Replies, comments and Discussions:

  • If a web form has N dropdownlists, e.g. the user has to select a lot of information to complete a form, and these dropdownlists depend on each other (selecting one forces the others to refresh), what is a simple, best-practice way to handle this?
    The current project's implementation is clumsy: each dropdownlist binds to a database table through its own connection, and selecting a dropdownlist fires a SelectedChanged event that does the if-handling. With a larger number of dropdownlists, this approach could rival the Indian programmers' famous 40 if statements......
    • There is a technology called AJAX.
      • AJAX can do this? How?
        • Just some JS functions on the client side, and an entry point on the server side. AJAX is not new at all.
          • I know what AJAX is. BTW, can you give some detail on how we can handle this via AJAX? Thanks.
            • I won't give coding details, because that depends on the language you are using. We used J2EE for a small ERP app. Its menu text is dynamically determined by the login ID; a request is sent in real time by AJAX to the server asking for the text.
              Another one is a dynamic dropdown list for parts.........

              Without AJAX, there is no fun in web app dev.
              • Thanks. I think I got what I want now.
                • Just be cautious about potential security attacks or spam that could be implemented on the client side. JS can be used to attack your server and cause it to be overloaded with floods of meaningless requests.
                  • There are still some security measures; here is an article by 牛哥 ==>
                    • These are just superficial measures. A skilled attacker will get the living client session IDs stored on the server, furthermore the server session id, and hack the DB server using injected SQL.
                      Articles like this are written for beginners.
                      • 7, you are bluffing again, talking about things that have nothing to do with JS.
                        • JS is at the top level of the session. Any script running on the client side is treated seriously as a security loophole for the entire system, especially if the script is not compiled and is readable and executable on the client side.
                          You don't have an advanced IT network security license, do you? Not everyone has this license, for sure.
                          • Answering your question feels beneath me. Don't tell me you are about to publish a new standard that abolishes JavaScript.
                            • Your question shows you really don't have the level. In the IT field, security issues are as much a given as eating. If you are not an expert and don't have the right attitude, don't reply.
                              • Got it. So 芙蓉GG knowing JS hasn't made the sky fall; this was just to show off 芙蓉GG's pose.
                                • Mind the tone of the discussion.
                            • What was said above is exactly right: client-side script is the weakest link. An attacker can install a browser inspector on the user's machine and modify the JavaScript on the fly, easily bypassing logic like "if(n>10)". In theory, all security-related logic should run on the server side.
                              • There are still some security measures; here is an article by 牛哥 ==> URL -readonly(ReadOnly); 7.18 14:23 (#4564699@0). So tell me, what is your attack method?
                                • I can write an ActiveX control or a Firefox add-on and lure the user into installing it. Once it is installed, I have taken over control of the client side, including modifying the JavaScript.
                                  • You are all so sure of yourselves. The security measures in the article I gave are not on the client side at all. In other words, the security situation of JavaScript is what it always was; it has not changed at all because of AJAX.
    • 1. It can only go downward, I suppose. 2. As you say, usually you refresh one or two, no need to refresh them all. 3. Now I think the Indian programmers are really skilled. 4. There is some art in the conditional statements when searching.
    • Do you care about efficiency? I made a form in PHP with similar content, probably with fewer dropdownlists than yours. I used PHP to read all the data out and hand it to JS, and JS does the rest. If you have a lot of data, the first load may be slow.
      • Right now the data read time isn't long, at least there is no noticeable delay. We are using LINQ.
    • I did that once. All the data required is loaded into an XML node in a hidden frame, and JS reads data from the XML when a dropdown changes.
      • Agree. And it is easy to bind to a treeview to see whether that is more friendly.
    • This ==>
      • That's really cool. I think I will stick with ASP.NET AJAX from now on. Thanks a lot!
        • Don't drag ASP.NET into this, OK? ASP has nothing to do with it.
          • It has a lot to do with it. These controls, like the other ASP.NET controls, are server-side controls, but they encapsulate AJAX functionality.
            • These controls merely wrap AJAX to provide some functions that AJAX can do by itself. Without ASP.NET, AJAX alone can easily meet the OP's requirement.
              • I do .NET; what do you think I would choose? :)
                • Generally speaking, those controls take a detour when the straight road is right there.
              • Here is an ASP.NET AJAX site for you to look at; it takes two to make a baby.
                • Before AJAX came along, I had already implemented the functionality above with plain JavaScript; with AJAX, I implement it more flexibly, but I have never used ASP.NET. Are you saying this baby can only be made with ASP.NET?
                  • Don't be so full of yourself.
                    Here is a concrete example: country / province (state) / city. You cannot load the whole world's data to the client at once; after the user selects a country you go to the server ==> fetch the matching provinces (states), and after the province (state) is selected ==> go to the server again to fetch the matching cities. Without the server's cooperation, what baby can the client side make on its own? There is no 100% HTML+JavaScript AJAX.
                    • Don't be so full of yourself.
                      Can the server side only be implemented with ASP.NET? How long has ASP.NET been around? Before it was born, could the internet only show static HTML?
              • On this point I support you: I am surprised there are so many so-called controls, libraries, etc. AJAX itself is just a function call, a request; you can perfectly well build a lightweight structure yourself, using the XML DOM as the data medium: flexible, your own code, and easy to port.
                • By 芙蓉GG's reasoning, a missile is just a firecracker.
                  • When discussing a problem you are as narrow-minded as a migrant worker. What the OP discusses is a technical request; the AJAX we are discussing here is a conceptual analysis. The security I raised is also only a concern.
                    • Calling you 芙蓉GG does you no injustice at all. If you really want to discuss technology, first read and understand the article I gave, then propose your attack method. "There are still some security measures; here is an article by 牛哥 ==> URL -readonly(ReadOnly); 7.18 14:23 (#4564699@0)"
                      • I can discuss technology with you; I don't mind a young man from 芙蓉 village, even though he calls everyone big brother. But if someone picks up a sesame seed and insists he has found a watermelon, I don't think schools like 北大 or 清华 would take him, and the schools here wouldn't either. A migrant worker can go back to farming and get rich just the same; no need to crowd onto the same boat.
                        Go play by yourself.
    • This is a fairly typical AJAX application, but apart from not posting back it is no different in essence from your current method: however many IFs you have now, you will still have that many. To really improve, you have to work on the MVC structure.
    • My two cents
      1. Instead of linking a data source in the database individually for each ddl, it's better to load a dataset of multiple datatables over one database connection and link each ddl to the corresponding datatable in the loaded dataset (you might apply the data filter in the application layer if, compared to the data actually needed, the total number of records is not too large).

      2. You can use an UpdatePanel (ASP.NET AJAX) and put all ddls in the panel. So when any ddl's value is selected, you reload data for these ddls, but instead of refreshing the whole page, only the content in the panel is refreshed.

      3. Better not to use JavaScript directly to load data into the ddls on the client side. Otherwise you cannot use server control properties such as ddl.SelectedValue to obtain the data; instead you have to use the traditional approach, Request.Form.Get(control_name) (if you are using a master page, even getting the control name is complicated). And since the data loaded on the client side is saved in viewstate, when the page is posted back you also need to rebind the data for these ddls. This mixes with your normal business logic and increases the complexity.
      • Thanks for your input, and thanks for all the above posters' suggestions. I appreciate them a lot.
        1. Since we are using LINQ now, I have to dig into this.
        2. I have already applied an UpdatePanel on some pages; it doesn't make too much difference though.
        3. JavaScript/AJAX is just for the UI layer; all business logic is in the .cs files, since our system is based on ASP.NET 3.5.
        • Is there no difference in the development environment or in the stress-test environment?
      • No offense, but try loading data into the ddls on the client side with JavaScript while still using ddl.SelectedValue on the server side. It's part of ASP.NET AJAX.
        • Creating an Extender Control to Associate a Client Behavior with a Web Server Control
          • You are right. Actually what I wanted to say was that .NET is totally different from other server web frameworks.
            People should not simply apply some concepts to it. It needs an integrated solution.

            Another concern about client-side logic is that the business logic gets scattered everywhere. I personally prefer to centralize it on the server side.
      • I may have a different opinion on point 1.
        You said: "Instead of linking a data source in the database individually for each ddl, it's better to load a dataset of multiple datatables over one database connection and link each ddl to the corresponding datatable in the loaded dataset."

        This may not be necessary: the db connection can come from the connection pool, so connecting to the DB multiple times is not a big deal compared to using one connection to get all the data and then using application logic to filter it out.

        Suppose we have a client list, a site list and a unit list.
        One client has multiple sites, and one site has multiple units. When the user chooses a client, we need to refresh the site list; when the user chooses a site, we need to refresh the unit list for that site. We can use AJAX with separate data binding to implement this.
        • Any good, experienced database developer should understand the benefit of putting multiple select statements in one query, especially in an actual production environment with separate web and database servers and extensive database queries.
          • I searched Google on this topic and didn't find any authoritative point; does anybody else have something to say?
            You said:
            "(You might apply the data filter in the application layer if, compared to the data actually needed, the total number of records is not too large.)"
            The DB size is growing constantly; one day you may find your assumption is no longer correct.
            • Comparing the web server and the database server, which one is more expensive?