Compromising Security using querystring

Today I came across an issue with querystrings. Suppose someone opens a URL that links to a form on my site, and the form in turn saves some information in a table (updates a row). What happens if I use the row id in the querystring? Any user can then change the row id in the querystring and update any other record, tampering with the DB.

This case occurs when you are sending a URL to someone in an automated mail.

Solution to this:

Use a GUID. Create a new GUID, store it in the table alongside the row id, then put the GUID you just created into the mail text, so that the mailed URL carries the GUID, not the row id, as the key to the row.

In C# you can use:

System.Guid.NewGuid()
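The whole round trip described above, as an added example that is not code from the original post: a GUID is created and stored for the row, mailed in the URL, and resolved back to the row id when the form is opened. The class name MailLinkStore, the "key" parameter, the example.test URL and the in-memory dictionary standing in for the table are all assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the table: maps the mailed GUID to the internal row id.
public class MailLinkStore
{
    private readonly Dictionary<Guid, int> _rowIdByToken = new Dictionary<Guid, int>();

    // Create a GUID for the row, store it, and return the URL to put in the mail text.
    public string CreateMailUrl(string formUrl, int rowId)
    {
        Guid token = Guid.NewGuid();
        _rowIdByToken[token] = rowId;
        return formUrl + "?key=" + token.ToString("D");
    }

    // Resolve the querystring value to a row id. Anything that is not a
    // well-formed GUID already stored for a row is rejected.
    public bool TryResolve(string keyFromQuerystring, out int rowId)
    {
        rowId = 0;
        Guid token;
        if (!Guid.TryParse(keyFromQuerystring, out token))
            return false;
        return _rowIdByToken.TryGetValue(token, out rowId);
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new MailLinkStore();
        // Constructed sample: row 42 is the record the mail recipient may update.
        string url = store.CreateMailUrl("https://example.test/form.aspx", 42);
        string key = url.Substring(url.IndexOf("?key=", StringComparison.Ordinal) + 5);

        int rowId;
        // The mailed key resolves to the row it was issued for.
        Console.WriteLine("mailed key: " + store.TryResolve(key, out rowId) + ", row " + rowId);
        // A neighbouring row id typed into the querystring is not a GUID.
        Console.WriteLine("row id 43:  " + store.TryResolve("43", out rowId));
        // A well-formed GUID that was never issued matches no row.
        Console.WriteLine("other GUID: " + store.TryResolve(Guid.NewGuid().ToString(), out rowId));
    }
}
```

In a real application the dictionary would be a GUID column on the table, and the same lookup would run on the request that performs the update as well as on the one that displays the form.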
