Unintended Updates in ASP.NET MVC

In this article, by Sagar Jaybhay, we look at unintended updates: how to prevent certain fields from being updated in ASP.NET MVC.

Unintended Updates

In the previous article we saw how to edit the details, but there every field was editable and could be changed. We don't want the ID and Name fields to be changed, so we mark them as read-only by changing the HTML helper method from EditorFor to DisplayFor.

After this change, we get the UI below when we click on the Save button.

DisplayFor only renders the value as text, so it is not posted back with the form. To overcome this we add a HiddenFor field for each read-only property. The code for this is below:

        @Html.ValidationSummary(true, "", new { @class = "text-danger" })
        <div class="form-group">
            @Html.LabelFor(model => model.EmpID, htmlAttributes: new { @class = "control-label col-md-2" })
            <div class="col-md-10">
                @Html.DisplayFor(model => model.EmpID, new { htmlAttributes = new { @class = "form-control" } })
                @Html.HiddenFor(model => model.EmpID)
                @Html.ValidationMessageFor(model => model.EmpID, "", new { @class = "text-danger" })
            </div>
        </div>

        <div class="form-group">
            @Html.LabelFor(model => model.EmpName, htmlAttributes: new { @class = "control-label col-md-2" })
            <div class="col-md-10">
                @Html.DisplayFor(model => model.EmpName, new { htmlAttributes = new { @class = "form-control" } })
                @Html.HiddenFor(model => model.EmpName)
                @Html.ValidationMessageFor(model => model.EmpName, "", new { @class = "text-danger" })
            </div>
        </div>

We are now able to save the values, and ID and Name are not editable in the page, so our functionality is achieved. But hidden fields are still ordinary form values sent by the client, so anyone can easily hack our application by using tools like Fiddler and Postman.

How they can post requests from these tools is shown below. When you press F12 in Chrome, the inspector window opens; click on the Network tab and you will see the calls generated by our site. Simply copy the request URL and parameters from there.

As this image shows, you can copy the URL and form data into Postman and hack our application.

To overcome this we use an overload of the UpdateModel method that lets us specify only the properties that need to be updated. The code for this is shown below:

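        [HttpPost]
        public ActionResult Edit(Employee employee)
        {
            // Load the current record from the database; only EmpID is taken from the posted model
            var emp = new BusinessLogic.Business().GetEmployee(employee.EmpID.ToString());

            // Bind only the listed properties from the request onto the database object.
            // EmpID and EmpName are not in the list, so posted values for them are ignored.
            // UpdateModel throws InvalidOperationException if binding or validation fails.
            UpdateModel(emp, new string[] { "EmpSalary", "EmpGender", "EmpCity", "EmpEmail", "DepartmentID" });
            if (ModelState.IsValid)
            {
                // Save the database-backed object, not the posted one
                new BusinessLogic.Business().UpdateEmployee(emp);
                return RedirectToAction("DisplayCompleteEmployee");
            }
            return View(employee);
        }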

In the code above, we fetch the Employee with that ID from the database and then call UpdateModel. One of its overloads accepts an array of the names of the properties that should be updated; we leave the EmpID and EmpName properties out of that array.

UpdateModel starts from the object we retrieved from the database and applies only the newly changed values from our edit view or Postman request. We then pass the object we created, not the one we received as a parameter, to the UpdateEmployee method of the Business class, so only the information we want is updated in the database.

The UpdateModel overloads we can use are shown below.

Include list or whitelist

UpdateModel(Our_Model (in our case Employee), string[] includeProperties);

Excluded properties or blacklist

UpdateModel(Our_Model (in our case Employee), string prefix, string[] includeProperties, string[] excludeProperties);

With the exclude list, our call becomes:

UpdateModel(emp, null, null, new string[] { "EmpName", "EmpID" });
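As an added example (not code from the original article or its GitHub repository), here is the same include-list idea written with TryUpdateModel, the non-throwing counterpart of UpdateModel, so that a failed validation redisplays the form instead of raising an exception. The controller name EmployeeController, the EditPost method name, the empID parameter and GetEmployee returning null for an unknown ID are assumptions; BusinessLogic.Business and the property names are the article's.

```csharp
using System.Net;
using System.Web.Mvc;

// Hypothetical controller name; the article does not show the class declaration.
public class EmployeeController : Controller
{
    // Include list of fields the edit form may change. EmpID and EmpName are
    // deliberately absent, so posted values for them are never bound.
    private static readonly string[] EditableFields =
        { "EmpSalary", "EmpGender", "EmpCity", "EmpEmail", "DepartmentID" };

    // ActionName keeps the route as "Edit" while avoiding a signature clash
    // with a GET Edit action (assumed to exist). Only the key is bound as a
    // parameter, not a whole Employee, so nothing else arrives via binding.
    [HttpPost]
    [ActionName("Edit")]
    public ActionResult EditPost(int? empID)
    {
        if (empID == null)
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);

        var business = new BusinessLogic.Business();   // the article's class
        var emp = business.GetEmployee(empID.Value.ToString());
        if (emp == null)                               // assumed: null when not found
            return HttpNotFound();

        // Binds only the listed properties from the request onto emp and
        // returns false (instead of throwing) when validation fails.
        if (TryUpdateModel(emp, EditableFields))
        {
            business.UpdateEmployee(emp);
            return RedirectToAction("DisplayCompleteEmployee");
        }

        // Redisplay the database-backed object, so EmpID and EmpName shown in
        // the view come from the database rather than from the request.
        return View(emp);
    }
}
```

The include list protects fields, not records: EmpID still comes from the request, so whether the caller is allowed to edit that employee needs its own check.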

GitHub: https://github.com/Sagar-Jaybhay/MVC5

Sagar Jaybhay, from Maharashtra, India, is currently a Senior Software Developer at Software Company. He has continuously grown in the roles that he has held in the more than seven years he has been with this company. Sagar Jaybhay is an excellent team member and prides himself on his work contributions to his team and company as a whole.
