
In an ASP.NET MVC application, MVVM is often used to carry out the communication with the views. With the appearance of Web API, and especially with Code First, does MVVM still have to exist?

Many people say that it is not useful to use MVVM since we do not have views.

My suggestion is that you should always use MVVM, because you must not export the Model of the application to the outside, in order to avoid the possibility of hacking. The Model reflects the structure of the database, so if we export it directly to the outside in a Web API, we have exported the structure of our database and we have increased the probability of hacking, since the fields and tables are then known to the outside.

This is why we must use MVVM and not the Model, which reflects the structure of the database.

Indeed, should we use MVVM or the Model for the communication between the views and the controller in a Web API?

AND how can it be hacked if the structure of the database is known?

Thank you for your reply.

2 Answers

2

In Web API we use something called a DTO instead of a ViewModel. A DTO is similar to a view model, but it has no logic about the view; it is just for transferring data. Read this article and you will get the idea:
Create Data Transfer Objects (DTOs)

  • Thanks @Ahmed Zakaria for your answer. Do you have an idea about the validation of DTOs? Should I add the same DataAnnotations as for my Model? – rdnti softs Oct 31 '20 at 16:20
  • Yes, I use data annotations in DTOs. It is like a view model, but the difference is that a view model may have some logic about views. If my answer helped you, you may accept it. – Ahmed Zakaria Nov 02 '20 at 16:44
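As an added illustration of the DTO-plus-data-annotations approach described in this answer (example code written for this page, not code from the answer or from the linked article): an EF Core Code First entity kept server-side, beside a separate input DTO and output DTO, with a Web API controller that only ever binds and returns the DTOs. It assumes ASP.NET Core with EF Core and C# 12 (primary constructors); the `User`, `UserDto` and `CreateUserDto` types and the table layout are made up for the example.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
// EF Core entity (made up for this example), mapped 1:1 to the Users table; it is never returned from the API.
public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public string PasswordHash { get; set; } = ""; // must never leave the server
    public bool IsAdmin { get; set; }              // must never be settable by a client
}
public class AppDbContext(DbContextOptions<AppDbContext> o) : DbContext(o)
{
    public DbSet<User> Users => Set<User>();
}
public record UserDto(int Id, string Email); // output DTO: only the fields a client is meant to see
// Input DTO: only the fields a client may set, validated with data annotations.
public class CreateUserDto
{
    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; } = "";
    [Required, StringLength(128, MinimumLength = 12)]
    public string Password { get; set; } = "";
}
[ApiController, Route("api/[controller]")]
public class UsersController(AppDbContext db) : ControllerBase
{
    [HttpGet("{id}")]
    public async Task<ActionResult<UserDto>> Get(int id)
    {
        // Project inside the query, so PasswordHash and IsAdmin are never even selected.
        var dto = await db.Users.Where(u => u.Id == id)
            .Select(u => new UserDto(u.Id, u.Email)).SingleOrDefaultAsync();
        if (dto is null) return NotFound();
        return dto;
    }
    [HttpPost] // [ApiController] answers 400 automatically when the annotations fail
    public async Task<ActionResult<UserDto>> Create(CreateUserDto input)
    {
        // Binding CreateUserDto rather than User means a posted "isAdmin": true is ignored.
        var user = new User { Email = input.Email };
        user.PasswordHash = new PasswordHasher<User>().HashPassword(user, input.Password);
        db.Users.Add(user);
        await db.SaveChangesAsync();
        return CreatedAtAction(nameof(Get), new { id = user.Id }, new UserDto(user.Id, user.Email));
    }
}
```

The same `[Required]`/`[StringLength]` annotations can be placed on the DTO rather than on the entity, which keeps the validation rules next to the shape the client actually sends.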
1

Don't rely on security by obscurity. Just because you are trying to obscure your database models by sending them in a different form as a ViewModel DOES NOT make your system secure.

That is a bad practice and has been widely rejected. If someone wants to hack your website, he/she can usually do that without knowledge of the underlying database (take tools like SQLMap, for example). Yes, it makes life a little easier if I already know that you have a Users table containing a hashed password, but usually such things are convention based and a hacker can guess that easily.

Use other safety mechanisms like an ORM and input/output sanitization (note: don't rely on only one of them. Security and safety are achieved by a combination of multiple measures.)

Back to MVVM. Usually a View shows aggregated information from multiple tables of a database, so the need for a ViewModel still exists, as you cannot fill a View with a single database model. Take for example a View where you want to see all your customers, their orders and delivery addresses. If your database is normalized, this will most likely not all be stored in one table.

But this is all very opinionated and use-case specific. There are plenty of articles on this topic on the internet: on SO, "Is MVVM pointless?", or on Software Engineering SE.

Pio
  • In fact I mean DTO, as @Ahmed Zakaria mentioned. It's true, hiding the structure of the database is not enough to secure an IT solution, but there is more risk if the structure is known to the outside. For the case of Yahoo, for example, which exposes services for the weather, I don't think that it will expose JSON objects which reflect the structure of the database used behind it; indeed we use DTOs in this regard. That's what I'm talking about. – rdnti softs Oct 31 '20 at 15:03
  • Another reason: I think it is necessary to decouple the Data Access layer and the Front End layer; indeed it is important to use DTOs. – rdnti softs Oct 31 '20 at 15:30
  • DTO and ViewModel are similar in theory but different concepts. Your original question was targeted at ViewModels. Of course it is very important to decouple DB and frontend. I don't think you are getting my point: "Don't rely on obscurity to secure your system" does not mean that I promote using DB models in the frontend because it doesn't matter. I just want to point out the dangers you put yourself into if you only rely on obscurity. – Pio Nov 02 '20 at 12:38