1

So MVC5 has brought in that new Bind attribute; to my knowledge it is used to specify which properties of the parameter object should be bound. Also, this is a security measure to help prevent XSS and model binding attacks. Most tutorials show it in action against a model.

```csharp
public async Task<ActionResult> Create([Bind(Include = "Id,Description,IsDone")] ToDo todo)
```

In my applications I only ever pass view models to and from controllers and views:

```csharp
[HttpPost]
public ActionResult Create(UserViewModel vm)
{
    // every public settable property of vm is bound from the request
    return View(vm);
}
```

Should I also use this technique here?

```csharp
[HttpPost]
public ActionResult Create([Bind(Include = "property, property2")] UserViewModel vm)
{
    // only the listed properties of vm are bound from the request
    return View(vm);
}
```

In all honesty there are very few times where I don't want to bind to every property in the view model.

Firstly, is my understanding of the Bind attribute accurate?

Secondly, is my understanding of when to use the Bind attribute accurate?

Callum Linington
  • *"In my applications I only ever pass view models to and from controllers and views."* I know it's been a while since you posted this question, but your statement here intrigues me. Are you still following this rule? If so, do you have a small sample snippet you could supply (perhaps in an edit)? FYI I'm just getting started with MVC after years with the WebForms monkey on my back. I like maxims such as this, and I'd like to better understand how to implement what you're proposing. I'm interested in seeing how you go about actually putting it into practice—if you have a moment. – InteXX Aug 30 '20 at 01:07
  • I found what I needed [here](https://stackoverflow.com/q/11064316). Thanks for the push! – InteXX Aug 31 '20 at 19:46

1 Answer

2
  1. You're spot on!
  2. You're also spot on!

You've got a good understanding of what the attribute is intended for. Only you can prevent forest fires know if you should use the attribute. If you're building a data-sensitive application you absolutely want to protect yourself from over posting. If you're building an internal low-risk application, perhaps you can skip the magic strings, trust your users, and not deem it worth your time.

The ASP.NET website has more information about over posting.

Justin Helgerson
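As an added example (not the asker's or answerer's code) of what over-posting looks like against a view model, and of the two ways to close it that the answer weighs: the Bind whitelist versus a view model that simply has no sensitive properties. The properties of UserViewModel, UserEditInput, UsersController and the in-memory store are assumed for illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
// Assumed for illustration, not from the post: the view model's properties,
// UserEditInput, UsersController and the dictionary standing in for a database.
public class UserViewModel
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    // Rendered read-only, but any POST body containing "IsAdmin=true" still sets it.
    public bool IsAdmin { get; set; }
}

// Edit-only input model: holds nothing the form may not change.
public class UserEditInput
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class UsersController : Controller
{
    // Constructed stand-in for a database.
    private static readonly Dictionary<int, UserViewModel> Store = new Dictionary<int, UserViewModel>();
    // Over-postable: every settable property is bound, IsAdmin included.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(UserViewModel vm)
    {
        Store[vm.Id] = vm; // persists the object exactly as the client sent it
        return RedirectToAction("Index");
    }

    // Mitigation 1: whitelist with Bind; IsAdmin is never bound, but the list is a magic string.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "Id,DisplayName,Email")] UserViewModel vm)
    {
        return EditSafe(new UserEditInput { Id = vm.Id, DisplayName = vm.DisplayName, Email = vm.Email });
    }

    // Mitigation 2: bind to a type with no sensitive properties; IsAdmin stays as stored.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditSafe(UserEditInput input)
    {
        if (!ModelState.IsValid) return View("Edit", input);
        Store[input.Id].DisplayName = input.DisplayName;
        Store[input.Id].Email = input.Email;
        return RedirectToAction("Index");
    }
}
```

The second mitigation is the "skip the magic strings" route: a rename of DisplayName breaks the Include list silently, whereas an input model that never had an IsAdmin property has nothing to whitelist.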