Delete Operation in MVC

This week I just started some MVC tutorials which I’m really liking. And after some tutorials I found this “Performing a delete operation in response to a GET request (or  for that matter, performing an edit operation, create operation, or any other  operation that changes data) opens up a security hole”.

The problem is that if you create a link with the following href: www.mydomain.com/Movies/Delete/23, it will delete the movie with the passed id 23. If a hacker finds this, he can create a loop and delete all of your movies in the database.

The best solution would be to delete an item in an HTTP POST operation instead of the get, so the user must submit a form to delete an item. This is done using either buttons, or else images using the following markup:

                <% using (Html.BeginForm("Delete", "Home", new { id = item.Id }))
                   { %>
                    <input type="image" src="Content/Delete.png" />
                <% } %>

This will create an image link in a form which would POST the delete operation. This will reduce the security hole in your system. I suggest you read this article by Stephen Walter. Hope this will help you in your new MVC adventures.

 

 

Hello, nice to meet you

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

1 Comments

Leave a Reply