
Part 19 - Unintended updates in mvc

Suggested Videos 
Part 16 - Difference between UpdateModel and TryUpdateModel
Part 17 - Editing a model in mvc
Part 18 - Updating data in mvc



In this video we will discuss how unintended updates (also called over-posting or mass assignment) can happen in MVC: the default model binder copies every posted form value that matches a property of the model, regardless of which inputs the view actually rendered. Please watch Part 18 before proceeding. Let's understand this with an example.



At the moment, "Employee Edit" view can be used to change all of the following fields.
1. Name
2. Gender
3. City 
4. DateOfBirth

Let's make "Name" non-editable. To achieve this
CHANGE THE FOLLOWING CODE IN EDIT.CSHTML
@Html.EditorFor(model => model.Name)

TO
@Html.DisplayFor(model => model.Name)
@Html.HiddenFor(model => model.Name)

Run the application and edit an employee. Notice that the Name of the employee is no longer rendered using a textbox. At this point we may think that it is impossible for the user to change the name of the employee using the "Edit" view. That is not true. The hidden field still posts "Name" back to the server, and the server-side code from Part 18 calls UpdateModel on the whole "Employee" object, so any "Name" value present in the POST body is copied onto the employee. The client controls the POST body, so tools like Fiddler (or the browser's developer tools) can be used to change any property of the "Employee" object, whether or not the view shows an input for it.

Fiddler can be downloaded from the following URL
http://fiddler2.com/get-fiddler

After you have downloaded and installed fiddler, run fiddler, and navigate to the following URL
http://localhost/MVCDemo/Employee/Edit/1

In fiddler, in web sessions window, select the url. Under the "Inspectors" tab you can see Request headers and response. We will discuss more about fiddler in a later video session.

Now click on "Save" button on "Edit" view. Notice that, under "Web Sessions" in fiddler, another request is captured for the same URL - http://localhost/MVCDemo/Employee/Edit/1

Now, without using the browser, let us see how to generate a post request using fiddler.
1. Click on "Composer" tab in fiddler
2. Drag and drop the following URL from "Web Sessions" window onto Composer window.
http://localhost/MVCDemo/Employee/Edit/1
3. In "Request Body" under "Composer" tab, change "Name" of the employee to "XYZ"
4. Finally click "Execute" button on "Fiddler"

Now either query the database table, or navigate to "Index" view and notice that the employee name is changed to "XYZ".
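The following is an added example, not code from the original page or from the MVCDemo project, showing why the crafted request works and what the fix looks like. The controller action is written in the shape Part 18 suggests (EmployeeBusinessLayer, Employees, SaveEmployee are assumed to exist as in the earlier parts); the raw POST request in the comment is constructed to match what the Fiddler composer step sends.

```csharp
using System.Linq;
using System.Web.Mvc;

// Constructed example of the request the Fiddler composer sends in step 3/4 above.
// Nothing in the view stops a client from including "Name", because the hidden
// field already posts it and the server never checks which fields the form showed:
//
//   POST http://localhost/MVCDemo/Employee/Edit/1 HTTP/1.1
//   Content-Type: application/x-www-form-urlencoded
//
//   Name=XYZ&Gender=Male&City=London&DateOfBirth=1980-01-01

public class EmployeeController : Controller
{
    // Vulnerable form (assumed to match the Part 18 action). UpdateModel(employee)
    // copies EVERY posted key that matches an Employee property, so Name=XYZ in the
    // request body overwrites the name even though Edit.cshtml renders it read-only.
    [HttpPost]
    [ActionName("EditUnsafe")]
    public ActionResult Edit_Post_Unsafe(int id)
    {
        EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();
        Employee employee = employeeBusinessLayer.Employees.Single(x => x.ID == id);

        // Binds Name, Gender, City and DateOfBirth from the request, whatever the form showed.
        UpdateModel(employee);

        if (ModelState.IsValid)
        {
            employeeBusinessLayer.SaveEmployee(employee);
            return RedirectToAction("Index");
        }
        return View(employee);
    }

    // Hardened form: pass an explicit include list to UpdateModel so only the
    // properties the Edit view is meant to change can be bound. A posted "Name"
    // value is now ignored, no matter how the request was produced.
    [HttpPost]
    [ActionName("Edit")]
    public ActionResult Edit_Post(int id)
    {
        EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();
        Employee employee = employeeBusinessLayer.Employees.Single(x => x.ID == id);

        // Whitelist: Name is deliberately absent, so it cannot be over-posted.
        UpdateModel(employee, new string[] { "Gender", "City", "DateOfBirth" });

        if (ModelState.IsValid)
        {
            employeeBusinessLayer.SaveEmployee(employee);
            return RedirectToAction("Index");
        }
        return View(employee);
    }
}
```

The whitelist belongs on the server, not in the view: removing the textbox (or the hidden field) from Edit.cshtml only changes what the browser sends by default, while the include list decides what the binder will accept from any client. The same restriction can be expressed with `[Bind(Include = "Gender,City,DateOfBirth")]` on a model parameter, or by binding to a dedicated view model that simply has no Name property.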

In our next video, we will discuss preventing this type of unintended update.
