ucdavis/CCIA

Protect against overpost

Closed this issue · 2 comments

See me when we are both in the office. By taking a MyCustomer object from the form and sending that directly to the database, all fields are updated. If someone uses Fiddler, they can write to fields you didn't intend them to. We don't have any "protected" fields (not displayed or editable by the client) on this model now, but we might later, and it's a good habit to always protect against this.

Instead, create a variable:
MyCustomers newCustomer = new MyCustomers();

and then set each field from the passed in object. E.g.:

newCustomer.Name = myCustomer.Name;
newCustomer.Phone = myCustomer.Phone;

etc. for each field you showed on the form. It's a little painful, but I like this better than the other methods of preventing overposting (for Edit, you can provide a list of fields to map; other fields passed are ignored). There is no equivalent for Create, so you have to do it this way anyway.
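
As an added illustration (not the project's own code), the overpostable Create action beside the hardened one the issue asks for. It assumes an ASP.NET MVC controller, an Entity Framework context named `CciaContext`, and a hypothetical server-managed field `IsApproved` that no form ever renders:

```csharp
using System.Data.Entity;
using System.Web.Mvc;

// Entity persisted by EF. IsApproved is a hypothetical server-managed flag
// that no form renders; an overposted request must not be able to set it.
public class MyCustomer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Phone { get; set; }
    public bool IsApproved { get; set; }
}

// View model: only the fields the Create form actually shows.
public class MyCustomerViewModel
{
    public string Name { get; set; }
    public string Phone { get; set; }
}

// Assumed context name; the project's real DbContext may differ.
public class CciaContext : DbContext { public DbSet<MyCustomer> MyCustomers { get; set; } }

public class MyCustomerController : Controller
{
    private readonly CciaContext _db = new CciaContext();

    // VULNERABLE: binding the entity directly means every property is a
    // binding target, so a crafted POST can set IsApproved=true even though
    // the form has no such input.
    [HttpPost]
    public ActionResult CreateUnsafe(MyCustomer myCustomer)
    {
        _db.MyCustomers.Add(myCustomer);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // HARDENED: bind only the view model, then copy each displayed field onto
    // a fresh entity. Extra posted fields are never read, so IsApproved keeps
    // its server-side default (false).
    [HttpPost]
    public ActionResult Create(MyCustomerViewModel vm)
    {
        if (!ModelState.IsValid) return View(vm);
        var newCustomer = new MyCustomer { Name = vm.Name, Phone = vm.Phone };
        _db.MyCustomers.Add(newCustomer);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

For Edit, the whitelist the issue mentions is `TryUpdateModel(customer, includeProperties: new[] { "Name", "Phone" })` on the entity loaded from the database, which ignores any other posted property.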

I updated the Create POST method. I created a new MyCustomer class and populated it using the MyCustomerViewModel from the Create page. Then, I put the new MyCustomer class into the database.

You should check it first.