Presentation is loading. Please wait.

Presentation is loading. Please wait.

BIT 286: Web Applications Lecture 10 : Thursday, February 5, 2015 ASP.Net Form Submission.

Published byDelphia Wilkerson Modified over 8 years ago

Similar presentations

Presentation on theme: "BIT 286: Web Applications Lecture 10 : Thursday, February 5, 2015 ASP.Net Form Submission."— Presentation transcript:

1 BIT 286: Web Applications Lecture 10 : Thursday, February 5, 2015 ASP.Net Form Submission

2 Examining Edit Form submission http://www.asp.net/mvc/overview/getting- started/introduction/examining-the-edit-methods-and-edit-view 2

3 Examining Edit: First Visit: Controller  Controller method for first time (non-POST) visit:  Notice how similar this looks to the Details page // GET: Movies/Edit/5 public ActionResult Edit(int? id) { if (id == null) { return new HttpStatusCodeResult(HttpStatusCode.BadRequest); } Movie movie = db.Movies.Find(id); if (movie == null) { return HttpNotFound(); } return View(movie); } 3

4 Examining Edit: First Visit: the View  Edit.cshtml @model MVCBasics.Models.Movie @{ ViewBag.Title = "Edit"; } Edit @using (Html.BeginForm()) { @Html.AntiForgeryToken() Movie 4  The rendered HTML Edit Movie

5 XSRF/CSRF Cross-Site Request Forgery  Good explanation at ASP.Net Good explanation at ASP.Net  Essentially, you visit Web Site #1 and legitimately log in  The browser keeps the authentication info until the web browser process exits  The browser also automatically re-sends the authentication info whenever you visit that site.  This is very convenient when you’re on Web Site #1  You go to Web Site #2, which attempts to access Web Site #1  E.g., Web Site #2 creates it’s own form, whose action is to submit to Web Site #1  Your browser conveniently re-sends the authentication info along with the form  Web Site #2 can now act as you on Web Site #1  This is the ‘cross site’ part  I’ve heard that this can be done even by ads served to you on pages you trust.  I’d be surprised if Google, MS, etc, would let this happen, but you don’t control which ad- serving arrangements are used by the websites you visit. 5

6 XSRF/CSRF Cross-Site Request Forgery  We can combat this with anti-forgery tokens  Web Site #1 will generate a random number and put it into a hidden field in the form it sends to you  (This is the anti-forgery token)  Web Site #1 will check (when you post that form back) that the number in your form matches the one it sent you  This prevents Web Site #2 from making up it’s own form  Because it can’t generate the same random numbers as Web Site #1 6

7 Examining Edit: First Visit: the View  Edit.cshtml Movie @Html.ValidationSummary(true, "", new { @class = "text-danger" }) @Html.HiddenFor(model => model.ID) @Html.LabelFor(model => model.Title, htmlAttributes: new { @class = "control-label col-md-2" }) @Html.EditorFor(model => model.Title, new { htmlAttributes = new { @class = "form-control" } }) @Html.ValidationMessageFor(model => model.Title, "", new { @class = "text-danger" }) } @Html.ActionLink("Back to List", "Index") @section Scripts { @Scripts.Render("~/bundles/jqueryval") } 7  The rendered HTML Title

8 Examining Edit: POSTing the edits: Controller  Controller method for POST visit: [HttpPost] // Only used for HTTP POST requests; HTTP Get is the default [ValidateAntiForgeryToken] // checks @Html.AntiForgeryToken() from View public ActionResult Edit([Bind(Include = "ID,Title,ReleaseDate,Genre,Price")] Movie movie) { if (ModelState.IsValid) { db.Entry(movie).State = EntityState.Modified; db.SaveChanges(); return RedirectToAction("Index"); } return View(movie); } 8

9 Examining Edit: POSTing the edits  Controller method for POST visit: public ActionResult Edit( [ Bind(Include = "ID,Title,ReleaseDate,Genre,Price") ] Movie movie ) { /* Snip */  Include is the list of properties (data fields) to extract from the form  Other fields are left blank in the movie object, even if they’re present in the form  These data fields are filled in for you, automatically, on the movie object. 9

10 Security Risk: Overposting  Normally you’d never put extra properties in your form….  …but hackers might download & save a copy and add stuff.  For example, let’s say that the ‘Edit User’s Unimportant Account Info’ page normally just lets you update your firstname, last name, nickname, picture, etc, etc.  But does NOT let you change the password  You can go to that page, select ‘Save As’ in your browser, edit the form locally to also include a new password for the user, and then submit the form.  If you blindly bound the movie object to ALL fields, and saved the whole object you’d update the password  The ‘Include’ attribute allows you to only bind to some of the fields  Also a good explanation at MSDNgood explanation at MSDN 10

11 Search http://www.asp.net/mvc/overview/getting- started/introduction/adding-search 11

12 Tutorial Outline  Adding a search term  ‘Search’ Param added to controller method  LINQ query  Important details about when this actually gets executed  Goofy re-use of ‘id’ parameter for a nicer URL  Adding a form  Want to use GET, not POST (GET = retrieve, POST = change DB state)  Decorate form so that it’ll get, not post  Filtering by genre  Querying for the list of genres  Handling a GET’d search  Updating the view to support the above 12

13 Adding a parameter public ActionResult Index(string searchString) { var movies = from m in db.Movies select m; if (!String.IsNullOrEmpty(searchString)) { movies = movies.Where(s => s.Title.Contains(searchString)); } return View(movies); } 13 This is LINQ This defines, but does NOT execute the query This modifies the definition of the query LINQ actually maps to SQL (as opposed to doing a SELECT * and then filtering the results in C#

14 My opinion: using ‘id’ as the parameter  This seems goofy – it does produce a nice URL, but the controller code is kinda ugly (notice how they promptly renamed the parameter) 14

15 Adding a New Field http://www.asp.net/mvc/overview/getting- started/introduction/adding-a-new-field 15

16 Outline 16

17 Adding Validation http://www.asp.net/mvc/overview/getting- started/introduction/adding-validation 17

18 Examining the Details and Delete Methods http://www.asp.net/mvc/overview/getting- started/introduction/examining-the-details-and-delete-methods 18

19 Topics For Later  Account Management:  http://azure.microsoft.com/en-us/documentation/articles/web-sites- dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database/ http://azure.microsoft.com/en-us/documentation/articles/web-sites- dotnet-deploy-aspnet-mvc-app-membership-oauth-sql-database/  Entity Framework:  Foreign keys  How does it handle objects with references to other objects?  JavaScript/jQuery integration? 19

Download ppt "BIT 286: Web Applications Lecture 10 : Thursday, February 5, 2015 ASP.Net Form Submission."

Similar presentations

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.

JQuery MessageBoard. Lets use jQuery and AJAX in combination with a database to update and retrieve information without refreshing the page. Here we will.
Using EBSCOs Search Box Builder Tool Tutorial. Would you like to promote your EBSCOhost resources by adding an easy-to-use search box to your website?

Using EBSCOs Search Box Builder Tool Tutorial. Would you like to promote your EBSCOhost resources by adding an easy-to-use search box to your website?
ADABAS to RDBMS UsingNatQuery. The following session will provide a high-level overview of NatQuerys ability to automatically extract ADABAS data from.

ADABAS to RDBMS UsingNatQuery. The following session will provide a high-level overview of NatQuerys ability to automatically extract ADABAS data from.
The Librarian Web Page Carol Wolf CS396X. Create new controller  To create a new controller that can manage more than just books, type ruby script/generate.

The Librarian Web Page Carol Wolf CS396X. Create new controller  To create a new controller that can manage more than just books, type ruby script/generate.
Introduction to MVC 4 03. Adding a View Page NTPCUG Tom Perkins, Ph.D.

Introduction to MVC Adding a View Page NTPCUG Tom Perkins, Ph.D.
Introduction to MVC 4 06. Action Methods, Edit View, and a Search Feature NTPCUG Dr. Tom Perkins.

Introduction to MVC Action Methods, Edit View, and a Search Feature NTPCUG Dr. Tom Perkins.
OpenCMS and the MSASS Website. A Note on Terminology Locking a file for editing: No lockNOT locked You have write/edit access Someone else has write.

OpenCMS and the MSASS Website. A Note on Terminology Locking a file for editing: No lockNOT locked You have write/edit access Someone else has write.
Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.

Introduction to Online Data Collection (OLDC) Community Based Abstinence Education September, 2009.
Logging In Go to web site:

Logging In Go to web site:
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
WebDFS Budget Amendment and Personnel Processing.

WebDFS Budget Amendment and Personnel Processing.
U:/msu/course/cse/103 Day 23, Slide 1 Review of Day 22 What query did you use to search for an actor by name? –Return matches.

U:/msu/course/cse/103 Day 23, Slide 1 Review of Day 22 What query did you use to search for an actor by name? –Return matches.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Blackbaud Web Purchasing Training Session 1. Agenda What is Blackbaud Web Purchasing? How to login to Blackbaud Web Purchasing Create a purchase requisition.

Blackbaud Web Purchasing Training Session 1. Agenda What is Blackbaud Web Purchasing? How to login to Blackbaud Web Purchasing Create a purchase requisition.
Public Key Encryption An example of how a bank might accomplish encryption.

Public Key Encryption An example of how a bank might accomplish encryption.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Dataface API Essentials Steve Hannah Web Lite Solutions Corp.

Dataface API Essentials Steve Hannah Web Lite Solutions Corp.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.

Similar presentations

Ads by Google