当我们使用button.Enabled = false
禁用asp:按钮时,它只是
aspNetDisabled
,disabled='disabled'
添加到控件中,然后__doPostBack('button', '');
但是如果用户通过控制台手动键入代码,他可以触发事件。
最安全的方法是什么?我应该用所有事件封装我的所有事件
if (sender.Enabled) { do things }
?这似乎很容易忘记,有更好的方法,还是更安全的方式?
编辑:我没有停用EventValidation
,您可以在此处看到:prnt.sc/en7oeh
什么可能导致请求有效?
我的按钮在UserControl中。
编辑2 :我刚尝试使用带有禁用按钮的普通页面(没有masterpages和usercontrols),我仍然设法通过在控制台中键入__doPostBack('button', '')
来调用button_Click方法。 EventValidation似乎根本不起作用。我还检查了我的web.config文件,没有任何禁用EventValidation。
答案 0 :(得分:0)
I tried your suggestion by setting the button button.Enabled = false
and then executing the code manually. Aspnet immediately threw the error Invalid postback or callback argument
, as it's supposed to. That probably means you turned off EventValidation
. That is not something you should do, it makes your site much more vulnerable to malicious intent.
That said you can still disable the code by checking the state of the button in the click method.
protected void LinkButton1_Click(object sender, EventArgs e)
{
if (LinkButton1.Enabled == true)
{
//execute actual code only when the correct button is enabled
}
}