Blazor component - inject a service (without invoking an api) to add data to database - is it safe?

  • Question

  • User-307730542 posted

    Is it safe if I inject a service (without invoking an API where I could validate my data on the server side) to add data to the database? As I understand, in that way only client-side validation will work, but if someone disables JavaScript then the whole Blazor component won't work and nobody will add any data to my database, so I should be safe. But maybe it is possible that someone can disable client-side validation and in that way add, for example, a todo item shorter than 5 chars to the database?

    Or maybe I should protect my service in some way, but validation attributes on my model don't work there.

    The model

    public class ToDoItem
    {
        public int Id { get; set; }
    
        [Required]
        [MinLength(5)]
        public string Name { get; set; }
    
        public bool IsComplete { get; set; }
    }

    The service

    public class ToDoItemsService
    {
        private readonly DatabaseContext _context;
    
        public ToDoItemsService(DatabaseContext context)
        {
            _context = context;
        }
    
        // here validation attributes on ToDoItem don't work
        public async Task CreateItemAsync(ToDoItem toDoItem)
        {
            await _context.ToDoItems.AddAsync(toDoItem);
            await _context.SaveChangesAsync();
        }
    }

    The Blazor component

    @using ToDoList.Models
    @inject ToDoList.ToDoItemsService toDoService
    
    
    <EditForm Model="@newTodo" OnValidSubmit="@HandleValidSubmit">
        <DataAnnotationsValidator />
        <ValidationSummary />
    
        <InputText id="name" @bind-Value="newTodo.Name" />
    
        <button type="submit">Submit</button>
    </EditForm>
    
    
    @code {
        private ToDoItem newTodo = new ToDoItem();
    
        private async Task HandleValidSubmit()
        {
            // CreateItemAsync returns Task (no result), so there is nothing to assign
            await toDoService.CreateItemAsync(newTodo);
            newTodo = new ToDoItem();
        }
    }

    Monday, November 23, 2020 7:46 PM

All replies

  • User475983607 posted

    Blazor Server and Blazor Web Assembly will not function if JavaScript is disabled.

    Monday, November 23, 2020 10:31 PM
  • User-307730542 posted

    But should I validate the object toDoItem also in service because client validation isn't enough?

    Tuesday, November 24, 2020 6:16 AM
  • User475983607 posted

    > But should I validate the object toDoItem also in service because client validation isn't enough?

    Generally, data should be validated at each layer regardless of the technology.

    Are you building a Blazor Server application or Blazor Web Assembly application? Can you share the code in question?

    Tuesday, November 24, 2020 12:20 PM
  • User-307730542 posted

    My code is in the first post :) I am invoking a service from a view.

    Tuesday, November 24, 2020 1:49 PM
  • User475983607 posted

    > My code is in the first post :) I am invoking a service from a view.

    I'm guessing a Blazor Server project because Web Assembly will throw an exception with the given code. It's confusing because you mentioned API and Blazor WASM must use Web API. Your service will not work in WASM.

    Anyway, Blazor Server runs on the server. The data annotations fire on the server. If you are building a Blazor Server project then you are already using server-side validations.

    However, the recommendation still stands. Regardless of the technology, input data is generally validated.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 24, 2020 2:08 PM
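
The service-level check discussed in this thread, as an added example that is not part of any post: the service re-runs the model's data annotations with `Validator.ValidateObject`, so the `[Required]` and `[MinLength(5)]` rules hold for every caller, not only the `EditForm`. The class name `ValidatingToDoItemsService` and the in-memory list standing in for `DatabaseContext` are assumptions made so the example runs without a database.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;

public class ToDoItem
{
    public int Id { get; set; }
    [Required, MinLength(5)]
    public string Name { get; set; }
    public bool IsComplete { get; set; }
}

// Hypothetical stand-in for the thread's ToDoItemsService: a List replaces
// the EF Core DatabaseContext (assumption) so no database is required.
public class ValidatingToDoItemsService
{
    private readonly List<ToDoItem> _store = new List<ToDoItem>();
    public int Count => _store.Count;

    public Task CreateItemAsync(ToDoItem toDoItem)
    {
        // Re-run the data annotations inside the service. validateAllProperties
        // must be true: with false, only [Required] is evaluated and
        // [MinLength] is skipped. Throws ValidationException on failure.
        Validator.ValidateObject(toDoItem, new ValidationContext(toDoItem),
                                 validateAllProperties: true);

        _store.Add(toDoItem);   // real service: AddAsync + SaveChangesAsync
        return Task.CompletedTask;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var service = new ValidatingToDoItemsService();
        await service.CreateItemAsync(new ToDoItem { Name = "Buy milk" });

        foreach (var bad in new[] { null, "", "abc" })   // constructed inputs
        {
            try { await service.CreateItemAsync(new ToDoItem { Name = bad }); }
            catch (ValidationException ex) { Console.WriteLine($"rejected: {ex.Message}"); }
        }
        Console.WriteLine($"stored items: {service.Count}");   // only the valid item
    }
}
```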