I have a message database that stores the private messages from users to users. I have a column called MessageID, which is a unique number. In my application, I have a message inbox (using gridview) page that shows the user who messaged you, the subject, and the create date. Next to it I have a button you can click to view the message. I am wondering if there is some way I can extract the MessageID of the message so I can use a SELECT FROM with a WHERE query to get the body of the message.
Maybe I could store the MessageID on the .aspx page somewhere but keep it hidden?
Nevermind, I got a working solution! I just added a column for the MessageID on the gridview and I turned the visibility of it to be false so the user can't see it. But this way the MessageID is there and I can use it as a query parameter
Related
Sorry if this is too basic for this site, but app maker help directed me here. I am creating a data entry screen that includes basic info for a user - name, email, phone, etc. I am using the user picker to select the individual from our Directory. How do I pass all of the needed Directory field values of the selected user to my insert record screen. I am checking the valueisRecord box on the user picker, but can't figure out how to assign the selected user's info to the form's value fields. Thanks for the help.
Ok, your last comment makes sense. But please, to avoid going back and forth, I encourage you to formultae your question properly by including all the information that could be required. Now, moving on to your problem...
The reason you are getting that error is because you are binding the UserPicker widget value to the datasource email field. Remember, the UserPicker value is an object, not a string.
To fix your problem, remove the binding of the value from the UserPicker. Then for the onValueChange change event of the UserPicker please add the following:
var fullName = newValue.FullName;
var email = newValue.PrimaryEmail;
widget.datasource.item.Name = fullName
widget.datasource.item.email = email;
That way, you don't assing an object to the email field but instead a plain string.
I'm building a simple web form which allows user to edit there data like email, emergency contact etc.
The edit form is rendered using Asp.NET MVC 5. Proper html fields are rendered for Id, email, emergency contact etc.
Lets say the request to save the data is received by the following controller method.
SaveData(recordId, email, emergencyContact)
{
;
}
Question: How do I make sure that recordId was indeed the id that was rendered as part of the edit form? We don't want this user to update another user's record.
I have the following options in mind
1. Create a hash of the record id and send the hash as well.
2. Ensure user is authorized to modify the record indicated in given record id.
Is there any other way? Does MVC 5 provide any features so that I don't have to put this sort of logic in my application logic?
Typical approaches are:
Store the ID of the record as a hidden field. If you are concerned with hijacking, encrypt the value and decrypt on the server.
Store the ID of the record in session; this way, you always pull back the record and keep the value on the server. But when session dies, so does the link to the record.
Yes I'd highly recommend check permissions to the record if you store the ID in the URL.
I've built a number sites using classic ASP type security and have continued using the same methods in ASP.NET. However, I now am looking for recommendations for a better or best practice way of doing it. I've read a few resource online but have not seen anything comprehensive enough that's applicable to what I'm trying to do. What I'm trying to do is apply user specific security that determines that user's access to specific pages, sections on that page, and fields in each section. It also needs to restrict access to various records as well and determine whether it's read or write privileges.
For those interested, here's how I've done it so far:
Because I lacked the know-how, here's how I did it using the old ASP classic way...
First, on the database side I have 4 relevant tables: tblUsers, tblRoles, tblPages, tblRecords (haven't gotten to sections and fields yet). Each user can belong to a "role" and the role then determines what pages they can access as well as what records they can access in various tables (there are a number of other tables in the db as well e.g. tblCustomers, tblSales, etc...). Each table includes these fields:
tblUsers: UserID, UserName, UserPwd
tblRoles: RoleID, RoleName, UserID
tblPages: PageID, PageName, RoleID
tblRecords: RecordID, RecordTable, RoleID
Now on the application side here's what I've done:
First, my login page is based on 1) looking up the user name and password in the tblUsers table and 2) if found, setting a session variable named "UserLoggedIn" = true. Then on every page load event I check if the UserLoggedIn session is set to true, if so, continue... if not clear all session variables (log out) and send the user back to the login page. The old classic ASP way of doing it.
Second, with the login set up, to control page access, when the user is logged in I created another session variable that holds a pipe delimited string of all the pages that user can access (e.g. Session("PageAccess") = "{1|3|10|8}"). Then in each page's load event I've explicitly added a variable/constant that uniquely identifies that page (e.g. pageone.aspx has Dim PageID As String = 1). Then I check to see if the PageID matches an ID stored in the PageAccess session. If it does, continue... If it doesn't I send them to the home page.
Third/Last, for the records access, I did the same thing. When the user is logged in I created a session variable that hold a pipe delimited string of all the records the user could access along with the table it's related to (e.g. Session("RecordAccess") = "{tblCustomrs||1|5|7}" and checked it and applied it basically the same way as the page session variable.
My Solution is :(it worked for my projects)
tables : tblUser , tblRole ,
tblUserInRole : userid,roleid,username,password (this design help you can assign more than one role to a user)
tblrole, tbrules(your Access Controls for example pages)
tblRulesInRole : roleid , ruleid,Editable,Viewable,printable,Deletable
For Implement Access Control in every request and response ,you should Create HttpModule......
I've got an old framework 1.1 project with the following problem: if user submits a page then in database duplicated records might appear. This error repeats often but is not consistent: in most cases there are no duplicated entries but in some cases there can be upto 4 of them. We disable submit button with JavaScript after first submission.
May be this would be helpful: there is a session object used to store user inputs (which are submitted).
Any scenarios you can think of why duplicated records can happen?
Many thanks
Finally I found that some mobile browsers ignored JavaScript that disabled submission button and users managed to resubmit form multiple times.
The easiest (?) solution to this is the following:
Create a table "SubmissionTokens" in database with two fields: Token (uniqueidentifier), DateCreated (DateTime). Then, when page with submission form loads, add a token to database and save "id" value in a hidden field on the same page. When user submits the form then read token from the hidden field and see if token exists in table SubmissionTokens. If it does exist then insert a new record with form data in the database and delete the token from SubmissionTokens. You can also use DateCreate field to expire tokens.
At work I implemented a bit different solution and just look for duplicated records in the database before inserting a new record. But this is because there is a specific requirement that user must be able to resubmit form if he clicks "back" in browser. In this case the SubmissionToken is already deleted and the first solution wouldn't work.
I have a web application which has a Sql Server database on the backend. As the site will be rolled out to different clients (or different virtual directories in IIS), each client derivative of the site will use the same backend.
There is an admin page where text on the site can be changed (enter text in a listview, and choose the page to select where that text will show up, and also you can see company-specific details in the other listviews. As this is a shared database, that means a client can see each other's data.
What I am trying to do is store the accountId (a guid returned from the database from login_authenticate), and stick this into session. I then retrieve this on the admin page, and I want to use this value (But it's always 0000-0000 etc), to limit the records returned in the listview.
Is there an example of this? Also, how can I set the default value (this is in the where clause of SqlDataSource), to programatically what the account id is (so I can give me all records = what the current accountid is, or perhaps, what the login is - this is stored in the account table).
Thanks
This is what I tried.
What I am confused about, though, is whether the where clause, when using a session object, is getting an object that I have written the code to retrieve from the session, or an object I have only added but not retrieved. I get the accountID when logging in (verified via stepping in - obviously - or the login will fail).
I will try again with storing the object in session # the login page when I have just retrieved the accountid variable, and then retrieve it on another page.
For some reason I keep getting 0s so I will look at this in my application.
It sounds like your method should be working. I would follow a debugging process:
Check that you are getting the accountID value from the database. Print it on screen immediately after retrieving the value for the first time.
If this is working, store the value in the Session and immediately retrieve it, and check that you are getting the value back.
Create 2 test pages, one where you set the Session variable and another where you retrieve it.
I know this seems really basic, but the failure is being introduced somewhere in the above 3 places. If you can find which step fails, you will be able to fix it.