Is CommandArgument attribute validation required (used with an ASP.NET Repeater)?

Can a CommandArgument field sent to the ItemCommand event via RepeaterCommandEventArgs be faked by the client?

In the code base I'm working on, this contains the identifier of the deleted record, which may or may not belong to the registered user. I am wondering if this value needs to be checked before performing the deletion.

+4
1 answer

CommandArgument is not found in the HTML or sent as plain text the way input values are, but it is part of the ViewState (which is stored in a hidden field). If you do not encrypt the ViewState, or if someone can decrypt it, this can be manipulated.

See one of these links for more information on forcing ViewState encryption:

+3
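An added example (not from the original post or the asker's code base) of an ItemCommand handler that treats CommandArgument as untrusted and makes ownership part of the delete itself. The page class, the `Delete` command name, the `Records` table with `Id` and `OwnerName` columns, and the `AppDb` connection string are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class RecordsPage : Page   // hypothetical page
{
    // Wired up in markup: <asp:Repeater ... OnItemCommand="RecordsRepeater_ItemCommand">
    protected void RecordsRepeater_ItemCommand(object source, RepeaterCommandEventArgs e)
    {
        if (e.CommandName != "Delete")   // assumed command name
            return;

        // The value round-trips through the client inside ViewState,
        // so parse it strictly instead of trusting its shape.
        int recordId;
        if (!int.TryParse(Convert.ToString(e.CommandArgument), out recordId) || recordId <= 0)
            throw new HttpException(400, "Invalid record identifier.");

        if (!User.Identity.IsAuthenticated)
            throw new HttpException(401, "Authentication required.");

        // Same response for "missing" and "not yours", so the handler
        // does not reveal which identifiers exist.
        if (!DeleteOwnedRecord(recordId, User.Identity.Name))
            throw new HttpException(404, "Record not found.");
    }

    // Deletes the row only when it belongs to ownerName; returns true if a row was removed.
    private static bool DeleteOwnedRecord(int recordId, string ownerName)
    {
        // "AppDb", Records, Id and OwnerName are assumed names.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "DELETE FROM Records WHERE Id = @id AND OwnerName = @owner", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = recordId;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = ownerName;
            conn.Open();
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```

Putting the owner check in the `WHERE` clause keeps the authorization decision and the delete in one statement, so there is no window between a separate ownership lookup and the deletion.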

Source: https://habr.com/ru/post/1483681/

