Justin Etheredge is a Senior Consultant for Dominion Digital in Richmond, Virginia - United States. He likes to blog quite a bit at http://www.codethinked.com with hopes that someone out there might read it. When he isn't writing software or working on his computer... wait, he is always doing that. Anyways, Justin likes programming, a lot. Justin has posted 24 posts at DZone.

ASP.NET MVC - Think Before You Bind


I don't know about most of you out there, but I know that I am extremely excited about the impending release of ASP.NET MVC. I'm even more curious, though, about what kind of adoption we are going to see out of the gate, especially since companies have invested so much money in developers learning ASP.NET Web Forms. One thing that could stand in the way of adoption is horror stories from early adopters about security issues or flaws in production web applications that were overlooked because developers didn't have to think as much about these kinds of issues in ASP.NET Web Forms.

Most of these issues revolve around escaping output that goes into the HTML and dealing with post data manually. Something I have been looking at recently is the model binding ability that ASP.NET MVC gives us. In case you aren't familiar with what I am talking about: it is now possible to have ASP.NET MVC take the posted form values and bind them onto a class that is a parameter of an action method, using the default model binder.
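To make the "think before you bind" point concrete, here is an added example (my own illustration, not code from the original post or from the ASP.NET MVC framework) of the same action written two ways. The `UserProfile` entity, the `IUserRepository` interface and the `ProfileEditForm` view model are hypothetical names I made up for the example; `Controller`, `AcceptVerbs` and `Bind` are the real ASP.NET MVC 1.0 types.

```csharp
// Added example (not from the original post). UserProfile, IUserRepository and
// ProfileEditForm are hypothetical types invented for this illustration.
using System.Web.Mvc;

public class UserProfile
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable from a form post
}

public interface IUserRepository
{
    UserProfile GetByName(string userName);
    void Save(UserProfile profile);
}

// View model that lists exactly the properties the edit form is allowed to change.
public class ProfileEditForm
{
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class ProfileController : Controller
{
    private readonly IUserRepository repository;

    public ProfileController(IUserRepository repository)
    {
        this.repository = repository;
    }

    // Risky: the default model binder fills every public property for which it
    // finds a matching form value. The view only renders DisplayName and Email,
    // but the binder has no way of knowing that, so a request that also carries
    // Id or IsAdmin is bound exactly like the fields you intended.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditUnsafe(UserProfile profile)
    {
        repository.Save(profile);
        return RedirectToAction("Index");
    }

    // Safer: bind to a view model that contains only the editable fields, load the
    // trusted record from the repository, and copy the allowed values onto it.
    // Identity comes from the authenticated user, never from the post body.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(ProfileEditForm form)
    {
        UserProfile current = repository.GetByName(User.Identity.Name);
        current.DisplayName = form.DisplayName;
        current.Email = form.Email;
        repository.Save(current);
        return RedirectToAction("Index");
    }

    // Equivalent whitelist without a separate view model: [Bind(Include = ...)]
    // tells the default binder to ignore every property not named here.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditWithBindAttribute(
        [Bind(Include = "DisplayName,Email")] UserProfile form)
    {
        UserProfile current = repository.GetByName(User.Identity.Name);
        current.DisplayName = form.DisplayName;
        current.Email = form.Email;
        repository.Save(current);
        return RedirectToAction("Index");
    }
}
```

The separate view model is the more robust of the two hardened forms: adding a property to `UserProfile` later cannot silently widen what the form is allowed to set, whereas a `[Bind(Include = ...)]` list has to be kept in sync by hand. Either way, the check to do on every bound action is to ask which properties of the parameter type the form is *not* supposed to touch, and make sure the binder cannot reach them.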

Read the rest of this post at CodeThinked.com

Published at DZone with permission of its author, Justin Etheredge. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Matthew Zalewski replied on Sun, 2009/03/29 - 2:47pm

How about this idea:

Add a hidden input field to your form containing an MD5 hash generated from the concatenated names of the input fields - we could also append some global private key for added security (people can't generate the correct hash without knowing the key).

The model binder is required to perform the same hash generation when the form is submitted, and if they don't match then an exception is thrown.
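As an added illustration of the scheme proposed in the comment above (my own code, not the commenter's and not part of ASP.NET MVC), here is one way to issue and verify a field-set token. It deliberately substitutes HMAC-SHA256 for the "MD5 of names plus key" construction the comment describes, since a keyed MAC is the standard way to get the "can't forge it without the key" property; the `FormFieldToken` and `ValidateFormFieldsAttribute` names and the placeholder key are assumptions for the example.

```csharp
// Added example, not code from the comment's author or from ASP.NET MVC.
// Substitutes HMAC-SHA256 for the MD5+key concatenation the comment describes.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

public static class FormFieldToken
{
    // Name of the hidden input that carries the token (hypothetical).
    public const string FieldName = "__fieldToken";

    // Constructed placeholder; a real deployment loads the key from protected
    // configuration, never from source code.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("PLACEHOLDER-replace-with-a-real-secret-key");

    // Token for the set of field names a view renders. Names are trimmed, sorted
    // and joined with a separator so that submission order and accidental
    // concatenation collisions ("ab"+"c" versus "a"+"bc") cannot change the result.
    public static string Compute(IEnumerable<string> fieldNames)
    {
        string canonical = string.Join("\n", fieldNames
            .Where(n => n != FieldName)
            .Select(n => n.Trim())
            .OrderBy(n => n, StringComparer.Ordinal)
            .ToArray());
        using (var hmac = new HMACSHA256(Key))
        {
            return Convert.ToBase64String(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
        }
    }

    // True only when the submitted field names reproduce the token the view issued.
    // A missing token fails closed.
    public static bool Verify(string token, IEnumerable<string> submittedNames)
    {
        if (string.IsNullOrEmpty(token)) return false;
        return FixedTimeEquals(token, Compute(submittedNames));
    }

    // Compare every character rather than stopping at the first mismatch.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Action filter that rejects a POST whose field set differs from the rendered form,
// which is the "throw if they don't match" step from the comment.
public class ValidateFormFieldsAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var form = filterContext.HttpContext.Request.Form;
        if (!FormFieldToken.Verify(form[FormFieldToken.FieldName], form.AllKeys))
        {
            throw new HttpException(400, "Submitted fields do not match the rendered form.");
        }
    }
}
```

In the view, the hidden input would be rendered as `<input type="hidden" name="__fieldToken" value="<%= FormFieldToken.Compute(new[] { "DisplayName", "Email" }) %>" />` and the action decorated with `[ValidateFormFields]`. Two caveats worth knowing before relying on this: the browser's submitted key set is not always the rendered set (unchecked checkboxes are omitted and a named submit button is added), so the token has to be computed over the names the browser will actually send; and the check only constrains which fields arrive, not their values, so it complements rather than replaces a bind whitelist on the action parameter.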

