In ASP.NET MVC (default routing), I’d like to use a URL like this to return a View with a form to edit a customer:
/Customers/Edit/5
I need to make use of CustomerId=5, but I don’t want to permit a customer to change it. Right now I make the id hidden using:
<%= Html.Hidden("CustomerId") %>
This accomplishes what I want, but I’m under the impression that hidden form variables are not secure and can be manipulated by the end user.
So, what’s the best way to allow a customer to edit their information but not their ID?
My solution was to use the Tamper Proofing code from Steven Sanderson’s ASP.NET MVC book. The idea is that you create a hash of any hidden form field you want to tamper proof:
When the form is submitted, Steven’s code then computes another hash of CustomerId and makes certain it equals CustomerIdHash. If it does, then no tampering has occurred. It’s great code, and worth the price of the book.
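The following is an added example of the tamper-proofing idea described in the answer; it is not the question's code, the book's code, or any project's own helper. It uses a keyed hash (HMAC-SHA256) rather than a plain hash so that a user who can read the hidden field still cannot compute a matching value for a different CustomerId. The class and method names (TamperProof, ComputeHash, HiddenWithHash, Verify), the "Hash" suffix on the companion field, and the secret key are all assumptions; in a real deployment the key must come from configuration or a secrets store.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Added example: keyed hash over a hidden form value so the server can
// detect a CustomerId that was changed in the browser before postback.
public static class TamperProof
{
    // Assumption: placeholder key. Load a random secret from configuration
    // in a real application; never commit it to source.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("REPLACE-WITH-A-RANDOM-SECRET-KEY");

    // HMAC over fieldName + value, so a hash issued for one field cannot be
    // replayed as the hash for another field with the same value.
    public static string ComputeHash(string fieldName, string value)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] data = Encoding.UTF8.GetBytes(fieldName + "\0" + value);
            return BitConverter.ToString(hmac.ComputeHash(data)).Replace("-", "");
        }
    }

    // Render the hidden value together with its companion hash field.
    public static string HiddenWithHash(string fieldName, string value)
    {
        string encoded = WebUtility.HtmlEncode(value);
        string hash = ComputeHash(fieldName, value);
        return string.Format(
            "<input type=\"hidden\" name=\"{0}\" value=\"{1}\" />" +
            "<input type=\"hidden\" name=\"{0}Hash\" value=\"{2}\" />",
            fieldName, encoded, hash);
    }

    // Verify on postback. Returns false if either field is missing or the
    // recomputed hash does not match the posted one.
    public static bool Verify(string fieldName, string postedValue, string postedHash)
    {
        if (postedValue == null || postedHash == null) return false;
        byte[] expected = Encoding.UTF8.GetBytes(ComputeHash(fieldName, postedValue));
        byte[] actual = Encoding.UTF8.GetBytes(postedHash.ToUpperInvariant());
        return FixedTimeEquals(expected, actual);
    }

    // Constant-time comparison so the response time does not reveal how
    // many leading bytes of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed values standing in for the view and the posted form.
        string html = TamperProof.HiddenWithHash("CustomerId", "5");
        string issuedHash = TamperProof.ComputeHash("CustomerId", "5");
        Console.WriteLine(html);

        // Unmodified postback: the hash still matches.
        Console.WriteLine(TamperProof.Verify("CustomerId", "5", issuedHash));   // True

        // Postback where the hidden CustomerId was edited to 6: mismatch.
        Console.WriteLine(TamperProof.Verify("CustomerId", "6", issuedHash));   // False
    }
}
```

In the POST action for Edit, call `TamperProof.Verify("CustomerId", Request.Form["CustomerId"], Request.Form["CustomerIdHash"])` and reject the request when it returns false. The hash only proves that the server issued that CustomerId for a form; it does not prove that the currently authenticated user is allowed to edit that customer, so the action should still check ownership or authorization against the logged-in identity before saving.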