locked
Should I use binding model or view model when using data from forms to avoid mass assigment attack? RRS feed

  • Question

  • User-81839486 posted

    I heard that I should have separate view model and binding model but which one use when taking data from forms?

    Sunday, August 9, 2020 8:03 PM

Answers

  • User-821857111 posted

    In Razor Pages, you should only add the [BindProperty] attribute to properties that you want to include in two-way binding. If you do that, you effectively declare a binding model as part of your view model (the PageModel). That will prevent an overposting attack.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, August 10, 2020 7:28 AM

All replies

  • User-821857111 posted

    In Razor Pages, you should only add the [BindProperty] attribute to properties that you want to include in two-way binding. If you do that, you effectively declare a binding model as part of your view model (the PageModel). That will prevent an overposting attack.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, August 10, 2020 7:28 AM
  • User711641945 posted

    Hi karol wolonciej,

    I heard that I should have separate view model and binding model but which one use when taking data from forms?

    As far as I know,you need use view model.In this approach you'll never bind against business objects or entities, and you'll only have properties available for the input you expect. Once the model is validated you can move values from the input model to the object you use in the next layer of software.

    Best Regards,

    Rena

    Monday, August 10, 2020 8:35 AM