johnjohn1231...
How can i make sure that the Object ID or other properties has not been modified by an attacker a...
Mar 21, 2012 12:43 AM
I have the following Edit POST action method in my ASP.NET MVC 3:

    [HttpPost]
    public ActionResult Edit(Album album)
    {
        if (ModelState.IsValid)
        {
            db.Entry(album).State = EntityState.Modified;
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        // Redisplay the form when validation fails
        return View(album);
    }

But is there a way to make sure that the original object ID (which is auto-generated by the database) was not modified by an attacker, something like using the [ValidateAntiForgeryToken] attribute? I found some projects that implement similar functionality, but all of them were out of date.
BR
thinkrajesh
Re: How can i make sure that the Object ID or other properties has not been modified by an attack...
Mar 21, 2012 01:06 AM
You can specifically include/exclude fields for binding...
or include:
johnjohn1231...
Re: How can i make sure that the Object ID or other properties has not been modified by an attack...
Mar 21, 2012 04:25 PM
But if I specify to exclude the ID from my model-binding POST Edit action method, then how can I retrieve the original ID for the object to be edited? In other words, how can I update an object if I am not passing the ID to my POST action method and if I am excluding it from the Bind list?
BR
Young Yang -...
Microsoft
Re: How can i make sure that the Object ID or other properties has not been modified by an attack...
Mar 26, 2012 09:43 AM
Hi
You should use a view model which contains only the properties that you want to be edited. Then you should map between the view model and the model to perform the update. AutoMapper is a really great tool for this job.
Hope this is helpful
Regards
Young Yang
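The view-model approach from the answer above, as an added example that is not code from any post in this thread: the ID arrives as a route value and is used only to look the row up, the stored entity is loaded from the database, and only the view model's fields are copied onto it (by hand here instead of AutoMapper). The names AlbumEditViewModel, MusicStoreEntities, StoreManagerController, the Album properties and the OwnerName ownership rule are assumptions made for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Web.Mvc;

// Assumed entity; AlbumId is database-generated, OwnerName is a hypothetical owner column.
public class Album
{
    public int AlbumId { get; set; }
    public string Title { get; set; }
    public decimal Price { get; set; }
    public string OwnerName { get; set; }
}

// Assumed EF Code First context.
public class MusicStoreEntities : DbContext
{
    public DbSet<Album> Albums { get; set; }
}

// View model: only the fields the form is allowed to change. No ID, no owner.
public class AlbumEditViewModel
{
    [Required, StringLength(160)]
    public string Title { get; set; }
    [Range(0.01, 100.00)]
    public decimal Price { get; set; }
}

public class StoreManagerController : Controller
{
    private readonly MusicStoreEntities db = new MusicStoreEntities();

    [HttpPost]
    [ValidateAntiForgeryToken] // the view must emit @Html.AntiForgeryToken()
    public ActionResult Edit(int id, AlbumEditViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);
        // id is only a lookup key: the key and every unlisted column come from the database.
        var album = db.Albums.Find(id);
        if (album == null)
            return HttpNotFound();
        // Hypothetical rule: a changed id must still point at a row this user may edit.
        if (album.OwnerName != User.Identity.Name)
            return new HttpStatusCodeResult(403);
        album.Title = model.Title;   // copy only the whitelisted fields
        album.Price = model.Price;
        db.SaveChanges();            // change tracking updates just the modified columns
        return RedirectToAction("Index");
    }
}
```

Posting a different id can then only select another existing row, and the server-side ownership check decides whether that row may be edited; posted values for AlbumId or OwnerName are never bound.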