Matt

Reputation: 33

How to ignore model binding from querystring in MVC

I have a form submission doing a post back. The controller action accepts the values as parameters. For example: EditProduct(int productid, string productname).

productid is supplied from the form in a hidden field. How can I ensure that a user will not invoke this action and pass this productid and name as a querystring, where the model binding will bind the values and the product is saved in the database?

Upvotes: 2

Views: 1041

Answers (4)

SLaks

Reputation: 887195

You should implement proper access controls in the EditProducts action so that attempting to edit a different product will generate an error.

Trying to prevent users from modifying the querystring won't help.

Upvotes: 1

Omar

Reputation: 40162

I've found that the most secure approach would be to check that the user has permission to edit the product. Check this before you do any database updates in the action and you won't need to worry about users that modify the hidden values.

If you want to force users to go to your webpage to execute the post, you can use Html.AntiForgeryToken(). However, a user can still visit the website, see the anti-forgery token and pass it in with their request.

Upvotes: 3

Peter T. LaComb Jr.

Reputation: 2975

I would suggest you add a rowversion (timestamp) column to your model. That is a lot easier (if you can make changes to the model) than signing or hashing.

Upvotes: 0

SLaks

Reputation: 887195

You can sign the product ID with a secret key on your server (using HMACSHA512), then verify the signature in the postback.

You might want to include the current date and/or the user or session ID when signing to prevent replay attacks.

Upvotes: 1
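Putting the thread's advice together in one ASP.NET MVC action (added illustration, not code from any of the answers): the ownership check from the first two answers is the real control, the anti-forgery attribute ties the post to a rendered form, and SLaks' HMAC-SHA512 signature over the product id and user name is layered on top. The `IProductRepository` interface, the `token` hidden field and the way the signing key reaches the controller are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;
// Assumed repository abstraction (not from the thread): ownership lookup plus the update itself.
public interface IProductRepository
{
    bool UserCanEdit(string userName, int productId);
    void UpdateName(int productId, string productName);
}
// HMAC-SHA512 over "productId|userName" with a server-side secret, so a token issued to one
// user cannot be replayed by another. The key belongs in protected config, never in source.
public static class ProductIdSigner
{
    public static string Sign(byte[] key, int productId, string userName)
    {
        using (var hmac = new HMACSHA512(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(productId + "|" + userName)));
    }
    public static bool Verify(byte[] key, int productId, string userName, string token)
    {
        byte[] actual, expected;
        try { actual = Convert.FromBase64String(token ?? ""); } catch (FormatException) { return false; }
        using (var hmac = new HMACSHA512(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(productId + "|" + userName));
        // Compare every byte regardless of where the first mismatch is, so timing reveals nothing.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}

[Authorize]
public class ProductController : Controller
{
    private readonly IProductRepository _repo;
    private readonly byte[] _signingKey;
    public ProductController(IProductRepository repo, byte[] signingKey) { _repo = repo; _signingKey = signingKey; }
    [HttpPost, ValidateAntiForgeryToken] // rejects posts lacking the token rendered by Html.AntiForgeryToken()
    public ActionResult EditProduct(int productId, string productName, string token)
    {
        // Authoritative check: whether productId arrived in a hidden field or a query string stops mattering
        // once the action verifies that this user is allowed to edit this product.
        if (!_repo.UserCanEdit(User.Identity.Name, productId)) return new HttpStatusCodeResult(403);
        // Defence in depth: the id must carry the signature issued to this user when the form was rendered.
        if (!ProductIdSigner.Verify(_signingKey, productId, User.Identity.Name, token)) return new HttpStatusCodeResult(400);
        _repo.UpdateName(productId, productName);
        return RedirectToAction("Index");
    }
}
```

The edit view would render the signature next to the id, e.g. `@Html.Hidden("token", ProductIdSigner.Sign(key, Model.ProductId, User.Identity.Name))`, alongside `@Html.AntiForgeryToken()`.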
