#1
General - Question - Hid an ID in the URL
I have come across a small anomaly that I am unsure how to approach.

Basically I have a logged in user that can update a record. Works great but the url shows the id of the record in the address, i.e. update_form.asp?ID=47. I have, as an experiment, logged in as a second user that does not have this record associated to them which is good, but, it is possible to click to update a record associated to this second and then manipulate the url to show any ID number, meaning that a user can guess at any ID in the entire database and update the record, therefore screwing up records associated to another user if one was feeling vindictive. Does anyone know how I can assure that the session name will only show all ids associated to that user. This is the session code I'm using to recognise a user, Code:
'Check if user is logged in
If Session("name") = "" Then
    'If not, go to login page
    Response.Redirect("login.asp")
Else
    'If so, build page
    '... page content ...
End If

"name" looks for the username associated with the user and all records associated with that user obviously have their own ID. I'm guessing that I need to add somewhere to the SQL to only look for ids associated with logged in user and if a page is hit with an unassociated user then it redirects to an error of some kind. This is a general sql statement I'm using: [code]rs.Open "SELECT * FROM tblTrainingData WHERE username = '" & session("name") & "' order by fDate desc"[/code] Thanks
#2
have you tried using post method rather than get?
__________________
Please give respect to those that helped solve an issue by clicking on the reputation icon
#3
Quote:
I have just worked out the syntax to add another WHERE to the statement Code:
strSQL = "SELECT * FROM tblTrainingData WHERE ID=" & lngRecordNo & " AND username = '" & session("name") & "'"
This seems to have done the trick. Once I thought about it it seemed fairly obvious. I am however getting the "Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record." error, but I assume this is because the sql has done its job and I guess I need to implement an error message. That's the next step.
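The owner-scoped query from post #3, carried through to both the page load and the save, with the empty-recordset case checked before any field is read. This is an added example in Classic ASP/VBScript, not code from the thread; `conn`, the posted `fDate` field, the 50-character username size and the helper names `Deny`, `NewCommand` and `AddOwnerFilter` are assumptions.

```vbscript
<%
' Added example, not code from the thread. Assumptions: conn is an open ADODB.Connection,
' username holds at most 50 characters, and the edit form posts back "ID" and "fDate".
Const adInteger = 3, adDate = 7, adVarChar = 200, adParamInput = 1
Const adCmdText = 1, adExecuteNoRecords = 128

Sub Deny(status)
    ' Same response whether the row is missing or owned by someone else.
    Response.Status = status
    Response.Write "Record not available."
    Response.End
End Sub
Function NewCommand(sql)
    Dim c
    Set c = Server.CreateObject("ADODB.Command")
    Set c.ActiveConnection = conn
    c.CommandType = adCmdText
    c.CommandText = sql
    Set NewCommand = c
End Function
Sub AddOwnerFilter(cmd, id)
    ' Binds the two trailing "?" markers: record ID, then the session's user.
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
    cmd.Parameters.Append cmd.CreateParameter("owner", adVarChar, adParamInput, 50, CStr(Session("name")))
End Sub

If Session("name") = "" Then Response.Redirect "login.asp"

' Digits only and short enough that CLng cannot overflow. Request("ID") reads
' the query string or the form, so GET and POST get the same check.
Dim re, id, cmd, rs, affected
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(Trim(Request("ID"))) Then Deny "400 Bad Request"
id = CLng(Trim(Request("ID")))

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If Not IsDate(Request.Form("fDate")) Then Deny "400 Bad Request"
    Set cmd = NewCommand("UPDATE tblTrainingData SET fDate = ? WHERE ID = ? AND username = ?")
    cmd.Parameters.Append cmd.CreateParameter("fDate", adDate, adParamInput, , CDate(Request.Form("fDate")))
    AddOwnerFilter cmd, id
    cmd.Execute affected, , adExecuteNoRecords
    If affected = 0 Then Deny "404 Not Found"   ' not this user's row: nothing was written
Else
    Set cmd = NewCommand("SELECT * FROM tblTrainingData WHERE ID = ? AND username = ?")
    AddOwnerFilter cmd, id
    Set rs = cmd.Execute
    If rs.EOF Then Deny "404 Not Found"         ' test EOF before reading any field
    ' ... build the edit form from rs ...
End If
%>
```

The `username = ?` filter sits on the UPDATE as well as the SELECT because the save request carries its own ID, which the server has to check against the session each time it is received.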
#4
Quote:
hmmm...I figured posting the id would have been the obvious ...anyhoot... not sure why you would get that error ...because if your code is displaying the record on the "edit" page...then in theory....there is a record to be deleted