Bind(Exclude = "ReviewerName") is deleting my ReviewerName data from table while I am want to protect Mass Assignment or overposting

Question

I am working with ASP.Net MVC 4 and entity framework. I have a table for inserting and updating reviews against restaurant by it's customer. While updating customer can't change their name. they can change only only change Rating and Comment. So, I have delete the input code for reviewerName(Customername) FROM MY VIEW PAGE OF THE mvc. But hacker can change the name or reviews_id by "Mass Assignment" / "Over posting". Means they can send ReviewerName by posting it in url as query string.

~/Reviews/Edit?ReviewerName=Hacker

To prevent it I have use Bind model binding with exclude parameter. Yes it prevent hacker to inject ReviewerName. But also deleting reviewer name from database table. Is there any way to solve this rather using "include".My controller code is below.

 public ActionResult Edit([Bind(Exclude = "ReviewerName")] RestaurantReview review) 
    {
        if (ModelState.IsValid)
        {
            _db.Entry(review).State = System.Data.EntityState.Modified;
            _db.SaveChanges();
            return RedirectToAction("Index", new   { id = review.RestaurantId });
        }

        return View(review);
    }

As always, create a view model which only the properties you need in the view (i.e. excluding the `ReviewerName` property). Then in the POST method, get the data model and map the view model properties to the data model, then save. [What is ViewModel in MVC?](http://stackoverflow.com/questions/11064316/what-is-viewmodel-in-mvc) — , Aug 19 '15 at 07:33
@StephenMuecke thanks. But is it that the filed names used in exclude will be updated to null? I am not sure also doesn't get this type of info. about exclude to prevent was described. But to update to null wasn't describe. — Muhammad Ashikuzzaman, Aug 19 '15 at 07:46
Yes, anything that's excluded from binding is `null` (or the default value for the type). Use a view model! — , Aug 19 '15 at 07:49

score 2 · Answer 1 · answered Aug 19 '15 at 15:24

In Edit Page, make the field read only which you don't want to be changed by customer.

 <div class="form-group">
        @Html.LabelFor(model => model.Fname, new { @class = "control-label col-md-2" })
        <div class="col-md-10">
            @Html.TextBoxFor(model => model.Fname, new {  @readonly = "readonly" })
            @Html.ValidationMessageFor(model => model.Fname)
        </div>
    </div>

No need to exclude anything from Model in Controller .Hope this will help :)

Bind(Exclude = "ReviewerName") is deleting my ReviewerName data from table while I am want to protect Mass Assignment or overposting

1 Answers1