How to exclude database columns from being updated in MVC


Let's use an example where you have a SQL table with Date_Created and Date_Updated columns. You also have a view in your MVC application at /Views/App/Edit, which produces a web page such as www.example.com/App/Edit/1. When an update is submitted, only Date_Updated should change; Date_Created must keep its original value. One common way to carry that value through the edit round trip is the HiddenFor HTML helper.

@Html.HiddenFor(model => model.Date_Created)


Because the field is rendered as a hidden input, a user navigating to www.example.com/App/Edit/1 can neither see nor edit Date_Created in the browser, but the value is still sent back to the server with the rest of the form. If we view the source of the web page, we should see something like this:

<input id="Date_Created" name="Date_Created" type="hidden" value="2016-01-01" />


However, anything the browser sends can be altered before it reaches the server. Using an HTTP debugging proxy such as Fiddler (any intercepting proxy, or even curl, would do), we can rewrite the posted value and change Date_Created in the database. You can download and install Fiddler from https://www.telerik.com/download/fiddler.

  1. Launch Fiddler.
  2. In your MVC application, edit and save a record on your www.example.com/App/Edit/1 page.
  3. In the left panel of Fiddler, highlight the captured POST request to www.example.com/App/Edit/1.
  4. In the right panel of Fiddler, select the Composer tab.
  5. Drag the www.example.com/App/Edit/1 capture onto the right panel.
  6. In the Request Body area, replace Date_Created=2016-01-01 with Date_Created=1999-01-01, leaving the rest of the form body unchanged.
  7. Select Execute.

Now, if we return to www.example.com/App/Details/1, Date_Created will display 1999-01-01. Date_Created is a fairly harmless example, but the same technique works against any other property on the bound model. The root cause is not the HiddenFor helper itself: the default model binder sets every property whose name matches a posted field, whether or not the view rendered an input for it, so an attacker can add Date_Created=... to the request body even when no hidden field exists. This class of vulnerability is known as over-posting (or mass assignment). It can be mitigated by telling the model binder which properties it may bind, using the Bind attribute.

In the /Controllers/ExampleController file in your MVC application, locate the [HttpPost] Edit action (public ActionResult Edit) and modify its signature to exclude the Date_Created column, replacing Table_name and table_name with the model class and parameter for your SQL table:

public ActionResult Edit([Bind(Exclude = "Date_Created")] Table_name table_name)
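The following controller pair ties the Fiddler replay above and the Bind fix together. It is an added example for this page, not code taken from it. It assumes an Entity Framework 6 DbContext named ExampleContext, an entity class Table_name with Id, Name, Date_Created and Date_Updated properties, and a Details action to redirect to; all of these names except Date_Created and Date_Updated are placeholders. The first controller shows why the replayed request works; the second applies the Bind(Exclude) signature from the page and adds the load-then-copy pattern that is needed so the excluded column is neither taken from the request nor overwritten with a default value.

```csharp
using System;
using System.Data.Entity;
using System.Web.Mvc;

// Hypothetical entity and DbContext standing in for the page's "Table_name";
// Table_name, Name and ExampleContext are assumed names, not from the page.
public class Table_name
{
    public int Id { get; set; }
    public string Name { get; set; }
    public DateTime Date_Created { get; set; }
    public DateTime Date_Updated { get; set; }
}

public class ExampleContext : DbContext
{
    public DbSet<Table_name> Table_names { get; set; }
}

// BEFORE: the default model binder populates every property that matches a
// posted field, so a replayed request carrying Date_Created=1999-01-01 (or any
// other column name) is written straight to the database.
public class VulnerableExampleController : Controller
{
    private readonly ExampleContext db = new ExampleContext();

    [HttpPost]
    public ActionResult Edit(Table_name table_name)
    {
        db.Entry(table_name).State = EntityState.Modified; // updates ALL columns
        db.SaveChanges();
        return RedirectToAction("Details", new { id = table_name.Id });
    }
}

// AFTER: Date_Created is excluded from binding as on the page. The bound object
// then holds default(DateTime) for that column, so marking it Modified would
// overwrite Date_Created with 0001-01-01; instead the row is loaded from the
// database and only the editable fields are copied onto it.
public class ExampleController : Controller
{
    private readonly ExampleContext db = new ExampleContext();

    [HttpPost]
    public ActionResult Edit([Bind(Exclude = "Date_Created")] Table_name table_name)
    {
        // Safer alternative: a whitelist instead of a blacklist, e.g.
        //   [Bind(Include = "Id,Name")] Table_name table_name
        // so that columns added to the table later are not bindable by default.
        if (!ModelState.IsValid)
            return View(table_name);

        var existing = db.Table_names.Find(table_name.Id);
        if (existing == null)
            return HttpNotFound();

        existing.Name = table_name.Name;          // editable field
        existing.Date_Updated = DateTime.UtcNow;  // server sets the timestamp
        // existing.Date_Created is never assigned, so the stored value survives
        // whatever the client posted.

        db.SaveChanges();
        return RedirectToAction("Details", new { id = existing.Id });
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) db.Dispose();
        base.Dispose(disposing);
    }
}
```

With the second controller in place, repeating the Fiddler steps still sends Date_Created=1999-01-01 to the server, but the binder never copies it into table_name, and the action never copies it into the tracked entity, so the Details page keeps showing the original 2016-01-01.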


Now the model binder discards any posted Date_Created value, so the replayed Fiddler request no longer changes the stored date. Note that Bind(Exclude) only affects binding on the server; the hidden input is still rendered until you remove the @Html.HiddenFor line from the view, which you can now safely do. Because the bound object no longer carries Date_Created (it will hold default(DateTime)), the Edit action must not save the whole posted object as Modified; load the existing row and copy only the editable fields onto it. Finally, prefer a whitelist ([Bind(Include = "...")] or a dedicated view model) over Exclude: a blacklist silently lets through any column added to the table later.
