This week I just started some MVC tutorials which I’m really liking. And after some tutorials I found this “Performing a delete operation in response to a GET request (or for that matter, performing an edit operation, create operation, or any other operation that changes data) opens up a security hole”.
The problem is that if you create a link with the following href: www.mydomain.com/Movies/Delete/23, it will delete the movie with the passed id 23. If a hacker finds this, he can create a loop and delete all of your movies in the database.
The best solution would be to delete an item in an HTTP POST operation instead of the get, so the user must submit a form to delete an item. This is done using either buttons, or else images using the following markup:
<% using (Html.BeginForm("Delete", "Home", new { id = item.Id })) { %> <input type="image" src="Content/Delete.png" /> <% } %>This will create an image link in a form which would POST the delete operation. This will reduce the security hole in your system. I suggest you read this article by Stephen Walter. Hope this will help you in your new MVC adventures.
One Response
500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.