17

Why might a developer use the Bind attribute on a ViewModel object in an ASP.NET MVC project and can this have a detrimental effect an application?

[Bind(Include = "Id,Name")]
[MetadataType(typeof (MyViewModelValidation))]
public class MyViewModel
{
    public string CustomerProductUserName { get; set; }

    [Display(Name = "Name")]
    public string Name { get; set; }

}

public class MyViewModelValidation
{
    [HiddenInput(DisplayValue = false)]
    public int Id { get; set; }

    [Required]
    public string Name{ get; set; }
}
Improve this question

4 Answers 4

Reset to default
21

First of all, you don't need to create a MetadataType class for a ViewModel. You can use data annotation attributes directly in your ViewModel. MetadataType classes are used for Models automatically generated by EF or other ORMs, so that you can use data annotation attributes without touching the auto-generated code.

The Bind attribute does not have to be used either - unless you want to use Include or Exclude properties of the Bind attribute, to include or exclude properties in your Model in or from binding, respectively.

For example, in the code in your question, only the Id and Name properties will be bound when submitting your Model from your View. Even if you have an input in your View for CustomerProductUserName, when you submit your form, the property will always be null. This can be useful in cases like where you don't want an auto-generated ID field to be included in binding.

Properties excluded from binding are also excluded from validation, because validation is done as part of model binding. Also, you may use the Bind attribute for security reasons; for instance, when you want to make sure nothing but the properties in your model are being posted to the controller.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Are those properties also excluded from unobtrusive client validation ?
@astian, I've never tried that, but most likely they are not. They are excluded from server validation because they are excluded from Model Binding.
@ataravati for security reason stackoverflow.com/questions/29164776/… ?
15

The purpose of using bind attribute is to prevent attacker from assigning property value while posting of request or control what properties you want to bind.

Let us suppose, you have a class called Member and a create method that saves member. But you do not want user to send a value for MemberType property. 

Class Member  
{  
    public int MemberId { get; set; }  
    public string FirstName { get; set; }  
    public string LastName { get; set; }  
    public string MemberType { get; set; }  
}  

[HttpPost]  
Public ActionResult Create(Member member)  
{  
    Save(member);  
}

Let's say for now, you are only offering Regular member type which is the default value. You might think that you can prevent the user to send a value for MemberType property by not allowing input for MemberType Property. But when a user posts the member object, an attacker may intercept the request and send the MemberType value in request, as MemberId=1&FirstName=Chandra&LastName=Malla&MemberType=Premium and save the member as a Premium member. To prevent this, you can decorate Member class with Bind attribute. 

[Bind(Include="MemberId,FirstName,LastName")]  
Class Member  
{
    ...

or 

[Bind(Exclude="MemberType")]  
Class Member  
{  
    ...

Now if Member object is posted, MemberType property value will not be posted.

If you are using ViewModel, you might not necessarily have to use bind attribute because you can omit MemberType properties in your ViewModel. 

Class Member  
{  
    public int MemberId { get; set; }  
    public string FirstName { get; set; }  
    public string LastName { get; set; }  
    public string MemberType { get; set; } 
}  

Class MemberViewModel  
{       
    public int MemberId { get; set; }   
    public string FirstName { get; set; }  
    public string LastName { get; set; }  
}  

[HttpPost]  
Public ActionResult Create(MemberViewModel memberviewmodel)  
{  
    Save(memberviewmodel);  
}

If you do not nicely design your model and/or ViewModel and do not use bind attribute to avoid posting of property you do not want, that might have detrimental effect.

Improve this answer

5 Comments

so is it mandatory to use bind for security reasons ? answer stackoverflow.com/questions/29164776/…
Yes but if you are passing viewmodel instead of model, you can include only necessary properties in the viewmodel so you do not need to bind.
what is viewmodel ? the model which am passing it to a view or the one which am receiving in Post as a parameter ?
In my understanding, Viewmodel is model itself . You can have viewmodel in addition to model. you can create a viewmodel with property that is essential to interact with view.As in above example MemberViewModel does not have MemberID, because without MemberId, it is good enough to interact with view. So it is custom model that can interact with view.
Can we say that if a Class is used as input for multiple Controller functions (every time with different properties), it is better to use Bind Include rather than creating multiple View models?
5

In addition, if you want to prevent refactoring issues when renaming properties from your model you could do something like:

public async Task<ActionResult> Create([Bind(Include = nameof(Foo.Bar1)+","+nameof(Foo.Bar2)+","+nameof(Foo.Bar3))] Foo fooObj)

If you now e.g. rename "Bar1" your Include Bindings will still work.

Improve this answer

Comments

4

You can use the Bind attribute to control how a model binder converts a request into an object. The most common way that you use the Bind attribute is when you exclude an Id property from binding. For example, the Persons database table includes a column named Id that is an Identity column. Because the value of an Identity column is generated by the database automatically, you don’t want to bind a form field to this property.

On the other hand, imagine that a property of a model is especially sensitive, which a malicious user could simply append it in a URL when submitting a form. If this were done, the model binder would happily discover and use the data value in the binding process. By Bind attribute you can protect your application from this kind of attack.

Using the Bind attribute could make problem(s) when you, for example, are going to update an entity and the ID is important for you.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.