Protecting variable inside of markup for asp:Hyperlink Navigation property

I have an asp.net repeater control with a series of asp:hyperlink's

<asp:HyperLink runat="server" ID="name" NavigationUrl="~/Pages/display.aspx?fileid={0}&user={1}" />

and then on the OnItemDataBound method:

fullname.NavigationUrl=string.Format(name.NavigationUrl, user.fileid, user.userid);

So that gives me a series of URLs in the repeater

http://www.abc.com/users.aspx?fileid=1&userid=10

http://www.abc.com/users.aspx?fileid=2&userid=20

http://www.abc.com/users.aspx?fileid=3&userid=30

OK, so with a simple proxy tool someone can replace either of the parameters with some OTHER number to get access to what they 开发者_运维问答shouldn't see. server-side validation and authentication aside, is there a better method other than passing parameters when trying to create a dynamic URL within a repeater?

thanks.

Yes, create a LinkButton, have it post back to the server, then get the information you need (which may need to be loaded from the db) and do a Response.Redirect instead.

If you expose the querystring, it can always be changed. Other approach I seen used is encrypt the querystring params, and decrypt on the other page. If decrypt fails, it was tinkered with.

HTH.

You can encrypt parameters as already mentioned by Brian. The other thing you could look into is Cross Page Postback . The other alternative is to set the parameters in the session cookie, do a redirect on code behind and pick up the params on the target page.