form security issue in razor web pages

Question

I have a hidden form field to delete an item in my razor web pages application

<input type="hidden" value="137" name="id">

user can easily alter the item value and delete other user's product, how do we secure this ?

It would help if you posted part of your code where you retrieve form values and update your database. — johna, Oct 02 '12 at 08:45

Daniel A. White · Accepted Answer · 2012-09-27T13:25:44.040

1

You should do server-side validation to ensure that that user has the appropriate authorization to edit/delete (or any other action) that entity.

As an example, in your Controller

[HttpPost]
public ActionResult Delete(int? id)
{
   if (CanUserDeleted(id))
   {
      Delete(id);
      // more magic
   }
   else
   {
      // Give the user an error
   }
}

edited Sep 27 '12 at 13:25

answered Sep 27 '12 at 12:56

Daniel A. White

187,200
47
362
445

could you pls provide me an example ? – ktm Sep 27 '12 at 13:21
i am not using mvc, i am using web pages – ktm Sep 27 '12 at 14:43

form security issue in razor web pages

1 Answers1