Question

I have a page on my site where a user can update property information in a database. Currently, the property details are pulled using a query string like this:

http://somedomain.com/account/PropertyRooms.cshtml?propertyid=18

The problem I have is that I only want users to be able to update their own property, not others. Currently, any user can manually change the query string and edit another property.

I am trying to lock this down using a variation of the "AuthenticatedUser" value, and matching that to the "ownerID" column in the table. If they don't match, I want to redirect to an error or a login page? Here's my current config, which partly works.

@{
    Layout = "~/_SiteLayout.cshtml";

    // Only signed-in users reach this page at all.
    WebSecurity.RequireAuthenticatedUser();

    var CurrentUser = WebSecurity.CurrentUserId;

    var db = Database.Open("StayInFlorida");

    var rPropertyId = Request.QueryString["PropertyID"];

    // The OwnerID condition restricts the row to the signed-in user's own property.
    var Propertyinfo = "SELECT * FROM PropertyInfo WHERE PropertyID=@0 AND OwnerID=@1";
    var qPropertyinfo = db.QuerySingle(Propertyinfo, rPropertyId, CurrentUser);
}

<h2>Property Information</h2>
<form method="post" action="">
    <fieldset>
        <label>Property ID</label>
        <input class="input-mini" id="disabledInput" type="text" value="@qPropertyinfo.PropertyID" placeholder="Disabled input here..." disabled>
    </fieldset>
</form>

I need to know if this is the best way to secure my site, or should I run a separate SQL query to check first? If I'm doing it right, what code do I need to add if the page fails because the OwnerID and PropertyID don't match up?

Thanks, Gavin


Solution

That is the way I would approach it. You should generally aim to minimise calls to a database as much as is practical. In other words, if you can solve the problem with one call, you should not be looking for alternative solutions that require more.

If no rows match both the user id and propertyid, the qPropertyInfo variable will be null, so you can test for that:

@if(qPropertyinfo != null){
    //let them update their details
}
else{
    //display a no results found message
}

You can read more about how to check if a query returns data in ASP.NET Web Pages in my article on the subject: http://www.mikesdotnetting.com/Article/214/How-To-Check-If-A-Query-Returns-Data-In-ASP.NET-Web-Pages
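The pattern the answer describes, carried through to a complete page, as an added example that is not the original poster's code or the answerer's code. It is an ASP.NET Web Pages (Razor) .cshtml page; the database name "StayInFlorida", the PropertyInfo table and its PropertyID and OwnerID columns come from the question, while the Name column, the "~/Account/AccessDenied.cshtml" page and the use of AntiForgery are assumptions made for the example. The owner check lives inside both the SELECT and the UPDATE, so a changed query string or a forged POST against another owner's property matches no rows.

```csharp
@{
    // Added example (not the original poster's or answerer's code).
    // Assumed: a Name column on PropertyInfo and an AccessDenied.cshtml page.
    Layout = "~/_SiteLayout.cshtml";
    WebSecurity.RequireAuthenticatedUser();

    var currentUser = WebSecurity.CurrentUserId;
    var db = Database.Open("StayInFlorida");

    // Reject anything that is not a well-formed id before it reaches the query.
    // Response.Redirect ends the response, so nothing below it runs.
    int propertyId;
    if (!int.TryParse(Request.QueryString["PropertyID"], out propertyId))
    {
        Response.Redirect("~/Account/AccessDenied.cshtml");
    }

    // Ownership is enforced by the query itself: a row only comes back when
    // the property belongs to the signed-in user. @0/@1 are parameters, so
    // the values never become part of the SQL text.
    var property = db.QuerySingle(
        "SELECT PropertyID, OwnerID, Name FROM PropertyInfo WHERE PropertyID = @0 AND OwnerID = @1",
        propertyId, currentUser);

    if (property == null)
    {
        // Either the property does not exist or it is not theirs. Both cases
        // get the same response, so the page does not reveal which it was.
        Response.Redirect("~/Account/AccessDenied.cshtml");
    }

    if (IsPost)
    {
        AntiForgery.Validate();
        var newName = Request.Form["Name"];

        // The UPDATE repeats the OwnerID condition. A POST aimed at someone
        // else's PropertyID therefore changes zero rows instead of their data.
        var rows = db.Execute(
            "UPDATE PropertyInfo SET Name = @0 WHERE PropertyID = @1 AND OwnerID = @2",
            newName, propertyId, currentUser);

        if (rows == 0)
        {
            Response.Redirect("~/Account/AccessDenied.cshtml");
        }
        Response.Redirect("~/Account/PropertyRooms.cshtml?propertyid=" + propertyId);
    }
}

<h2>Property Information</h2>
<form method="post" action="">
    @AntiForgery.GetHtml()
    <fieldset>
        <label>Property ID</label>
        <input class="input-mini" type="text" value="@property.PropertyID" disabled>
        <label>Name</label>
        <input type="text" name="Name" value="@property.Name">
        <input type="submit" value="Save">
    </fieldset>
</form>
```

The important detail is that the ownership condition is repeated on the write path, not only on the read: checking OwnerID when displaying the form and then running an unscoped UPDATE would leave the original problem in place for anyone who posts the form directly. Re-checking `rows == 0` after the UPDATE also catches the case where ownership changed between the SELECT and the write.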

Licensed under: CC-BY-SA with attribution