Unintended Updates in ASP.NET MVC

Unintended Updates in ASP.NET MVC Application

In this article, I am going to discuss Unintended Updates in the ASP.NET MVC application. Please read our previous article, where we discussed how to update a model in an ASP.NET MVC application, before proceeding, because we continue with the same example here. As part of this article, we are going to discuss the following pointers.

  1. What are Unintended Updates in ASP.NET MVC?
  2. Example to understand Unintended Updates in ASP.NET MVC.
  3. How to prevent Unintended Updates?

Unintended updates (also called over-posting or mass assignment) happen when the model binder copies a posted field onto a model property that the form was never meant to expose. Let’s understand this with an example.

At the moment, the “Employee Edit” view lets the user change all of the following fields.

  1. Name
  2. Gender
  3. City
  4. Salary
  5. DateOfBirth

Let’s make the “Name” field non-editable. To achieve this, change the Edit.cshtml view so that Name is rendered as plain text instead of as a textbox, while the other fields keep their editors.

Run the application and edit an employee. Notice that the Name of the employee is no longer rendered using a textbox. At this point, you may think that it is impossible for the user to change the name of the employee through the “Edit” view. That is not true. The view only controls what the browser sends; because of the way our action is written, the model binder on the server still accepts any posted field that matches a property of the Employee object. Tools like Fiddler and Postman can craft such a POST and change any property of the Employee object.

Using Fiddler to Post data:

Fiddler can be downloaded from the following URL

https://www.telerik.com/download/fiddler

Once you have downloaded and installed Fiddler, run it. Select the Composer tab, choose GET as the method, enter http://localhost:54094/Employee/Edit/1 as the URL and click the Execute button.

In the Web Sessions window, select the captured request. Under the Inspectors tab you can see the request headers and the response. We will discuss Fiddler in more detail in a later session.

Then select the WebView inspector to see the rendered “Edit” page.

Now click the “Save” button on the “Edit” view. Notice that under “Web Sessions” in Fiddler another request, this time a POST, is captured for the same URL – http://localhost:54094/Employee/Edit/1

Now, without using the browser, let us see how to generate a POST request from Fiddler.

  1. Click on the Composer tab in Fiddler.
  2. Drag and drop the captured POST request from the “Web Sessions” window onto the Composer window.
  3. In the Request Body under the Composer tab, change the value of the Name field to XYZ.
  4. Finally, click the “Execute” button.

Now either query the database table or navigate to the “Index” view and notice that the employee name has changed to “XYZ”, even though the view no longer offers a textbox for it.
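The same forged POST can be sent from code instead of from Fiddler’s Composer. The following console program is an added example and not part of the original article. It assumes the article’s application is running at http://localhost:54094, that the Edit action binds posted fields by Employee property name, and that the form carries no anti-forgery token (the article’s Edit action does not validate one). The field values are constructed for the demonstration.

```csharp
// Added example (not the article's code): replay the Edit form POST without a
// browser, including a Name field that the Edit view no longer renders.
// Assumptions: app at http://localhost:54094, fields bound by property name,
// no anti-forgery token on the Edit form.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

class OverPostingDemo
{
    static async Task Main()
    {
        const string editUrl = "http://localhost:54094/Employee/Edit/1";

        // Constructed form body. Everything except Name is what the real form
        // would send; Name is the field the view was changed to hide.
        var fields = new Dictionary<string, string>
        {
            { "ID", "1" },
            { "Name", "XYZ" },          // not rendered by the view, still bound by the server
            { "Gender", "Male" },
            { "City", "London" },
            { "Salary", "5000" },
            { "DateOfBirth", "1990-01-01" }
        };

        using (var client = new HttpClient())
        {
            HttpResponseMessage response =
                await client.PostAsync(editUrl, new FormUrlEncodedContent(fields));

            // The article's action redirects to Index on success. HttpClient
            // follows the redirect by default, so a final URL of /Employee/Index
            // with status 200 means the POST was accepted and the record updated.
            Console.WriteLine("Final URL: " + response.RequestMessage.RequestUri);
            Console.WriteLine("Status:    " + (int)response.StatusCode);
        }
    }
}
```

Check the “Index” view before and after running it: the employee’s name changes to XYZ. If the form had used @Html.AntiForgeryToken() with [ValidateAntiForgeryToken] on the action, the program would additionally have to GET the form first and replay both the cookie and the hidden __RequestVerificationToken field; anti-forgery protection stops cross-site posting, but it does not stop a user who owns the session from adding extra fields, so it is not a substitute for the include list described next.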

How to prevent unintended updates in ASP.NET MVC?

Modify the “Edit” action method of EmployeeController that is decorated with the [HttpPost] attribute as shown below.

[HttpPost]
[ActionName("Edit")]
public ActionResult Edit_Post(int id)
{
    EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();

    // The record to update is selected by the route id, not by anything posted.
    Employee employee = employeeBusinessLayer.GetAllEmployess().FirstOrDefault(x => x.ID == id);
    if (employee == null)
    {
        return HttpNotFound();
    }

    // Include list: only these properties are copied from the posted form.
    // "Name" is deliberately absent, so a posted Name value is ignored.
    UpdateModel(employee, new string[] { "ID", "Gender", "City", "Salary", "DateOfBirth" });
    if (ModelState.IsValid)
    {
        employeeBusinessLayer.UpdateEmmployee(employee);
        return RedirectToAction("Index");
    }
    return View(employee);
}
Code Explanation:
  1. The name of the method is changed from Edit to Edit_Post so that it does not clash with the Edit action that serves the GET request.
  2. The method is decorated with the [ActionName("Edit")] and [HttpPost] attributes. This indicates that this method responds to the “Edit” action when the form is posted to the server.
  3. The id of the employee that is being edited comes from the route and is passed as a parameter to this method.
  4. Using the id parameter we load the employee details (ID, Name, Gender, City, Salary and DateOfBirth) from the database.
  5. We then call the UpdateModel() function, which copies the posted form values onto the Employee object. The string array passed as the second parameter is the list of model properties that may be updated. This is called an include list or white list. Notice that we did not include the “Name” property in the list. This means that even if the posted form data contains a value for “Name”, it is not used to update the Name property of the Employee object; the name loaded from the database is kept.

Two caveats apply to this pattern. First, UpdateModel() throws an InvalidOperationException when the posted values fail validation, so the ModelState.IsValid check after it is never reached with an invalid model; use TryUpdateModel(), which returns false instead of throwing, when you want to redisplay the form with validation errors. Second, the include list should contain only the properties the form is meant to edit. ID is already known from the route, and letting the client post a different ID lets it choose which record UpdateEmployee writes to, so it is safer to leave ID out of the list as well.

So, if you generate the POST request from Fiddler again, the “Name” property of the “Employee” object is no longer updated. Alternatively, to exclude properties from binding, we can specify an exclude list (black list) as shown below. Keep in mind that a black list only protects the properties you remember to name: any property added to the Employee class later is bound by default, which is why the include list is the safer choice.

[HttpPost]
[ActionName("Edit")]
public ActionResult Edit_Post(int id)
{
    EmployeeBusinessLayer employeeBusinessLayer = new EmployeeBusinessLayer();

    // Single() throws if no employee has this id, so a bogus route id fails loudly.
    Employee employee = employeeBusinessLayer.GetAllEmployess().Single(x => x.ID == id);

    // Exclude list: every property is bound except "Name".
    UpdateModel(employee, null, null, new string[] { "Name" });
    if (ModelState.IsValid)
    {
        employeeBusinessLayer.UpdateEmmployee(employee);
        return RedirectToAction("Index");
    }
    return View(employee);
}

Notice that we are using a different overload of the UpdateModel() function. We pass null for the “prefix” and “includeProperties” parameters, so every property other than those in “excludeProperties” is bound:

UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties)
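Putting the include-list approach together with the two caveats above, here is the version of the action I would ship. It is an added example, not the article’s own code: it assumes the article’s Employee model and EmployeeBusinessLayer (with its GetAllEmployess and UpdateEmmployee methods) and replaces only the POST Edit action of EmployeeController. It uses TryUpdateModel() instead of UpdateModel() so that validation failures redisplay the form, and it keeps ID out of the include list because the record is selected by the route.

```csharp
// Added example (not the article's code): a hardened Edit_Post action.
// Assumes the article's Employee model and EmployeeBusinessLayer
// (GetAllEmployess, UpdateEmmployee); other actions of the controller omitted.
using System.Linq;
using System.Web.Mvc;

public class EmployeeController : Controller
{
    // Properties the Edit form is meant to change. Anything not listed here is
    // ignored by the binder even if the client posts it: Name, ID, or any
    // property added to Employee later.
    private static readonly string[] EditableProperties =
        { "Gender", "City", "Salary", "DateOfBirth" };

    [HttpPost]
    [ActionName("Edit")]
    public ActionResult Edit_Post(int id)
    {
        var employeeBusinessLayer = new EmployeeBusinessLayer();

        // The record to update is chosen by the route id, never by a posted ID.
        Employee employee = employeeBusinessLayer.GetAllEmployess()
                                                 .FirstOrDefault(x => x.ID == id);
        if (employee == null)
        {
            return HttpNotFound();
        }

        // TryUpdateModel applies the include list like UpdateModel, but returns
        // false on a validation failure instead of throwing
        // InvalidOperationException, so the form can be shown again with errors.
        if (TryUpdateModel(employee, EditableProperties))
        {
            employeeBusinessLayer.UpdateEmmployee(employee);
            return RedirectToAction("Index");
        }

        // employee.Name still holds the database value here, even if the client
        // posted a different Name, because Name is not in EditableProperties.
        return View(employee);
    }
}
```

With this action in place, replaying the Fiddler POST with Name=XYZ and ID=2 changes neither the name nor which record is written: the name is dropped by the include list, and the row is chosen by the id in the URL.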

In the next article, I am going to discuss how to use the Bind attribute to include and exclude properties from model binding in an ASP.NET MVC application. In this article, I tried to explain how unintended updates can happen in ASP.NET MVC applications and how to prevent them, with examples. I would like to have your feedback. Please post your feedback, questions, or comments about this article.