locked
Single click update of 1 field in predetermined record using REST API / WCF ? RRS feed

  • Question

  • User-843090597 posted

    Hi

    Hopefully this is the the most accurate area to post my question. I have developed a VB.NET wen forms application with an SQL database. It is for a membership system for a fitness class. Pretty much all of this is working and 99% of this is just for internal administration use.

    I want to expose a minute part of this to end users (clients). In the existing client table there is a one Boolean field that indicates whether they want to book on to the next term of classes. Each client has a unique identifier field generated when they join i a stand format such as 117313b1-c222-47d4-a035-9947d49e922b for example.

    I have some code which sends out an email to all clients asking them if they want to re-book,  i want to embed in that email a link with something like the following :-

    (https://samplefitnessco.com/rebook/117313b1-c222-47d4-a035-9947d49e922b/a link to some API, REST / WCF or other solution). Once clicked it will automatically hit an endpoint that will update the Boolean re-book field in the client table to 1 and just return a thanks you message.

    I can do all the coding to send and embed the links, what I am struggling with (probably only being vb.net guy) is which technology to use for this. Almost all the examples seem to use C# and or MVC4 / 5. This whole existing web application is not written in MVC and I really don't want to learn and rewrite it just yet.

    Is it possible to use WCF to create an endpoint to update a field without opening a client side form? Should I use a WebAPI or is the a simpler method that I have overlooked. As this seems such a simple request (just alter one Boolean value for the given UUID of the client I hope there would be a simple solution that is doable in VB>NET.

    So looking forward to a little direction on this please...

    Silenttalk

    Sunday, September 30, 2018 1:56 PM

Answers

  • User283571144 posted

    Hi silenttalk,

    Do you mean you want to update the database's record when user click the link?

    As far as I know, the browser will send the get request to the server when user click the link.

    Since the browser send the get request, we could only pass the paramester in the url without using form.

    If you don't want to use WCF or web api, you could directly write a ashx or a page to receive the parameter and update the record.

    The url format  as below:

    http://localhost:56986/ReceivewParameter.aspx?MerchantId=test&MerchantValue=yes

    Page's pageload event:

    Public Class ReceivewParameter
        Inherits System.Web.UI.Page
        Protected strMerchantId As String
        Protected strMerchantvalue As String
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            strMerchantId = Request.QueryString("MerchantId")
            strMerchantvalue = Request.QueryString("MerchantValue")
            Response.Write("receive parameter: " + strMerchantId & strMerchantvalue)
    'here you could write the logic to update the sql database End Sub End Class

    Result:

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 1, 2018 6:16 AM

All replies

  • User283571144 posted

    Hi silenttalk,

    Do you mean you want to update the database's record when user click the link?

    As far as I know, the browser will send the get request to the server when user click the link.

    Since the browser send the get request, we could only pass the paramester in the url without using form.

    If you don't want to use WCF or web api, you could directly write a ashx or a page to receive the parameter and update the record.

    The url format  as below:

    http://localhost:56986/ReceivewParameter.aspx?MerchantId=test&MerchantValue=yes

    Page's pageload event:

    Public Class ReceivewParameter
        Inherits System.Web.UI.Page
        Protected strMerchantId As String
        Protected strMerchantvalue As String
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            strMerchantId = Request.QueryString("MerchantId")
            strMerchantvalue = Request.QueryString("MerchantValue")
            Response.Write("receive parameter: " + strMerchantId & strMerchantvalue)
    'here you could write the logic to update the sql database End Sub End Class

    Result:

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 1, 2018 6:16 AM
  • User-843090597 posted

    Brando

    Thanks for your response, In answer to your first point yes I would like if possible to use the link embedded in the email to update the particular Boolean field in the database just by clicking on the link.

    You have certainly given me something to experiment with there.

    I also stumbled upon this whilst trying to resolve a different issue today. Ignoring the JavaScript bit, I am guessing I could use a similar method as detailed.

    https://www.aspforums.net/Threads/428896/Save-bootstrap-Modal-Popup-value-in-database-using-jQuery-Ajax-in-ASPNet/  

    Monday, October 1, 2018 5:19 PM
  • User-843090597 posted

    OK so this certainly works in my scenario and updates the field with a single click :-)

    Just thinking about security on this, what would be your comments on the below.

    1. Obviously use parameterized query for the insert command
    2. The fact we are using a uniqueidentifier type no majorly sensitive data is in the URL construct
    3. The uniqueidentifier will avoid any speculative guessing of other uniqueidentifier's 
    4. The insert command in code behind limits the exposure of the only that one field (Boolean Yes= 1 or No = 0) and no other fields.
    5. I hear on various forums to always use POST rather than GET as GET can be cached, but with the limited exposure (as I see it) not sure its a big deal.

    Any comments you have would be great to hear, and thank you so much for posting this solution ...

    the insert operation.

    Monday, October 1, 2018 7:50 PM
  • User283571144 posted

    Hi silenttalk,

    silenttalk

    • Obviously use parameterized query for the insert command
    • The fact we are using a uniqueidentifier type no majorly sensitive data is in the URL construct
    • The uniqueidentifier will avoid any speculative guessing of other uniqueidentifier's 
    • The insert command in code behind limits the exposure of the only that one field (Boolean Yes= 1 or No = 0) and no other fields.
    • I hear on various forums to always use POST rather than GET as GET can be cached, but with the limited exposure (as I see it) not sure its a big deal.

    In my opinion, if the data is not important, you could choose this way.

    But I suggest you could write a logic to encrtypt the query string and add an security check logic.

    You could generate a used once password and add it in the url.

    If the url send to the server, the server will check the password firstly, if this password is not exists, directly return un-auth error message.

    Best Regards,

    Brando

    Tuesday, October 2, 2018 5:58 AM
  • User-843090597 posted
    Sound advice, thanks 😀
    Wednesday, October 3, 2018 4:44 AM