MVC 5 Bind Implement with all Parameters

Question

So MVC5 has brought in that new Bind attribute. To my knowledge, it is used to specify which properties of the parameter object should be bound to. Also, this is a security measure to help prevent XSS and Model Binding attacks. Most tutorials show it in action against a model.

public async Task<ActionResult> Create ([Bind(Include="Id,Description,IsDone")] ToDo todo)

In my applications I only ever pass view models to and from controllers and views:

[HttpPost]
public ActionResult Create(UserViewModel vm)
{

}

Should I also use this technique here?

[HttpPost]
public ActionResult Create([Bind(Include="property, property2")]UserViewModel vm)
{

}

In all honesty there are very few times where I don't want to bind to every property in the view model.

Firstly, is my understanding of the Bind attribute accurate?

Secondly, is my understanding of when to use the Bind attribute accurate?

Recommended answer

  1. You've got it!
  2. You're spot on there too!

You've got a good understanding of what the attribute is intended for. Only you can ~~prevent forest fires~~ know if you should use the attribute. If you're building a data-sensitive application you absolutely want to protect yourself from over posting. If you're building an internal low-risk application, perhaps you can skip the magic strings, trust your users, and not deem it worth your time.

The ASP.NET website has more information about over posting.
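
The over-posting risk the answer refers to, as an added example that is not part of the original question or answer. It is a console program with a simplified stand-in for MVC model binding (the `BindModel` helper, the `IsAdmin` property and the sample form post are assumptions made for illustration), showing that a view model is only as safe as the set of properties it exposes, and what an include list changes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical view model: IsAdmin is not meant to be set from the form.
public class UserViewModel
{
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public static class Demo
{
    // Simplified stand-in for MVC model binding: copies posted fields onto
    // public settable properties by name. With an include list it behaves like
    // [Bind(Include = "...")] and skips every property that is not listed.
    public static T BindModel<T>(IDictionary<string, string> form, string include = null)
        where T : new()
    {
        var allowed = include == null
            ? null
            : new HashSet<string>(include.Split(',').Select(s => s.Trim()),
                                  StringComparer.OrdinalIgnoreCase);
        var model = new T();
        foreach (var prop in typeof(T).GetProperties().Where(p => p.CanWrite))
        {
            string raw;
            if (allowed != null && !allowed.Contains(prop.Name)) continue;
            if (!form.TryGetValue(prop.Name, out raw)) continue;
            prop.SetValue(model, Convert.ChangeType(raw, prop.PropertyType));
        }
        return model;
    }

    public static void Main()
    {
        // Constructed form post: the view rendered only Name and Email,
        // but the request carries an extra IsAdmin field.
        var form = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Name", "alice" }, { "Email", "alice@example.com" }, { "IsAdmin", "true" }
        };
        var unrestricted = BindModel<UserViewModel>(form);
        var restricted = BindModel<UserViewModel>(form, "Name,Email");
        Console.WriteLine("No include list: IsAdmin = " + unrestricted.IsAdmin);
        Console.WriteLine("Include list:    IsAdmin = " + restricted.IsAdmin);
    }
}
```

If the view model contained only `Name` and `Email`, the extra field would have nothing to bind to, which is why a view model limited to user-editable properties gives the same protection without the include string.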
