[Bind(Exclude = "OrderId")]

Sep 26, 2012 at 7:10 PM

I have a question. I hope it can be answered here.

In step 9, what happens if I don't write the line:

[Bind(Exclude = "OrderId")]

I did it and it still works. I'm not sure what this does.


Thank you!

Coordinator
Sep 26, 2012 at 7:28 PM
Great question!

Since model binding sets our model properties from form post and querystring values, it's important to exclude fields that we don't want users to be able to change. Otherwise, a malicious user could modify someone else's order by posting to /Checkout/AddressAndPayment?OrderID=1234

You can read more about this issue in Brad Wilson's book:

I wrote about this in detail in the security chapter of Wrox Professional ASP.NET MVC 4.

- Jon

From: JCPuerto
Sent: Wednesday, September 26, 2012 11:10 AM
To: Jon Galloway
Subject: [Bind(Exclude = "OrderId")] [mvcmusicstore:397026]

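A worked illustration of the over-posting Jon describes, added here as an example; it is not code from the thread or from the MVC Music Store project. The Order class and the MusicStoreEntities context are assumed stand-ins that follow the tutorial's naming, and the three action variants (the unattributed one, the [Bind(Exclude)] one from step 9, and an allow-list alternative) are written for this example only:

```csharp
using System;
using System.Data.Entity;
using System.Web.Mvc;

// Assumed entity for this example, shaped like the tutorial's Order as far as the
// thread describes it. OrderId is the database-assigned key and must never be taken
// from the client; Username and OrderDate are set by the server at checkout time.
public class Order
{
    public int OrderId { get; set; }
    public string Username { get; set; }
    public DateTime OrderDate { get; set; }
    public string FirstName { get; set; }   // the only three fields the checkout form
    public string LastName { get; set; }    // legitimately sends
    public string Address { get; set; }
}

// Assumed Entity Framework context, named after the tutorial's; only Orders and
// SaveChanges are used below.
public class MusicStoreEntities : DbContext
{
    public DbSet<Order> Orders { get; set; }
}

public class CheckoutController : Controller
{
    private readonly MusicStoreEntities storeDB = new MusicStoreEntities();

    // 1. What the question's "it still works" version does. The default model binder
    //    sets every public settable property of Order it can find in the form post or
    //    query string, so a constructed request such as
    //        POST /Checkout/AddressAndPaymentOverPostable?OrderId=1234
    //        FirstName=A&LastName=B&Address=C
    //    arrives with order.OrderId == 1234 even though the form has no OrderId field.
    //    Honest users never send that value, which is why the omission passes testing.
    [HttpPost]
    public ActionResult AddressAndPaymentOverPostable(Order order)
    {
        return SaveAndComplete(order);
    }

    // 2. Step 9 of the tutorial: the binder skips the named property, so a posted
    //    OrderId is ignored and the database assigns the key. This is a block-list;
    //    any property added to Order later is bound by default unless it is also
    //    added to Exclude.
    [HttpPost]
    public ActionResult AddressAndPayment([Bind(Exclude = "OrderId")] Order order)
    {
        return SaveAndComplete(order);
    }

    // 3. Allow-list alternative (this example's suggestion, not the tutorial's code):
    //    only the three form fields are ever bound, whatever the entity grows into.
    [HttpPost]
    public ActionResult AddressAndPaymentAllowList(
        [Bind(Include = "FirstName,LastName,Address")] Order order)
    {
        return SaveAndComplete(order);
    }

    // Server-owned fields are always overwritten here, so after binding the only
    // client-controllable field that matters is OrderId, which is exactly what the
    // attribute in variant 2 removes from the binder's reach.
    private ActionResult SaveAndComplete(Order order)
    {
        order.Username = User.Identity.Name;
        order.OrderDate = DateTime.Now;
        storeDB.Orders.Add(order);
        storeDB.SaveChanges();
        return RedirectToAction("Complete", new { id = order.OrderId });
    }
}
```

To check the fix, send the constructed request above to each action and inspect the saved row: for variant 1 the key requested by the client reaches the entity before SaveChanges, for variants 2 and 3 it does not. The property name given to Exclude or Include must match the model's property as declared (here "OrderId"), and a view model holding just the form fields is an equally good way to get the allow-list behaviour of variant 3 without attributes.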
Sep 27, 2012 at 12:52 AM

Thanks for the quick answer!


Have a great day!