Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Integrity of Hidden Fields: Asp.NET mvc

Tags:

asp.net-mvc

asp.net-mvc-3

hidden-field

asp.net-mvc-2

We have been using asp.net mvc for development. Sometimes, we need to put some hidden fields on form that are shoved in the model by modelbinder (as expected). Nowadays, users can easily temper the form using firebug or other utilities. The purpose of hidden field is mostly to provide some information back to server on as is basis and they are not meant to be changed.

For example in my edit employee form I can put EmployeeID in hidden field but if user changes the employeeID in hidden field, wrong employee will be updated in the database. in this scenario how can we keep the integrity of hidden fields.

like image 429
Muhammad Adeel Zahid Avatar asked Dec 28 '22 23:12

Muhammad Adeel Zahid

2 Answers

You need to enforce security to ensure that the person doing the modification has permission to do so. I'd also put the id in the URL typically rather than a hidden field, relying on the security to ensure that people don't modify things that they shouldn't be able to. If they do have permission to modify the item when changing the id manually, it shouldn't be a problem. The important thing is to make sure that a person can't change the id manually and get access to something they shouldn't. Enforcing server side permissions solves this problem. You can easily do this using Roles in conjunction with the AuthorizeAttribute.

like image 112
tvanfosson Avatar answered Jan 04 '23 09:01

tvanfosson

if user changes the employeeID in hidden field, wrong employee will be updated in the database

This is a major security hole in your website. In everything you do with web development, no matter how clever someone's code might be or how much you think you'll be ok as long as users don't do something, remember one golden rule: Never implicitly trust data received from the client.

In order to modify anything in your website, the user must be logged in. (Right?) So in any attempt a user makes to post a form to the website (especially one which can modify data), double-check that the user submitting the form has permission perform the action being requested on the data being specified.

Ideally, every action which isn't completely public and unsecured should have a server-side permissions check. Never, ever trust what the client sends you.

like image 22
David Avatar answered Jan 04 '23 11:01

David
Sign in to Comment

Related questions

MVC partial page update
Controller Action Methods with different signatures
INSERT stored procedure does not work?
How to approach unit testing in a large project
Is this code business logic or presentation logic?
How to clear textboxes defined with MVC HTML helpers
How would I open an MVC View in a new browser window
building MVC CMS
Default Build Action in App_Code directory?
Any issues with always using ASP.NET MVC AsyncController instead of Controller?
asp.net mvc data annotation for default value
ASP.NET MVC3 TryValidateModel validates entire model collection, not just single instance
T4 namespace and type resolving
How to do a partial post in Asp.Net MVC?
Paperclip for asp.net mvc
Returning an ActionResult from another ActionResult
DB design when data is unknown about an entity?
redirect from Application_Error
Very slow loading time with Visual Studio and ASP.NET MVC?
MVC3 Type exists in two different assemblies

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!