This is in ASP.NET web forms, I have a save button on a screen. When I load the page initially, under certain conditions, the save button is not rendered.
button1.visible = false
In my button clicked event, I have this
public void button1_click(Object sender, EventArgs e)
{
SaveData();
}
The only security preventing the user being from being saved is on whether the save button is rendered.
In MVC, it would be trivial to access the save button action method just by making a HTTP POST to the server with my own modified request.
In ASP.NET Web forms, I'm a little bit confused because it relies on the encrypted ViewState being posted back. Do I still need to add this security to the button1_click event too? If so, then can you tell me how a client can fire a postback to the server that would reach the button click event without the button being visible?
Aucun commentaire:
Enregistrer un commentaire