I’m reading everywhere that I should be using [Bind(Exclude="ID")] when creating forms that will allow modifications to my model.
I understand why and how this should help… but I don’t understand why it even works.
When creating an Edit view using the built-in MVC templates… it still uses a Html-Hidden to store the ID variable. During the Post, I need to use the ID variable to know which database record needs to be updated.
But, I can’t trust the ID variable since it can be hijacked during the post.
So, I’m using Bind-exclude on the ID. In addition, I can’t trust the hidden variable… so how is my POST supposed to pass the ID of which record is being edited on the form?
The only solution I can think of… is to use a Session variable that keeps track (on the server-side) of what record is being edited.
How come people aren’t scared of this? Is there something extra that MVC is doing during binding to make sure that the ID wasn’t changed?
Can someone explain what I’m not understanding about MVC security?
You’re putting up a record for editing. Then it cannot be a security issue when somebody edits a record. Whether that record is from a previous GET or not shouldn’t matter.
If you have any business rules about who can edit what records then you should (always) re-validate those rules on a Post.
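As an added example (not from the question or the answer above), this is what re-validating the rule on the POST looks like in an ASP.NET MVC controller: the record id comes from the route, the ownership check runs on every POST, and only the editable fields are bound. The `Post` entity, `IPostRepository`, the `OwnerUserName` field and constructor injection are assumptions made for this example.

```csharp
using System.Net;
using System.Web.Mvc;

// Hypothetical entity and repository; the names are assumptions for this example.
public class Post
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }
}

public interface IPostRepository
{
    Post Find(int id);
    void Save(Post post);
}

public class PostsController : Controller
{
    private readonly IPostRepository _posts;

    // Assumes a DependencyResolver is configured to supply the repository.
    public PostsController(IPostRepository posts) { _posts = posts; }

    // The record being edited is identified by the route (/Posts/Edit/42),
    // not by a hidden field or a Session variable. The value is still
    // untrusted, so the action re-checks who may edit that record on every POST.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id)
    {
        Post post = _posts.Find(id);
        if (post == null)
            return HttpNotFound();

        // Re-validate the business rule on the POST: only the owner may edit.
        if (post.OwnerUserName != User.Identity.Name)
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        // Bind only the editable fields. Id and OwnerUserName are not in the
        // include list, so posted values for them are ignored (same effect as
        // [Bind(Exclude = "Id")], but as an allow-list rather than a deny-list).
        if (!TryUpdateModel(post, new[] { "Title", "Body" }))
            return View(post); // validation errors: redisplay the form

        _posts.Save(post);
        return RedirectToAction("Details", new { id = post.Id });
    }
}
```

Because the id is read from the route and the owner is re-checked against the authenticated user, a tampered hidden field or a posted `Id` value changes nothing.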