Asp.net mvc 4: is it safe to do sorting and searching from the controller using ViewBag?
Here is my view:
public ActionResult _ReservationSearch(string sortOrder, string currentFilter, string currentPhoneFilter, string searchString, string searchPhoneString, int? page, int? psize, DateTime date)
{
    ViewBag.currentSort
}

public ActionResult _RoomSearch(string sortOrder, string currentFilter, string searchString, string currentFloorFilter, string searchFloorString, int? page, int? psize, DateTime startDate, DateTime endDate)
{
    ViewBag.CurrentSort = sortOrder;
    ViewBag.NameSortParm = String.IsNullOrEmpty(sortOrder) ? "roomName DESC" : "";
    sortOrder = (sortOrder ?? "roomName ASC");
    var pageIndex = page ?? 1; //MembershipProvider expects a 0 for the first page
    var pageSize = psize ?? 10;
    ViewBag.psize = pageSize;
    var SearchRow = "categoryName";
    var SearchRowFloor = "FloorName";
    int totalCount = 0;
    DateTime datef = startDate;
    DateTime datet = endDate;
    ViewData["startDate"] = datef;
    ViewData["endDate"] = datet;
    try
    {
        if (searchString != null || searchFloorString != null)
        {
            pageIndex = 1;
            ViewBag.currentFilter = searchString;
            ViewBag.currentFloorFilter = searchFloorString;
        }
        else
        {
            searchString = currentFilter;
            searchFloorString = currentFloorFilter;
            ViewBag.currentFilter = searchString;
            ViewBag.currentFloorFilter = searchFloorString;
        }
        int userId = Convert.ToInt32(Session["userId"]);
        String Query = "select * from FGetRooms_session('" + startDate.ToShortDateString() + "'," + userId + ") r"
            + " where r.room_id not in(select f.room_id from FGetRooms('" + startDate.ToShortDateString() + "') f"
            + " inner join FGetBookings() b on f.room_id=b.room_id"
            + " where ('" + datef + "' between b.start_date and b.end_date) OR ('" + datet + "' between b.start_date and b.end_date))"
            + " and " + SearchRow + " like '" + searchString + "%'"
            + " and " + SearchRowFloor + " like '" + searchFloorString + "%'";
        var dt = PageHelp.GetPagedList(pageIndex, pageSize, ref totalCount, Query, sortOrder);
        List<RoomDto.Rooms> data = new List<RoomDto.Rooms>();
        if (dt.Rows.Count > 0)
        {
            foreach (DataRow dr in dt.Rows)
            {
                data.Add(new RoomDto.Rooms
                {
                    rId = Convert.ToInt32(dr["room_id"]),
                    rName = dr["roomName"].ToString(),
                    Rate = Convert.ToDouble(dr["Rate"]),
                    extraBed = Convert.ToDouble(dr["ExtraBed"]),
                    status = Convert.ToBoolean(dr["status"]),
                    cName = dr["categoryName"].ToString(),
                    fName = dr["floorName"].ToString(),
                    bName = dr["blockName"].ToString()
                });
            }
        }
        var dataAsIPagedList = new StaticPagedList<RoomDto.Rooms>(data, pageIndex, pageSize, totalCount);
        return PartialView("_RoomSearch", dataAsIPagedList);
    }
    catch (Exception ex)
    {
        TempData["d_err"] = ex.Message;
        return PartialView("_Error");
    }
}
ViewBag is just a container for passing data between the view and the controller. Your code is certainly safe, because this is only server-side code. Why do you think this code might be unsafe? With the same degree of success I could show you the source code of a console application and ask the same question. If I am wrong, someone please correct me in the comments. Hopefully this adds a little clarity for you.

This is not the code; you are just mixing code that must live in the model with the controller code. Do you understand the basic principles of MVC?

You will probably get an error in _ReservationSearch, because it does not return anything. Is the code in your post complete?

My code runs fine... I just want to know whether using ViewBag like this is safe.

@Anish, I mean the theory is clear. These things are simpler than you think. First, to follow common sense, the logic in the controller only generates some constants, which are passed as parameters to the action link. The logic cannot be intercepted from anywhere, because this is server-side code, if that is the kind of security you mean. Second, as passive proof, do you really think MVP Tom Dykstra would write unsafe code in it?
<div class="th-inner">
    @Ajax.ActionLink("Room Name", "_RoomSearch",
        new { sortOrder = ViewBag.NameSortParm, currentFilter = ViewBag.CurrentFilter, currentFloorFilter = ViewBag.currentFloorFilter@*, startDate = @ViewData["startDate"], endDate = @ViewData["endDate"]*@ },
        new AjaxOptions
        {
            HttpMethod = "POST",
            InsertionMode = InsertionMode.Replace,
            UpdateTargetId = "ListBox"
        })
</div>
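The part of `_RoomSearch` that decides whether the request is safe is not ViewBag, which only carries values to the view, but the `Query` string: it concatenates `searchString`, `searchFloorString` and the dates straight into SQL and hands the raw `sortOrder` to `PageHelp.GetPagedList`, whose implementation the page does not show. As an added example (not code from the question or the answer), here is the same query built with `SqlCommand` parameters and a whitelist for the ORDER BY clause; it assumes SQL Server and a connection string named "HotelDb", and leaves out the paging that `PageHelp.GetPagedList` performs.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class RoomSearchQuery
{
    // sortOrder arrives from the query string, so only these ORDER BY clauses are accepted.
    private static readonly HashSet<string> AllowedSortOrders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "roomName ASC", "roomName DESC", "Rate ASC", "Rate DESC" };

    // Assumed: SQL Server, and a connection string named "HotelDb" in web.config.
    public static DataTable AvailableRooms(DateTime startDate, DateTime endDate, int userId,
        string searchString, string searchFloorString, string sortOrder)
    {
        if (!AllowedSortOrders.Contains(sortOrder ?? ""))
            sortOrder = "roomName ASC";
        // Same query shape as the original; @-parameters replace every concatenated value.
        string sql =
            "select * from FGetRooms_session(@startDay, @userId) r" +
            " where r.room_id not in (select f.room_id from FGetRooms(@startDay) f" +
            " inner join FGetBookings() b on f.room_id = b.room_id" +
            " where (@start between b.start_date and b.end_date)" +
            " or (@end between b.start_date and b.end_date))" +
            " and categoryName like @cat + '%'" +
            " and FloorName like @floor + '%'" +
            " order by " + sortOrder; // whitelisted above, so safe to append
        string cs = ConfigurationManager.ConnectionStrings["HotelDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The original passed ToShortDateString() to the functions and the full DateTime to BETWEEN.
            cmd.Parameters.Add("@startDay", SqlDbType.Date).Value = startDate.Date;
            cmd.Parameters.Add("@start", SqlDbType.DateTime).Value = startDate;
            cmd.Parameters.Add("@end", SqlDbType.DateTime).Value = endDate;
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            // A null filter matches everything, as the original "like '%'" did.
            // Note: '%' and '_' typed by the user still act as LIKE wildcards.
            cmd.Parameters.Add("@cat", SqlDbType.NVarChar, 100).Value = searchString ?? "";
            cmd.Parameters.Add("@floor", SqlDbType.NVarChar, 100).Value = searchFloorString ?? "";
            var dt = new DataTable();
            new SqlDataAdapter(cmd).Fill(dt); // Fill opens and closes the connection itself
            return dt;
        }
    }
}
```

The controller would call `RoomSearchQuery.AvailableRooms(startDate, endDate, userId, searchString, searchFloorString, sortOrder)` in place of building `Query`; the ViewBag assignments around it can stay exactly as they are.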