Hi,

So what is the problem? What are you worried about?

What does the badguy have to gain by formulating his own query string?

pkunal wrote:

All,

The situation is this.

On my web page "products.asp" I am displaying all the products from my database and allow the user to select the quantity he wants to buy.

So to make it short:
"$itemCode" comes after a query to the database for each item in database. The form looks like this:


<form action="/asp/verify.asp">
<select name="Qty_<%=$itemCode%>">
<option selected>0</option>
<option>1</option>
<option>2</option>
<option>3</option>
</select>
<input type="submit" name="SUBMIT">
</form>

So the quantity is passed to "verify.asp" through the querystring and looks like this:
http://....../verify.asp?Qty_1=1&Qty_2=3....


The query string gets long depending on the number of products I have. Then I again retrieve the "itemcode" and its selected "quantity" on the "verify.asp" page using the "$Request-QueryString()" object.

I am not happy with this solution, as it makes the website vulnerable: a user can input anything in the querystring "http://....../verify.asp?Qty_1=1&Qty_2=3....".


Please suggest a good way to do this.

Thanks,
Kunal Parekh.


--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
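A server-side check of the kind verify.asp needs, as an added example in Python (it is not code from the thread and not ASP): every Qty_<itemCode> parameter is whitelisted against the server's own item codes and bounded to the range the form offers, and anything else is rejected. CATALOGUE is a constructed stand-in for the products table.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for the products table that products.asp reads;
# real item codes come from the database, never from the request.
CATALOGUE = {"1": "Widget", "2": "Gadget", "3": "Sprocket"}
MAX_QTY = 3  # the posted <select> offers 0..3, so anything larger was not sent by the form

def parse_order(query_string, catalogue=CATALOGUE, max_qty=MAX_QTY):
    """Validate a verify.asp-style query string.

    Returns (order, errors): order maps item code -> quantity for every
    item with quantity > 0. If errors is non-empty, order is empty and the
    request should be rejected rather than partially honoured.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    order, errors = {}, []
    for name, values in params.items():
        if name == "SUBMIT":          # the submit button's own field
            continue
        if not name.startswith("Qty_"):
            errors.append(f"unexpected parameter {name!r}")
            continue
        code = name[len("Qty_"):]
        if code not in catalogue:     # whitelist against the server's own codes
            errors.append(f"unknown item code {code!r}")
            continue
        if len(values) != 1:          # Qty_3=1&Qty_3=2 is ambiguous: reject it
            errors.append(f"repeated parameter {name!r}")
            continue
        raw = values[0]
        # ASCII digits only: rejects '', '-1', '1.5', '1e3', ' 1' and unicode digits
        if not re.fullmatch(r"[0-9]{1,3}", raw):
            errors.append(f"non-numeric quantity {raw!r} for item {code!r}")
            continue
        qty = int(raw)
        if qty > max_qty:
            errors.append(f"quantity {qty} for item {code!r} exceeds {max_qty}")
            continue
        if qty > 0:
            order[code] = qty
    return ({}, errors) if errors else (order, [])
```

The same rule applies to anything else the page later needs (prices, item names): look it up by the validated code on the server instead of reading it from the request.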
