Unintended Updates in ASP.NET MVC

Unintended Updates in ASP.NET MVC Application

In this article, I am going to discuss Unintended Updates in ASP.NET MVC application. Please read our previous article before proceeding to this article where we discussed how to update a model in MVC. We are also going to work with the same example that we worked in our previous article. As part of this article, we are going to discuss the following pointers.

  1. What are Unintended Updates in ASP.NET MVC?
  2. Example to understand Unintended Updates in ASP.NET MVC.
  3. How to prevent Unintended Updates?
Let’s understand Unintended Updates with an example. 

At the moment, within the “Employee Edit” view, we are allowing to change all of the following fields.

  1. Name
  2. Gender
  3. City
  4. Salary
  5. DateOfBirth

Let’s make the “Name” field is non-editable. To achieve this change the following code in Edit.cshtml file.

Unintended Updates in ASP.NET MVC

Run the application and edit an employee. Notice that the Name of the employee is no longer rendered using a textbox. At this point, we may think that it is impossible for the user to change the name of the employee using the “Edit view. That is not true. Because of the way we have written our code tools like Fiddler and Postman can be used very easily to change any properties of the Employee object.

Using Fiddler to Post data:

Fiddler can be downloaded from the following URL

https://www.telerik.com/download/fiddler

After you have downloaded and installed the fiddler, then run fiddler. Select the Composer Tab and then select the method as GET. Provide the URL as http://localhost:54094/Employee/Edit/1 and click on the execute button as shown below

Unintended Updates in ASP.NET MVC

In fiddler in web sessions window, select the URL. Under the Inspectors tab we can see Request headers and response. We will discuss more on fiddler in a later session. To see this click on the below URL

Unintended Updates in ASP.NET MVC

Then select the web view as shown below

Unintended Updates in ASP.NET MVC

Now click on the “Save” button on the “Edit” view. Notice that under “Web Sessions” in fiddler another request is captured for the same URL – http://localhost:54094/Employee/Edit/1

Now without using the browser, let’ us see how to generate a post request using fiddler.

  1. Click on Composer tab in fiddler
  2. Drag and drop the following URL from the Web Sessions window onto the Composer window.
  3. In Request Body under Composer tab change Name of the employee to XYZ
  4. Finally, click the “Execute button

Now either query the database table or navigate to the “Index” view and notice that the employee name is changed to “XYZ”.

How to prevent unintended updates in ASP.NET MVC?

Modify the “Edit” action method of EmployeeController that is decorated with [HttpPost] attribute as shown below.

[HttpPost]
[ActionName("Edit")]
public ActionResult Edit_Post(int id)
{
    EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();

    Employee employee = employeeBusinessLayer.GetAllEmployess().Single(x => x.ID == id);
    UpdateModel(employee, new string[] { "ID", "Gender", "City", "Salary", "DateOfBirth" });
    if (ModelState.IsValid)
    {
        employeeBusinessLayer.UpdateEmmployee(employee);
        return RedirectToAction("Index");
    }
    return View(employee);
}
Code Explanation:
  1. The name of the method is changed from Edit to Edit_Post
  2. The method is decorated with [ActionName(“Edit”)] and [HttpPost] attributes. This indicates that this method is going to respond to the “Edit action when the form is posted to the server.
  3. The id of the employee that is being edited is passed as a parameter to this method.
  4. Using the id parameter we load the employee details (Id, Name, Gender, City, Salary & DateOfBirth) from the database.
  5. We then call UpdateModel() function. This should automatically update the Employee” object with data from the posted form. We are also passing a string array as the second parameter. This parameter specifies the list of model properties to update. This is also called as including a list or white list. Notice that we did not include the “Name property on the list. This means even if the posted form data contains the value for Name property it will not be used to update the Name property of the Employee object.

So, if you generated a post request using fiddler “Name property of the “Employee” object will not be updated. Alternatively to exclude properties from binding we can specify the exclude list as shown below. 

[HttpPost]
[ActionName("Edit")]
public ActionResult Edit_Post(int id)
{
    EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();

    Employee employee = employeeBusinessLayer.GetAllEmployess().Single(x => x.ID == id);
    UpdateModel(employee, null, null, new string[] { "Name" });
    if (ModelState.IsValid)
    {
        employeeBusinessLayer.UpdateEmmployee(employee);
        return RedirectToAction("Index");
    }
    return View(employee);
}

Notice that we are using a different overloaded version of the UpdateModel() function. We are passing “NULL” for “prefix” and the “includeProperties” parameters

UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties) 

In the next article, I will discuss how to use the Bind parameter to include and exclude properties from model binding in ASP.NET MVC application. Here, In this article, I try to explain how unintended updates can happen in ASP.NET MVC application and how to prevent unintended updates in ASP.NET MVC application step by step with a simple example. I would like to have your feedback. Please post your feedback, question, or comments about this article.

Leave a Reply

Your email address will not be published. Required fields are marked *