0

All online info states to make changes to web.config file, but, as I understand, web.config file doesn't exist in the newer versions of .net mvc. What to do to allow httpDelete method then?

(I've created delete method in my controller that calls MySQL 'delete from table' method)

code: 

[HttpDelete]
        public ActionResult Delete() //string id
        {
            connectionString();
            conn.Open();
            com.Connection = conn;

            var userId = HttpContext.Session.GetString("userId");

            var stm = "Delete from lex_reminders where reminder_id=@id"; //" + id + ";
            var cmd = new MySqlCommand(stm, conn);
            cmd.Parameters.AddWithValue("@id", 25);
            int res = cmd.ExecuteNonQuery();

            if (res>0)
            {
                conn.Close();
                Create(userId);
                return View("Create");
            }
            else
            {
                conn.Close();
                return View("Error");
            }
        }
user13505347
  • 1
  • How do you invoke that controller? Is there a DELETE Verb in the http request? – rene May 09 '20 at 12:35
  • With a html actionlink: @Html.ActionLink("Delete", "Delete") Delete is the name of my method in controller and the textual link I want to present in the html – user13505347 May 09 '20 at 12:57
  • https://stackoverflow.com/questions/38976260/passing-body-content-when-calling-a-delete-web-api-method-using-system-net-http This post might help you – Axy a May 09 '20 at 13:12
  • 1
    An actionlink will not send an Http DELETE verb. at best it does send a plain Http GET verb, so I expect replacing the `[HttpDelete]` with `[HttpGet]` should work. – rene May 09 '20 at 13:53
  • You're right, it works with HttpGet, however as @jayesh mentioned below, it's a security concern to use it like that. Thank you for your answer, it helped! – user13505347 May 09 '20 at 19:13

1 Answers1

0

Note that the HTTP Get``Delete method doesn't delete the specified record, it should return a view of that entity where you can submit (HttpPost) the deletion.. Performing a delete operation in response to a GET request (or for that matter, performing an edit operation, create operation, or any other operation that changes data) opens up a security hole. read this document for security hole: http://stephenwalther.com/archive/2009/01/21/asp-net-mvc-tip-46-ndash-donrsquot-use-delete-links-because See below example for Delete method with HtpPost:

// GET: /Movies/Delete/5
public ActionResult Delete(int? id)
{
    if (id == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }
    Movie movie = db.Movies.Find(id);
    if (movie == null)
    {
        return HttpNotFound();
    }
    return View(movie);
}

// POST: /Movies/Delete/5
[HttpPost, ActionName("Delete")]
[ValidateAntiForgeryToken]
public ActionResult DeleteConfirmed(int id)
{
    Movie movie = db.Movies.Find(id);
    db.Movies.Remove(movie);
    db.SaveChanges();
    return RedirectToAction("Index");
}
Jayesh Tanna
  • 398
  • 5
  • 17