
What are Unintended Updates in ASP.NET MVC? The Complete ASP.NET MVC Developer Course 2023 [Videos].

In this Video, I am going to discuss Unintended Updates in the ASP.NET MVC application. Please read our previous Video, where we discussed How to Update a Model in ASP.NET MVC Application, before proceeding to this Video. We are also going to work with the same example that we worked on in our previous Video. As part of this Video, we are going to discuss the following pointers.

  1. What are Unintended Updates in ASP.NET MVC?
  2. Example to understand Unintended Updates in ASP.NET MVC.
  3. How to prevent Unintended Updates?
Let's understand Unintended Updates with an example.

At the moment, within the “Employee Edit” view, we allow the user to change all of the following fields.

  1. Name
  2. Gender
  3. City
  4. Salary
  5. DateOfBirth

Let's make the “Name” field non-editable. To achieve this, change the following code in the Edit.cshtml file.


Run the application and edit an employee. Notice that the Name of the employee is no longer rendered using a textbox. At this point, you may think that it is impossible for the user to change the name of the employee using the “Edit” view. That is not true. Removing the textbox only changes what the browser displays. Because of the way we have written our code, tools like Fiddler and Postman can very easily be used to change any property of the Employee object.

Using Fiddler to Post data:

Fiddler can be downloaded from the following URL

https://www.telerik.com/download/fiddler

Once you have downloaded and installed Fiddler, run it. Select the Composer tab and then select the method as GET. Provide the URL as http://localhost:54094/Employee/Edit/1 and click on the Execute button as shown below.


In the Web Sessions window in Fiddler, select the URL. Under the Inspectors tab we can see the request headers and the response. We will discuss more on Fiddler in a later session. To see this, click on the below URL.


Then select the web view as shown below.


Now click on the “Save” button on the “Edit” view. Notice that under “Web Sessions” in Fiddler another request is captured for the same URL: http://localhost:54094/Employee/Edit/1

Now, without using the browser, let us see how to generate a POST request using Fiddler.

  1. Click on the Composer tab in Fiddler.
  2. Drag and drop the following URL from the Web Sessions window onto the Composer window.
  3. In Request Body under the Composer tab, change the Name of the employee to XYZ.
  4. Finally, click the “Execute” button.

Now either query the database table or navigate to the “Index” view and notice that the employee name is changed to “XYZ”.

How to prevent unintended updates in ASP.NET MVC?

Modify the “Edit” action method of EmployeeController that is decorated with the [HttpPost] attribute as shown below.

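    [HttpPost]
    [ActionName("Edit")]
    public ActionResult Edit_Post(int id)
    {
        EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();

        // Load the current record from the database; Name keeps this stored value.
        Employee employee = employeeBusinessLayer.GetAllEmployess().FirstOrDefault(x => x.ID == id);
        if (employee == null)
        {
            // FirstOrDefault returns null for an unknown id; do not pass null to UpdateModel.
            return HttpNotFound();
        }

        // Include list: only these properties are bound from the posted form data.
        UpdateModel(employee, new string[] { "ID", "Gender", "City", "Salary", "DateOfBirth" });
        if (ModelState.IsValid)
        {
            employeeBusinessLayer.UpdateEmmployee(employee);
            return RedirectToAction("Index");
        }
        return View(employee);
    }

Code Explanation: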
  1. The name of the method is changed from Edit to Edit_Post
  2. The method is decorated with [ActionName("Edit")] and [HttpPost] attributes. This indicates that this method is going to respond to the “Edit” action when the form is posted to the server.
  3. The id of the employee that is being edited is passed as a parameter to this method.
  4. Using the id parameter we load the employee details (Id, Name, Gender, City, Salary & DateOfBirth) from the database.
  5. We then call the UpdateModel() function. This automatically updates the “Employee” object with data from the posted form. We are also passing a string array as the second parameter. This parameter specifies the list of model properties to update. This is also called an include list or white list. Notice that we did not include the “Name” property on the list. This means that even if the posted form data contains a value for the Name property, it will not be used to update the Name property of the Employee object.

So, if you generate a POST request using Fiddler, the “Name” property of the “Employee” object will not be updated. Alternatively, to exclude properties from binding, we can specify an exclude list as shown below.

    [HttpPost]
    [ActionName("Edit")]
    public ActionResult Edit_Post(int id)
    {
        EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();

        // Load the current record from the database.
        Employee employee = employeeBusinessLayer.GetAllEmployess().Single(x => x.ID == id);

        // Exclude list: every property except Name is bound from the posted form data.
        UpdateModel(employee, null, null, new string[] { "Name" });
        if (ModelState.IsValid)
        {
            employeeBusinessLayer.UpdateEmmployee(employee);
            return RedirectToAction("Index");
        }
        return View(employee);
    }

Notice that we are using a different overloaded version of the UpdateModel() function. We are passing null for the “prefix” and “includeProperties” parameters.

UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties) 
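
The two lists behave differently once the model gains a property that the Edit action's author never considered. The following is an added example, not code from the original page or from System.Web.Mvc: a standalone console sketch that models include/exclude filtering with reflection, where the BinderSketch class, the Bind helper, the IsManager property and all sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for the page's Employee model. IsManager is a hypothetical property
// added to the model after the Edit action was written.
public class Employee
{
    public int ID { get; set; }
    public string Name { get; set; }
    public string City { get; set; }
    public bool IsManager { get; set; }
}

public static class BinderSketch
{
    // Simplified model of include/exclude filtering: a posted value is bound only if the
    // property is in the include list (when one is given) and not in the exclude list.
    public static List<string> Bind(object model, IDictionary<string, string> form,
                                    string[] include, string[] exclude)
    {
        var bound = new List<string>();
        foreach (var prop in model.GetType().GetProperties())
        {
            bool included = include == null || include.Length == 0
                || include.Contains(prop.Name, StringComparer.OrdinalIgnoreCase);
            bool excluded = exclude != null
                && exclude.Contains(prop.Name, StringComparer.OrdinalIgnoreCase);
            string raw;
            if (!included || excluded || !form.TryGetValue(prop.Name, out raw)) continue;
            prop.SetValue(model, Convert.ChangeType(raw, prop.PropertyType));
            bound.Add(prop.Name);
        }
        return bound;
    }

    public static void Main()
    {
        // Constructed request body: one field the view renders, two it does not.
        var form = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            { { "City", "London" }, { "Name", "XYZ" }, { "IsManager", "true" } };

        var a = new Employee { ID = 1, Name = "Mark", City = "Mumbai" };
        Console.WriteLine("include [City]: bound " + string.Join(",", Bind(a, form, new[] { "City" }, null)));

        var b = new Employee { ID = 1, Name = "Mark", City = "Mumbai" };
        Console.WriteLine("exclude [Name]: bound " + string.Join(",", Bind(b, form, null, new[] { "Name" })));
        Console.WriteLine("Name=" + b.Name + ", IsManager=" + b.IsManager);
    }
}
```

With the exclude list, Name stays protected but the newly added IsManager property is bound from the request, whereas the include list ignores any property that has not been explicitly listed.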
