I have an maintenance controller in my app for editing the database. I have restricted the control with authorization attribute, but should i be doing more t开发者_Go百科han this? What are the risks here? For example should I create a separate assembly for this or a new application or a remote application?
The authorization is pretty secure... I wouldnt go with classified government secrets on it... but I havent seen any good ways to bypass it, excepting for cookie stealing and MIIM attacks but those are going to be present in all non ssl sites regardless of hosted technology.
One thing I'd do is to white/black list properties on the views model so that you can't have someone calling your Controller Delete Action with an object that has say an id.
So your controller code may look like;
public ActionResult Create( [Bind(Exclude="ID")] MyModel model)
{
}
So you are excluding the ID field in the MyModel object.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论