How to check if a page is rendered as a result of form submission or by other means

I have a list page (Index) displaying a list of items in a grid. The page consists of a small form at the top and a grid (list) at the bottom. The form serves to filter the elements specified in the list.

I need to check if a page is displayed as a result of submitting a form (clicking either of the two buttons) or by clicking a link from another page or by entering a URL directly into the browser's address bar.

View:

@model MyNameSpace.ViewModels.FooFilterViewModel

@{
    ViewBag.Title = "Foo Listing";
    Layout = "~/Views/Shared/_Layout.cshtml";
}

<h2>@ViewBag.Title</h2>

@using (Html.BeginForm("Index", "Home", FormMethod.Get))
{
    @Html.ValidationSummary(true)

    <!-- Field controls used for filtering go here -->

    <input id="ClearFilter" type="button" value="Clear Filter" />
    <input id="ApplyFilter" type="submit" value="Apply Filter" />
}

<!-- Grid displaying the list of foos goes here -->

      

Controller action:

public ActionResult Index(FooFilterViewModel fooFilterViewModel)
{
    // Retrieve all records
    IQueryable<Foo> foos = _DBContext.Foos;

    if (ModelState.IsValid)
    {
        if (/* check if coming from form submission */){
            // Do something
        }
        else
        {
            // Do something else
        }

        // Code to filter records goes here
        foos = foos.Where(f => f...........)
    }

    fooFilterViewModel.Foos = foos;

    return View(fooFilterViewModel);
}

      

+3



1 answer


Since you are submitting your form as GET, all of these methods (submitting the form by reference, entering the URL in the address bar) are functionally equivalent from the server's point of view. They are just GET requests for the same url.

If you just need to differentiate between a form submission, you can either add a hidden field, or just name the submit button. Anyway, you can check the Request object for that name, and if it exists, you can assume the form was submitted.

<button type="submit" name="FormSubmitted">Submit</button>

      

Then:



if (Request["FormSubmitted"] != null)
{
    // form was submitted
}

      

However, this can be easily faked. For example, someone might just type in a URL http://foo.com/?FormSubmitted and you have no way of knowing. I'm not sure how dangerous malicious users are in this scenario, but you can mitigate this a bit by making what you're looking for more obscure, so it's not as obvious as "FormSubmitted". Or, you can use JavaScript to set something on the form, and then perhaps bury that in a minified external file. However, security through obscurity is still not security.

In short, there is nothing to say. Again, all of these methods look the same on the server. To differentiate the method, the actual request must be something different, like changing the query string, sending as POST rather than GET, etc. Otherwise, if this is the exact same request, the server does not know how it happened.

+2
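The answer's last suggestion (send the form as POST rather than GET), sketched for the question's controller as an added example that is not part of the original question or answer. The context type `FooDbContext` and the namespace of `Foo` are assumptions, and `[ValidateAntiForgeryToken]` is added here so that a POST is accepted only when it carries the token the server issued with the rendered form.

```csharp
using System.Linq;
using System.Web.Mvc;
using MyNameSpace.ViewModels;   // namespace taken from the question's view

// View side (Razor, shown as comments): switch the form to POST and emit a token.
//   @using (Html.BeginForm("Index", "Home", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()
//       ... filter fields and the "Apply Filter" submit button ...
//   }
public class HomeController : Controller
{
    // Assumption: the question's _DBContext; the type name FooDbContext is hypothetical.
    private readonly FooDbContext _DBContext = new FooDbContext();

    // Links, bookmarks and typed URLs are always GET, so they land here.
    [HttpGet]
    public ActionResult Index()
    {
        return View(BuildModel(new FooFilterViewModel(), fromForm: false));
    }

    // Only a POST reaches this overload. The attribute rejects the request
    // unless the form token matches the anti-forgery cookie, so a crafted
    // link or a cross-site form cannot trigger the "form submitted" branch.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(FooFilterViewModel fooFilterViewModel)
    {
        // Invalid input: redisplay the unfiltered list with validation errors.
        return View(BuildModel(fooFilterViewModel, fromForm: ModelState.IsValid));
    }

    private FooFilterViewModel BuildModel(FooFilterViewModel filter, bool fromForm)
    {
        IQueryable<Foo> foos = _DBContext.Foos;   // retrieve all records
        if (fromForm)
        {
            // Apply the question's filter predicate here (elided in the question).
        }
        filter.Foos = foos;
        return filter;
    }
}
```

The token shows that the request came from a form the server rendered for that session, not that a person clicked the button; the filter values also leave the query string, so a filtered list is no longer bookmarkable.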