无法prevent在发布使用客户ID [英] Unable to prevent over posting using customer id

问题描述

我有简单的MVC应用程序。

在编辑操作

  [HttpPost]
[ValidateAntiForgeryToken]
公众的ActionResult编辑（字符串客户ID，[绑定（包括= \"CustomerId,CompanyId,CompanyName,ContactName,ContactTitle,Address,City,Region,Postal$c$c,Country,Phone,Fax\")]客户的客户）
{
    VAR用户= db.Users.Find（客户ID）;
如果（用户！= NULL）
TryUpdateModel（用户）;
其他
返回HttpNotFound（）;
如果（ModelState.IsValid）
{
db.SaveChanges（）;
返回RedirectToAction（「指数」）;
    }
}
 

  

但是当我做F12和更改客户ID 它正在改变的隐藏字段值客户ID 不应该做了什么？

我要prevent这种过度发帖客户ID 的。

1.如果<​​code>客户ID 使用F12然后抛出异常改变。
2.如果客户ID 是正确的乱动，然后简单地更新所有值

我得到异常：

 'System.InvalidOperationException'类型的异常出现在EntityFramework.dll但在用户code没有处理其他信息：连接类型MVCDemo.Models.Customer的实体失败，因为同类型的另一实体已经有相同的主键值。这可以用'附加'方法或设置实体'不变'或'修改'，如果图中的任何实体有冲突的关键值的状态时发生。这可能是因为一些实体是新的，但尚未收到数据库生成的键值。在这种情况下使用添加方法或添加实体状态跟踪图，然后设置非新的实体，以不变或修改适当的状态。
 

解决方案

我觉得有很多方法可以做到这一点，最简单的，来了在我的脑海看起来是这样的。

1. 生成一个 randomKey （可GUID或别的东西）存储客户ID 在会话[randomKey] =客户ID ，该渲染包含表单视图前发生的事情。




2. 在隐藏字段存储 randomKey 键，当你在服务器端起飞后客户ID 从会话，客户ID =会话[randomKey] 。

本办法客户ID 将永远在客户端并不能改变它张贴在服务器上。

注：

1. 用户可以修改客户ID 与F12，请记住，在用户拥有HTML ，他可以做任何改变，他想。




2. 也许你可以赶上与JavaScript这种变化，但如果他禁用JavaScript和更改值会发生什么？




3. 由于该 randomKey 存储在会话，关键有一个有限的时间生活和用户不能复制钥匙的使用后者。

I have simple MVC application .

In Edit operation

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(string CustomerId, [Bind(Include = "CustomerId,CompanyId,CompanyName,ContactName,ContactTitle,Address,City,Region,PostalCode,Country,Phone,Fax")] Customer customer)
{
    var user = db.Users.Find(CustomerId);
    if (user != null)
        TryUpdateModel(user);
    else
        return HttpNotFound();
    if (ModelState.IsValid)
    {
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}

But When I do F12 and change hidden field value of CustomerId it is taking changed CustomerId that should not be done ?

I want to prevent this over-posting of CustomerId.

1.If CustomerId is changed using F12 then throw an error. 2.If CustomerId is correct not tamper then simply update all values

I'm getting exception :

An exception of type 'System.InvalidOperationException' occurred in EntityFramework.dll but was not handled in user code

Additional information: Attaching an entity of type 'MVCDemo.Models.Customer' failed because another entity of the same type already has the same primary key value. This can happen when using the 'Attach' method or setting the state of an entity to 'Unchanged' or 'Modified' if any entities in the graph have conflicting key values. This may be because some entities are new and have not yet received database-generated key values. In this case use the 'Add' method or the 'Added' entity state to track the graph and then set the state of non-new entities to 'Unchanged' or 'Modified' as appropriate.

解决方案

I think there are many ways to do this, the most simple that comes up in my mind will look like this.

1. Generate a randomKey (can be Guid or something else) store the customerId in Session[randomKey] = customerId, this is happening before you render the View containing the form.

2. In hidden field store randomKey and when you make a post on server side take customerId from Session, customerId = Session[randomKey].

This way customerId will never be on client side and cannot be changed to post it on server.

Notes:

1. The user can change the customerId with F12, remember that the user own the HTML and he can make any change he want.

2. Maybe you can catch this change with javascript, but what happens if he disable the javascript and change the value?

3. Because the randomKey is stored in Session, the key has a limited time life and user cannot copy the key for a latter usage.

这篇关于无法prevent在发布使用客户ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！