[Bind(Exclude = "OrderId")]

Wiki Link: [discussion:397026]
JCPuerto
Sep 26, 2012 at 6:10 PM

I have a question. I hope it can be answered here.

In step 9, what happens if I don't write the line:

[Bind(Exclude = "OrderId")]

I did it and still works. I'm not sure what this does.

 

Thank you!
jongalloway
Coordinator
Sep 26, 2012 at 6:28 PM
Great question!

Since model binding sets our model properties from form post and querystring values, it's important to exclude fields that we don't want users to be able to change. Otherwise, a malicious user could modify someone else's order by posting to /Checkout/AddressAndPayment?OrderID=1234

You can read more about this issue on Brad Wilson's book:

I wrote about this in detail in the security chapter of Wrox Professional ASP.NET MVC 4.

- Jon
From: JCPuerto
Sent: Wednesday, September 26, 2012 11:10 AM
To: Jon Galloway
Subject: [Bind(Exclude = "OrderId")] [mvcmusicstore:397026]

From: JCPuerto

I have a question. I hope it can be answered here.

In step 9, what happens if I don't write the line:

[Bind(Exclude = "OrderId")]

I did it and still works. I'm not sure what this does.

Thank you!
JCPuerto
Sep 26, 2012 at 11:52 PM

Thanks for the quick answer!

 

Have a great day!
Sign in to post message or set email notifications