In this video, I am going to discuss Unintended Updates in the ASP.NET MVC application. Please read our previous video before proceeding, where we discussed how to update a model in an ASP.NET MVC application. We are also going to work with the same example that we worked on in our previous video. As part of this video, we are going to discuss the following pointers.
What are Unintended Updates in ASP.NET MVC? (The Complete ASP.NET MVC Developer Course 2023 [Videos])
- What are Unintended Updates in ASP.NET MVC?
- Example to understand Unintended Updates in ASP.NET MVC.
- How to prevent Unintended Updates?
Let's understand Unintended Updates with an example.
At the moment, within the “Employee Edit” view, we allow the user to change all of the following fields.
Let's make the “Name” field non-editable. To achieve this, change the following code in the Edit.cshtml file.
Run the application and edit an employee. Notice that the Name of the employee is no longer rendered using a textbox. At this point, you may think that it is impossible for the user to change the name of the employee using the “Edit” view. That is not true. The model binder populates the “Employee” object from whatever fields arrive in the POST body, regardless of which fields the view rendered, so because of the way we have written our code, tools like Fiddler and Postman can very easily be used to change any property of the “Employee” object.
Using Fiddler to Post data:
Fiddler can be downloaded from the following URL
Once you have downloaded and installed Fiddler, run it. Select the Composer tab, select GET as the method, provide the URL http://localhost:54094/Employee/Edit/1 and click the Execute button as shown below.
In Fiddler's Web Sessions window, select the URL. Under the “Inspectors” tab we can see the request headers and the response. We will discuss Fiddler in more detail in a later session. To see this, click on the URL below.
Then select the web view as shown below
Now click on the “Save” button on the “Edit” view. Notice that under “Web Sessions” in fiddler another request is captured for the same URL – http://localhost:54094/Employee/Edit/1
Now, without using the browser, let us see how to generate a POST request using Fiddler.
- Click on the “Composer” tab in Fiddler.
- Drag and drop the following URL from the “Web Sessions” window onto the Composer window.
- In the “Request Body” under the “Composer” tab, change the “Name” of the employee to “XYZ”.
- Finally, click the “Execute” button.
Now either query the database table or navigate to the “Index” view and notice that the employee name has been changed to “XYZ”, even though the “Edit” view never offered a textbox for it.
How to prevent unintended updates in ASP.NET MVC?
Modify the “Edit” action method of EmployeeController that is decorated with the [HttpPost] attribute as shown below.
- The name of the method is changed from “Edit” to “Edit_Post”.
- The method is decorated with the [ActionName(“Edit”)] and [HttpPost] attributes. This indicates that this method is going to respond to the “Edit” action when the form is posted to the server.
- The “id” of the employee that is being edited is passed as a parameter to this method.
- Using the “id” parameter, we load the employee details (Id, Name, Gender, City, Salary & DateOfBirth) from the database.
- We then call the UpdateModel() function. This automatically updates the “Employee” object with data from the posted form. We are also passing a string array as the second parameter. This parameter specifies the list of model properties to update; it is also called an include list or whitelist. Notice that we did not include the “Name” property in the list. This means that even if the posted form data contains a value for the “Name” property, it will not be used to update the “Name” property of the “Employee” object.
So, if you generate a POST request using Fiddler, the “Name” property of the “Employee” object will not be updated. Alternatively, to exclude properties from binding, we can specify an exclude list as shown below.
Notice that we are using a different overloaded version of the UpdateModel() function. We are passing null for the “prefix” and “includeProperties” parameters, and the exclude list as the last parameter. Both list parameters are string arrays:
UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties)
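The hardened [HttpPost] action described in the bullets above, written out as an added example that is not the course's own code. It assumes an Entity Framework DbContext named EmployeeContext with an Employees DbSet (not shown in the course), and swaps in TryUpdateModel for UpdateModel so that a validation failure redisplays the view instead of throwing.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Model with the properties the course names; the include list below is
// written against these property names.
public class Employee
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Gender { get; set; }
    public string City { get; set; }
    public decimal Salary { get; set; }
    public DateTime DateOfBirth { get; set; }
}

// Assumed DbContext; the course's own context class is not shown.
public class EmployeeContext : DbContext
{
    public DbSet<Employee> Employees { get; set; }
}

public class EmployeeController : Controller
{
    // Vulnerable form, for comparison: a parameter of type Employee lets the
    // model binder populate every property from the POST body, including a
    // Name field the Edit view never rendered.
    //   [HttpPost] public ActionResult Edit(Employee employee) { ... }

    [ActionName("Edit")]
    [HttpPost]
    public ActionResult Edit_Post(int id)
    {
        using (var db = new EmployeeContext())
        {
            // Load the current row first; posted values may only overlay it.
            Employee employee = db.Employees.Single(e => e.Id == id);

            // Include list: Name is deliberately absent, so a posted Name=XYZ
            // is ignored. The equivalent exclude-list form is
            //   TryUpdateModel(employee, null, null, new[] { "Name" });
            bool ok = TryUpdateModel(employee, new[] { "Gender", "City", "Salary", "DateOfBirth" });
            if (!ok)
            {
                return View(employee);   // validation errors are already in ModelState
            }
            db.SaveChanges();
        }
        return RedirectToAction("Index");
    }
}
```

The include list should be kept in step with the Edit view: any property added to the form later must also be added here, or its posted value will silently be ignored.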