Home/ Questions/Q 8036901
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T02:46:00+00:00

Not a major question but definitely one that would be a nice one to

  • 0

Not a major question but definitely one that would be a nice one to see fixed.

I have, for example, a model that looks like this (not I cut out some to save reading time, i do have confirm fields etc 🙂 ):

public class NewUser
{
    [Required]
    public string Username{ get; set; }
    [Required]
    public string Password{ get; set; }

    public string Salt{ get; set; }
}

In my code after post (after validation) I create a salt that is used to one way encrypt the password, and it is very useful to have it in the model (I know I can leave it out but I would rather not).

If, on post, the user adds to their querystring &salt=blahblahblah, as soon as the page is posted back and MVC matches up the model, it assigns the value blahblahblah to my model as expected, I haven’t got a problem with this as I can always override this.

Is there any way that I can have an attribute that will make MVC not assign a value in a model to what was sent from the postback as there are some values in other models that I do not want it to have the possibility to set (I have my workarounds to reset them to what they should have been, but missing this could cause problems if someone wanted to attempt to hack in some values).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can use the BindAttribute to white/blacklist properties during the modelbinding:

    You can apply it on the Model level globally:

    [Bind(Exclude="Salt")]
public class NewUser
{
    [Required]
    public string Username{ get; set; }
    [Required]
    public string Password{ get; set; }

    public string Salt{ get; set; }
}

    Or on the individual controller action level:

    public ActionResult MyAction([Bind(Exclude="Salt")] NewUser user)
{
    //...
}
    • 0