Help! Website state for CMS


Izi

I would like to know what would be the best way for me to manage state of a CMS I have built.

The problem I have is that there are multiple sections to a website. In each section different navigation is shown, different modules are pulled in, etc. So in order to do this I need to know which section the current user is looking at.

What would you suggest the best way of doing this is? Querystring or setting a session? I could use cookies, but isn't that bad practice if a browser doesn't support cookies?
 
ignore this.

I am going to use querystring with section as ID, i.e. domain.com/sectionname

mod rewrite

Page.aspx?s=sectionname

then do a look up in site section.

unless anyone can let me know of a better way.
 
Yer kind of like how Joomla does it:

index.php?section=about&action=add&forum=ocuk
 
You mean for SQL injection etc.?

Yes.

Also to stop your app breaking if someone changed the querystring.

Could try setting up an array of allowed views (e.g. view=add, view=delete etc.) and checking that the requested view is in the array of allowed views.

Say you have a number in the querystring, e.g. view=edit&articleID=120, you should check that the article ID exists (else the edit view would be broken) and clean the article ID from the querystring too before querying the db to check. This stops SQL injection and stops your app from breaking if (for whatever reason) someone added an invalid article ID to the qs.

Just assume that every user is evil and wants to break your app :)
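
The allowlist and article ID checks suggested in the post above, as an added example that is not part of the original thread and is not the poster's code. It uses Python with an in-memory SQLite table rather than the thread's ASP.NET stack; the view names, table layout and function names are assumptions made for illustration.

```python
import sqlite3

# Allowlist of views the CMS implements (names constructed for this example).
ALLOWED_VIEWS = {"list", "add", "edit", "delete"}
VIEWS_NEEDING_ARTICLE = {"edit", "delete"}


def make_demo_db():
    """Constructed in-memory table standing in for the CMS article store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles (id, title) VALUES (120, 'About us')")
    return db


def parse_article_id(raw):
    """Return a positive int, or None if raw is not a plain decimal number."""
    if raw is None or not raw.isascii() or not raw.isdigit() or len(raw) > 9:
        return None
    value = int(raw)
    return value if value > 0 else None


def resolve_request(db, params):
    """Map query-string params to (status, view, article_row) without trusting them."""
    view = params.get("view", "list")
    if view not in ALLOWED_VIEWS:
        return ("bad_view", None, None)
    if view not in VIEWS_NEEDING_ARTICLE:
        return ("ok", view, None)
    article_id = parse_article_id(params.get("articleID"))
    if article_id is None:
        return ("bad_id", view, None)
    # Bound parameter: the value is never concatenated into the SQL text.
    row = db.execute(
        "SELECT id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    if row is None:
        return ("not_found", view, None)
    return ("ok", view, row)


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed sample query strings: valid, tampered, missing row, unknown view.
    for qs in ({"view": "edit", "articleID": "120"},
               {"view": "edit", "articleID": "120 OR 1=1"},
               {"view": "edit", "articleID": "999"},
               {"view": "drop"}):
        print(qs, "->", resolve_request(db, qs))
```

Each non-"ok" status maps to a friendly error page, so a changed querystring never reaches the database or the view code.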
 
I'm using LINQ to SQL for the data layer so that protects the SQL injection stuff and I always do a check if my object is null (i.e. wrong id/deleted id) and display a message if so.

Even so, someone will always find a way to break something :)
 