u want to secure the querystring. If you dont want you users to able to see categoryid actually used, you can use some function on your app to encrypt and decrypt the category id so that the acutall id will be hidden from the users point of view.

Regards
Bedanand
http://www.dot4pro.com

0
 
cdemott33Author Commented:
I guess my main concern is that the querystring value, such as...

products.aspx?category=furntiure

...is used in my sql statement.  So on button click I assign the value of the querystring to a string variable that's pumped into my SELECT statement.  (ie SELECT * FROM catalog WHERE productTpye = ** my request.querystring value** )

I've been told to use sql parameters to help with sql injection attackes but do you all believe that secure enough?

0
 
samtran0331Commented:
>>I've been told to use sql parameters to help with sql injection attackes but do you all believe that secure enough?

Yes.
Sql injections works by trying to concatentate additional sql statements into yours...if you use parameters, the concatenation fails because it is a parameter to your sql...it can't be bypassed by the injection.
0
 
cdemott33Author Commented:
Thanks for all your help!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now