Over-Posting:

ASP.NET MVC simplifies the handling of user input by automatically mapping request values to model properties based on naming convention. This opens the door to another attack, over-posting: an attacker can populate model properties that are not present in the input form.

Solution:

This can be avoided with the “[Bind]” attribute, which controls which properties are populated from user input.

The example below allows only the “Name,Age,email” properties to be populated from user input:

    
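    using System.Web.Mvc; // provides the [Bind] attribute

    // Only Name, Age and email are bound from the request;
    // the model binder ignores posted values for every other property.
    [Bind(Include = "Name,Age,email")]
    public class EmployeeModel
    {
        public string ID { get; set; }
        public string Name { get; set; }
        public int Age { get; set; }
        public string email { get; set; }
        public string Designation { get; set; }
        public decimal Salary { get; set; }
        public string Password { get; set; }
    }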
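
The following console program is an added example, not code from the original page. It imitates name-based binding with reflection to show what the Include list changes for the EmployeeModel above. `BindEmployee` and the posted values are constructed for illustration; it is a simplified stand-in, not ASP.NET MVC's own model binder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public class EmployeeModel
{
    public string ID { get; set; }
    public string Name { get; set; }
    public int Age { get; set; }
    public string email { get; set; }
    public string Designation { get; set; }
    public decimal Salary { get; set; }
    public string Password { get; set; }
}

public static class BindingDemo
{
    // Simplified stand-in for name-based model binding: copy each posted field
    // onto the property with the same name. If "include" is given, only the
    // listed properties may be set (the effect of [Bind(Include = ...)]).
    public static EmployeeModel BindEmployee(IDictionary<string, string> form, string include = null)
    {
        var allowed = include?.Split(',').Select(p => p.Trim())
            .ToHashSet(StringComparer.OrdinalIgnoreCase);
        var model = new EmployeeModel();
        foreach (var prop in typeof(EmployeeModel).GetProperties())
        {
            if (allowed != null && !allowed.Contains(prop.Name)) continue; // not on the allow-list
            if (!form.TryGetValue(prop.Name, out var raw)) continue;       // field not posted
            prop.SetValue(model, Convert.ChangeType(raw, prop.PropertyType));
        }
        return model;
    }

    public static void Main()
    {
        // Constructed request body: the form renders only Name, Age and email;
        // Designation and Salary were added to the POST by the sender.
        var form = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Name"] = "Alice", ["Age"] = "30", ["email"] = "alice@example.com",
            ["Designation"] = "Director", ["Salary"] = "999999"
        };
        var unrestricted = BindEmployee(form);                  // every matching property is set
        var restricted = BindEmployee(form, "Name,Age,email");  // extra fields are dropped
        Console.WriteLine($"No allow-list: Designation={unrestricted.Designation}, Salary={unrestricted.Salary}");
        Console.WriteLine($"Allow-list:    Designation={restricted.Designation ?? "(null)"}, Salary={restricted.Salary}");
    }
}
```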