What is the difference between [FromForm] and [FromBody] in Asp.Net Core
Question
What is the difference between [FromForm] and [FromBody] in Asp.Net Core? I will use one of them for a post method. If I use FromForm, can it be a security problem?
Recommended answer
The FromForm attribute is for incoming data from a submitted form sent by the content type application/x-www-url-formencoded while the FromBody will parse the model the default way, which in most cases is sent by the content type application/json, from the request body.
For security problems, you could use the ValidateAntiForgeryToken attribute for the post method, which specifies that the class or method that this attribute is applied to validates the anti-forgery token. If the anti-forgery token is not available, or if the token is invalid, the validation will fail and the action method will not execute.
The anti-forgery token found in MVC is a way to prevent cross site request forgery (CSRF) attacks. Without going into too much detail, a CSRF attack occurs when a user visits an untrusted site and enters some information that is then posted back to a site to which the user has already authenticated.
You could refer to the following link on how AntiForgeryToken() actually works:
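
Added example, not part of the original answer: a minimal Program.cs showing one POST action bound with [FromForm] and one bound with [FromBody], both protected by [ValidateAntiForgeryToken]. The ProfileUpdate model, the ProfileController class and the routes are hypothetical, and the project is assumed to use the ASP.NET Core web SDK with implicit usings enabled.

```csharp
// Program.cs (added example; model, controller and route names are hypothetical).
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
// AddControllersWithViews registers the antiforgery services that
// [ValidateAntiForgeryToken] relies on.
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.MapControllers();
app.Run();

// Hypothetical model shared by both actions.
public class ProfileUpdate
{
    [Required, StringLength(64)]
    public string DisplayName { get; set; } = "";

    [Required, EmailAddress]
    public string Email { get; set; } = "";
}

[Route("profile")]
public class ProfileController : Controller
{
    // Bound from form fields of a submitted HTML form. A form on another
    // site can post here with the user's cookies attached, so the action
    // refuses to run unless a valid antiforgery token accompanies the request.
    [HttpPost("form")]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateFromForm([FromForm] ProfileUpdate model)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);
        return Ok(new { source = "form", model.DisplayName });
    }

    // Bound from a JSON request body. [Consumes] limits the action to JSON
    // requests; with cookie authentication the token check is still wanted,
    // and a script client sends the token in a request header instead of
    // a form field.
    [HttpPost("json")]
    [Consumes("application/json")]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateFromJson([FromBody] ProfileUpdate model)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);
        return Ok(new { source = "json", model.DisplayName });
    }
}
```

The binding attribute only selects where the model is read from; the CSRF protection comes from the token check, which applies the same way to both actions.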