Solved

Alternative to QueryString

Posted on 2009-04-09
7
731 Views
Last Modified: 2013-11-26
I'm building a web store.  When a visitor clicks on a product category link, such as "Furniture" or "Clothing", I would pass the a variable that represented their selection via a querystring.  This variable would be used in my SQL code to retrive the products from my database and load them onto the page.

Is there a better more secure way of doing this?  Any suggestions would be appriciated.  Thanks!
0
Comment
Question by:cdemott33
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 9

Expert Comment

by:Sreedhar Vengala
ID: 24111569
0
 
LVL 37

Expert Comment

by:samtran0331
ID: 24111573
Well, you could use a session...but I would continue using the querystring.
It would let your users bookmark a link directly to a category...like:
http://www.mysite.com/products.aspx?cat=furniture
I've got tons of links to different ebay, amazon, and carmax searches and products that wouldn't work if they didn't use querystrings!

If your concern is security...just make sure you pass the querystring to your SQL with a parameter and/or to a stored procedure and I don't think you need to be overly concerned about security...
Alternately, you could implement some basic encryption on your querystring variables if you're really concerned...but..again...I don't think you need to be...
0
 
LVL 9

Expert Comment

by:Sreedhar Vengala
ID: 24111610
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Expert Comment

by:bedanand
ID: 24113335
The most important thing here is why do u want to secure the querystring. If you dont want you users to able to see categoryid actually used, you can use some function on your app to encrypt and decrypt the category id so that the acutall id will be hidden from the users point of view.

Regards
Bedanand
http://www.dot4pro.com

0
 

Author Comment

by:cdemott33
ID: 24115127
I guess my main concern is that the querystring value, such as...

products.aspx?category=furntiure

...is used in my sql statement.  So on button click I assign the value of the querystring to a string variable that's pumped into my SELECT statement.  (ie SELECT * FROM catalog WHERE productTpye = ** my request.querystring value** )

I've been told to use sql parameters to help with sql injection attackes but do you all believe that secure enough?

0
 
LVL 37

Accepted Solution

by:
samtran0331 earned 500 total points
ID: 24115496
>>I've been told to use sql parameters to help with sql injection attackes but do you all believe that secure enough?

Yes.
Sql injections works by trying to concatentate additional sql statements into yours...if you use parameters, the concatenation fails because it is a parameter to your sql...it can't be bypassed by the injection.
0
 

Author Closing Comment

by:cdemott33
ID: 31568747
Thanks for all your help!
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have ever used Microsoft Word then you know that it has a good spell checker and it may have occurred to you that the ability to check spelling might be a nice piece of functionality to add to certain applications of yours. Well the code that…
You can of course define an array to hold data that is of a particular type like an array of Strings to hold customer names or an array of Doubles to hold customer sales, but what do you do if you want to coordinate that data? This article describes…
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
Get people started with the process of using Access VBA to control Excel using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Excel. Using automation, an Access application can laun…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question