At first I was creating Delete links with just the Html.ActionLink method. But then I ran across an article that said that that is wrong and shouldn't be used that way. It then suggested the Master -> Detail way. But that seems silly. There should be a way for me to have a Delete link (with an "Are You Sure" prompt) and still not be a security hole. Right?

possible duplicate of [ASP.NET MVC Delete ActionLink with confirm](http://stackoverflow.com/questions/4682107/asp-net-mvc-delete-actionlink-with-confirm) – McGarnagle Sep 20 '12 at 01:15
3 Answers
Yes, using the GET method to delete data is bad practice. You need to use the POST method; it can be done, for example, with a form or jQuery/JavaScript. But note that if you use a simple link with an attached prompt, the user can click the center button and delete data, or JavaScript could be disabled. It's also a security problem: someone could give a link to you and you remove some data from the server.
Example:
<a href="/controller/delete/1" onclick="$.post(this.href); return false;">Delete</a>
If the server gets a GET to /controller/delete/x then serve up a confirmation page with a POST form (on this form we put two buttons, Yes and No; the first button submits the form with hidden fields). If the server gets a POST (or maybe a DELETE) request then do the deletion.

You'll want to ensure you include the RequestVerificationToken in the request and [ValidateAntiForgeryToken] on your controller's method. http://stackoverflow.com/questions/2906754/how-can-i-supply-an-antiforgerytoken-when-posting-json-data-using-ajax – Adam Tuliper Sep 20 '12 at 04:17
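The pattern the answer and the comment above describe (GET renders an "Are you sure?" page, only a POST carrying the anti-forgery token deletes) written out as an ASP.NET MVC controller plus its Razor view. This is an added example, not code from the question or any of the answers; the Employee model, IEmployeeRepository and EmployeesController names are assumptions made for the illustration, and the attributes and helpers used (HttpGet, HttpPost, ActionName, ValidateAntiForgeryToken, Html.BeginForm, Html.AntiForgeryToken) are the standard System.Web.Mvc ones.

```csharp
// Added example (not from the question or any answer). The Employee model,
// IEmployeeRepository and EmployeesController are assumptions for this illustration.
using System.Web.Mvc;

public class Employee
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public interface IEmployeeRepository
{
    Employee Find(int id);
    void Remove(int id);
}

public class EmployeesController : Controller
{
    private readonly IEmployeeRepository _repository;

    public EmployeesController(IEmployeeRepository repository)
    {
        _repository = repository;
    }

    // GET /Employees/Delete/5
    // A GET only renders the confirmation form. A plain link, a middle-click,
    // a prefetcher or an <img src="..."> planted on another page can fetch this
    // URL, and none of them delete anything.
    [HttpGet]
    public ActionResult Delete(int id)
    {
        var employee = _repository.Find(id);
        if (employee == null)
        {
            return HttpNotFound();
        }
        return View(employee);
    }

    // POST /Employees/Delete/5
    // ActionName keeps the URL identical to the GET while giving this overload
    // its own method name. ValidateAntiForgeryToken rejects any POST whose
    // __RequestVerificationToken form field does not match the cookie issued
    // with the confirmation page, so a form submitted from another site fails.
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        if (_repository.Find(id) == null)
        {
            return HttpNotFound();
        }
        _repository.Remove(id);
        return RedirectToAction("Index");
    }
}

/* Views/Employees/Delete.cshtml (constructed for this example):

@model Employee

<h2>Are you sure you want to delete @Model.Name?</h2>

@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    <button type="submit">Yes</button>
    @Html.ActionLink("No", "Index")
}
*/
```

Html.BeginForm() with no arguments posts back to the current URL, so the id travels on the route and no hidden field is needed; if the form is posted from a different page, add @Html.Hidden("id", Model.Id) instead. The same two checks apply to the jQuery variant in the answer: the $.post call must send the value of the __RequestVerificationToken field along with the request, otherwise [ValidateAntiForgeryToken] rejects it.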
The issue has nothing to do with links or ActionLink or anything like that. The issue is that you shouldn't have action methods that Delete on HttpGet requests.
As for why you shouldn't do this: imagine that your boss has entered a reprimand into your online Employee profile. If you happen to know that this application deletes records with a Get request, then you need only create a specially crafted page in which an img tag contains the URL to delete your reprimand, then put it on the company's home page. Eventually, someone with access to delete these entries goes to the web page and poof... you have a clear record.
That might not seem so bad. You just improved your standing. But imagine your co-worker is mad at you, and he knows of a similar trick that would allow him to trick your boss into lowering your salary.
Not so funny anymore.
It's insecure to allow these kinds of actions because they can be triggered without a user even knowing what they're doing.

In the following article they describe a nice way of doing what you're looking for: Simple jQuery Delete Link For ASP.NET MVC.
But I think what you're actually looking for as an alternative is this posting: ASP.NET MVC Delete ActionLink with confirm.
So you have two options and I hope it is of help to you.

Good links, but it's better to provide an excerpt and/or explanation in your answer (in other words, if the links ever break, your answer should be able to stand on its own). – McGarnagle Sep 20 '12 at 01:17
You're right, but the articles are self-contained and they provide a theoretical basis and practical implementation, while if I excerpt it, it will give some idea, but rob the asking person of fundamental knowledge. The guy is asking a not very specific question, hence the entire article will do better. At least in my mind it is so. When the question is very specific, the answer will be very specific (read: a concrete excerpt or just laid-out personal experience). Thanks for noting it though. – Display Name Sep 20 '12 at 01:54