<< ASP.NET MVC 6 Hosting - HostForLIFE.eu :: Check Username Availability in ASP.NET MVC with Ajax and jQuery | ASP.NET MVC 6 Hosting Frankfurt - HostForLIFE.eu :: How to Refresh PartialView Automatically? >>

European ASP.NET MVC Hosting - UK :: Tips Using BindAttribute in ASP.NET MVC

March 3, 2015 06:21 by author

Scott

The Bind attribute is used to protect against over-posting. Represents an attribute that is used to provide details about how model binding to a parameter should occur.

Let’s take an example of Employee Controller which creates the records for employee basic information.

This code adds the Employee entity created by the ASP.NET MVC model binder to the Employees entity set and then saves the changes to the database.

The ValidateAntiForgeryToken attribute helps prevent cross-site request forgery attacks.

EmployeeController.cs –> Create

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Create(
   [Bind(Include = "FirstName, LastName, JoiningDate")]
   Employee employee)
{
   try
   {
      if (ModelState.IsValid)
      {
         db.Employees.Add(employee);
         db.SaveChanges();
         return RedirectToAction("Index");
      }
}
   catch (DataException ex)
   {
      //Log the error
      ModelState.AddModelError("", "Unable to save. Try again.");
   }
   return View(employee);
}

Employee.cs

public class Employee
   {
    public int ID { get; set; }
      public string LastName { get; set; }
      public string FirstName { get; set; }
      public DateTime JoiningDate { get; set; }
      public string City { get; set; }

    }

For example, suppose the Employee entity includes a City property that you don’t want this web page to update. Even if you don’t have a City field on the web page, a hacker could use a tool such as fiddler, or write some JavaScript, to post a City form value. Without the Bind attribute limiting the fields that the model binder uses when it creates an Employee instance, the model binder would pick up that City form value and use it to update the Employee entity instance. Then whatever value the hacker specified for the City form field would be updated in your database.

It’s a security best practice to use the Include parameter with the Bind attribute to whitelist fields. It’s also possible to use the Exclude parameter to blacklist fields you want to exclude. The reason Include is more secure is that when you add a new property to the entity, the new field is not automatically protected by an Exclude list.

Another alternative approach, and one preferred by many, is to use only view models with model binding. The view model contains only the properties you want to bind. Once the MVC model binder has finished, you copy the view model properties to the entity instance.

Comments (0) | RSS comment feed

Comment RSS

European ASP.NET MVC 4 Hosting - Amsterdam :: How to Upgrade ASP.NET MVC 3 Project to ASP.NET MVC 4 ProjectHow to Upgrade ASP.NET MVC 3 Project to ASP.NET MVC 4 ProjectEurope FREE ASP.NET MVC 5 Hosting - UK :: ASP.NET MVC 5 Hosting with HostForLIFE.euASP.NET MVC 5 Hosting with HostForLIFE.euASP NET MVC European Hosting :: What's New in ASP.NET MVC 2.0What's New in ASP.NET MVC 2.0

European ASP.NET MVC 4 and MVC 5 Hosting

European ASP.NET MVC Hosting - UK :: Tips Using BindAttribute in ASP.NET MVC

About HostForLIFE.eu

Other Important BLOGs

Featured on

Month List

European ASP.NET MVC 4 and MVC 5 Hosting

European ASP.NET MVC Hosting - UK :: Tips Using BindAttribute in ASP.NET MVC

About HostForLIFE.eu

Other Important BLOGs

Featured on

Month List

Tag cloud