ASP.net MVC 3 Update or Delete

Developer (devze.com) https://www.devze.com 2023-02-12 10:31 Source: web
I am just starting to explore MVC3 and am working on a way to let users enable/disable an image from appearing in their account, updating the active flag to true or false via a link and an id passed via HttpPost:

                    // Entity Framework "stub entity" update: attach a BigImage that
                    // carries only its key, then change the one column to be written.
                    // SaveChanges issues an UPDATE for that column without first
                    // loading the row.
                    var image1 = new BigImage();
                    image1.id = id;
                    db.BigImage.Attach(image1);
                    image1.active = 0;
                    db.SaveChanges();

Question: How do I avoid security holes, or situations where someone can simply navigate to /home/user/image/deactivate/5, for example? What is the proper approach?

I read a post about not using delete links. Same issues with update? I am confused.


HTTP GET should not be used to make changes to the underlying data. The main reason is that web crawlers and search engines can and will modify or delete things unintentionally by following links.

This isn't really as big of a deal if the requests are authenticated, as @Will mentioned, but it isn't a good habit to pick up.

If you want to use links and follow best practices with respect to using POST for data changes, you can use a form with a button which appears to be a link. Here is a snippet of code like what I use in MVC2:

<% using (Html.BeginForm("Delete", "Item", new { id = item.Id }, FormMethod.Post,
          new { onsubmit = "return confirm('Are you sure you want to delete " + item.DisplayString + "?');" }))
   { %>
    <input class="link-button" type="submit" value="Delete" />
<% } %>

And my button's CSS:

.link-button {
    border: 0;
    padding: 0;
    background: inherit;
    font: inherit;

    cursor: pointer;
    text-decoration: underline;
    color: #034af3;

    overflow: visible;
}

Then, of course, put the [HttpPost] attribute on a controller method which actually deletes the item.


You will need to use authentication to establish privileges and also to verify users. A good place to start is the ASP.NET website: http://www.asp.net/mvc/tutorials/authenticating-users-with-forms-authentication-cs

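Putting the two answers together: the first says a state change must only be reachable by POST, the second says the caller must be authenticated. On their own those two checks still leave two gaps the question is really about. A POST-only action can be triggered by a form on another site unless the request carries an anti-forgery token, and [Authorize] only proves that some user is logged in, so a logged-in user could still submit id=5 for an image they do not own. The following is an added example, not code from the question or either answer, of an MVC 3 controller that closes both gaps. It assumes names that are not on the page: an EF DbContext called ImagesContext exposing the BigImage set, a BigImage.OwnerName column holding the account that uploaded the image, and active being a bool.

```csharp
// Added example, not code from the question or either answer.
// Assumed names (not on the page): ImagesContext is an EF DbContext with a
// BigImage DbSet; BigImage has an OwnerName column holding the account that
// uploaded the image, and active is a bool.
using System.Linq;
using System.Web.Mvc;

[Authorize]  // unauthenticated callers are redirected to the login page
public class ImageController : Controller
{
    private readonly ImagesContext db = new ImagesContext();

    // There is deliberately no GET action named Deactivate. With only the
    // [HttpPost] action present, GET /Image/Deactivate/5 returns 404, so a
    // crawler, a prefetching browser or a pasted link cannot flip the flag.

    [HttpPost]
    [ValidateAntiForgeryToken]  // pairs with @Html.AntiForgeryToken() in the form
    public ActionResult Deactivate(int id)
    {
        // Object-level check: [Authorize] proves *someone* is logged in, but
        // any logged-in user could submit id=5. Scope the lookup to the caller
        // so a row that belongs to another account is never found.
        var image = db.BigImage.SingleOrDefault(
            i => i.id == id && i.OwnerName == User.Identity.Name);

        if (image == null)
        {
            // Same response whether the id does not exist or belongs to someone
            // else, so the action does not reveal which ids are valid.
            return HttpNotFound();
        }

        image.active = false;
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing)
        {
            db.Dispose();
        }
        base.Dispose(disposing);
    }
}

/* Matching Razor view fragment (the MVC 3 default view engine), using the
   .link-button rule from the first answer so the submit button looks like a link:

   @using (Html.BeginForm("Deactivate", "Image", new { id = Model.id }, FormMethod.Post))
   {
       @Html.AntiForgeryToken()
       <input class="link-button" type="submit" value="Deactivate" />
   }
*/
```

If you prefer the question's Attach pattern, which avoids the SELECT, keep the ownership check in front of it: run `db.BigImage.Any(i => i.id == id && i.OwnerName == User.Identity.Name)` first and return HttpNotFound() when it is false, then attach the stub entity and set active. Either way the check that matters is the one that ties the id in the request to the user in the session; [HttpPost] and [Authorize] alone do not do that.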
