can I prevent client side setAttribute

8 posts, 0 answers
  1. moegal
    Posted 21 Oct 2012

    I am adding custom attributes server side and then using them for some basic client side logic. 

    I am then accessing them on post-back on the server as well. Is there a way to prevent client side setAttribute? Attributes can be accessed via setAttribute and be overwritten, right? Can I prevent this?

    Thanks, Marty
  2. Nencho
    Admin
    Posted 24 Oct 2012

    Hello Marty,

    Could you elaborate a bit more on the scenario you are attempting to achieve? In addition, the setAttribute() client-side method is used when you need to add a certain attribute to the Attributes collection. You could access a certain attribute with the help of the getAttribute() client-side method. Here you could find our help article, describing those and other helpful client-side methods.


    Greetings,
    Nencho
    the Telerik team
    If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the RadControls for ASP.NET AJAX, subscribe to their blog feed now.
  3. moegal
    Posted 25 Oct 2012

    I am using attributes to help with calculations for pricing and turnaround of products. I just wanted to know if I should use the custom attributes on postback or can they be altered by the client. If so, can I prevent this?

    I have been reading the docs and I am not clear.  It appears that the original custom attributes are not actually changed client side. Can you confirm this?

    Marty

  4. Nencho
    Admin
    Posted 26 Oct 2012

    Hello Marty,

    Could you clarify whether your concerns originate from a security point of view?
    If so, you could store the attribute in a hidden field and when a PostBack is fired you could check if the set values are the same.
    Please correct me if I have misunderstood your scenario.

    Greetings,
    Nencho
    the Telerik team
  5. moegal
    Posted 26 Oct 2012

    Nencho,

    Yes, a security issue.

    I would like to use custom attributes to calculate values for my clients and then use the custom attributes again to enter data into my database. I am only using the attribute and not the calculations.

    Marty
  6. Nencho
    Admin
    Posted 31 Oct 2012

    Hi Marty,

    In order to demonstrate the approach that I suggested, I prepared a sample page.
    Please find it attached.

    In case your scenario is different, please modify the sample to illustrate it and send the page back to us within a support ticket. With more detailed information on our side we will be able to provide you with a more precise solution.

    Regards,
    Nencho
    the Telerik team
  7. moegal
    Posted 02 Nov 2012

    Nencho,

    Thanks for the sample. I am still unclear though. So a client can change the attributes that I would use on post back. But they can change the hidden value as well, right?

    But I think I am OK. While I do some client side calculations, I do a recalculation on postback when I recreate each control and that is where I check the attributes, so I think those are secure. I am really only looking at the client selection and then the server version of the attribute.

    So I recreate the control and then I do something like:

    // Find the recreated combo box and the item matching its selected value.
    RadComboBox quantityId = (RadComboBox)Calc.FindControlRecursive(page, "quantityId");
    RadComboBoxItem quantityIditem = quantityId.FindItemByValue(quantityId.SelectedValue);
    RadNumericTextBox lblquantityId = (RadNumericTextBox)Calc.FindControlRecursive(page, "lblquantityId");
    // Read P, T and Q from that item's custom attributes.
    lblquantityId.Text = quantityIditem.Attributes["P"];
    subtotal += Convert.ToInt64(quantityIditem.Attributes["P"]);
    turn += Convert.ToInt32(quantityIditem.Attributes["T"]);
    qty = Convert.ToDecimal(quantityIditem.Attributes["Q"]);


    Marty
  8. Kalina
    Admin
    Posted 12 Nov 2012

    Hello moegal,

    Indeed, usage of the HiddenField is not the best option in your scenario.
    However, you can perform as much validation or calculation work as you can on the server, so you are on the right track.

    Greetings,
    Kalina
    the Telerik team
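
The two server-side options the thread circles around, as an added example that is not part of the thread or of the Telerik sample: a hidden value only detects tampering if it carries a server-keyed MAC, and the simpler route is to accept only the selected key and look P, T and Q up on the server. This goes slightly beyond the thread by adding the MAC; the key, the catalog rows and all helper names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class AttributeGuard
{
    // Assumption: a secret that never leaves the server (constructed demo value).
    static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-only-server-secret");

    // Server-side source of truth (constructed sample data): item value -> P, T, Q.
    static readonly Dictionary<string, (long P, int T, decimal Q)> Catalog = new()
    {
        ["100"] = (2500, 3, 100m),
        ["500"] = (9000, 5, 500m),
    };

    // Tag rendered next to the attributes. Fields are numeric, so '|' cannot occur in them.
    public static string Sign(string itemValue, string p, string t, string q)
    {
        using var h = new HMACSHA256(Key);
        return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes($"{itemValue}|{p}|{t}|{q}")));
    }

    // Post-back check: recompute the tag from the posted values, compare in constant time.
    public static bool Verify(string itemValue, string p, string t, string q, string tag)
    {
        if (tag == null) return false;
        byte[] got;
        try { got = Convert.FromBase64String(tag); } catch (FormatException) { return false; }
        byte[] expected = Convert.FromBase64String(Sign(itemValue, p, t, q));
        return CryptographicOperations.FixedTimeEquals(expected, got);
    }

    // Simpler alternative: trust only the selected key, and only if the server offered it.
    public static bool TryLookup(string itemValue, out (long P, int T, decimal Q) row) =>
        Catalog.TryGetValue(itemValue ?? "", out row);

    static void Main()
    {
        string tag = Sign("500", "9000", "5", "500");
        Console.WriteLine(Verify("500", "9000", "5", "500", tag)); // values as rendered
        Console.WriteLine(Verify("500", "1", "5", "500", tag));    // client lowered P
        Console.WriteLine(TryLookup("500", out var row) ? $"server P={row.P}" : "rejected");
        Console.WriteLine(TryLookup("999", out _) ? "accepted" : "rejected");
    }
}
```

A plain hidden copy of the attribute fails the same way the attribute does, because the client can edit both; the MAC works only because the client cannot recompute it without the key.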