54

I was going through a action method code and i saw one attribute was used there but i really did not understand the use. here is the code

public ActionResult User([Bind(Include = "Username,FullName,Email")]User user)
{
   if (!ModelState.IsValid()) return View(user);

   try
   {
     user.save()
     // return the view again or redirect the user to another page
   }
   catch(Exception e)
   {
     ViewData["Message"] = e.Message;
     return View(user)
   }
}

([Bind(Include = "Username,FullName,Email")]User user)

i just do not understand the above line Bind include etc

so please help me to understand this kind of attribute used & when people write this kind of code in mvc. it will be really good help if some one make me understand with sample small code where they will use this Bind attribute.

Update: Suppose i have form from where user can enter only FirstName,LastName & Gender then my action method looks like 

public ActionResult Edit(string FirstName,string LastName,string Gender)
{
    // ...
}

this will work i think. then why i should use a Bind Attribute because my above action method will works fine.

4

3 回答 3

97

Bind属性允许您“微调”某些参数类型的模型绑定过程,而无需注册ModelBinder特定于该类型的自定义。

例如,假设您的 Action 需要一个Person定义如下的参数:

public class Person
{
    public Person(string firstName, string lastName, Gender gender)
    {
        this.FirstName = firstName;
        this.LastName = lastName;

        if (gender == Gender.Male)
            this.FullName = "Mr. " + this.FirstName + " " + this.LastName;
        else
            this.FullName = "Mrs. " + this.FirstName + " " + this.LastName;
    }

    public string FirstName { get; set; }
    public string LastName { get; set; }
    public Gender Gender { get; set; }

    // 'FullName' is a computed column:
    public string FullName { get; set; }
}

和行动:

public ActionResult Edit(Person person)
{
    ...
}

现在,如果有人发布以下 JSON:

{
    "FirstName":"John",
    "LastName":"Smith",
    "Gender":"Male",
    "FullName":"Mrs. John Smith"
}

你的 Action 现在会有一个person错误FullName('Mrs' 而不是 'Mr')。

为避免此类行为,您可以使用该Bind属性并从绑定过程中显式排除该FullName属性(“黑名单”):

public ActionResult Edit([Bind(Exclude="FullName")] Person person)
{
    ...
}

或者,您可以使用Include忽略 ('Black-list') 所有属性并仅包含 ('White-list') 指定属性:

public ActionResult Edit([Bind(Include="FirstName,LastName,Gender")] Person person)
{
    ...
}

有关MSDN的更多信息。

于 2013-10-21T09:26:21.407 回答
16

当执行此操作时,MVC 模型绑定器将使用请求参数来填充user参数的属性,您可能已经知道了。但是,该Bind属性告诉模型绑定器填充具有指定名称的属性。

所以在这种情况下,只会填充Username,FullNameEmail属性。所有其他将被忽略。

有关更多详细信息,请参见此处:http: //ittecture.wordpress.com/2009/05/01/tip-of-the-day-199-asp-net-mvc-defining-model-binding-explicitly/

于 2013-10-21T09:20:07.417 回答
4

Bind 属性是在创建场景中防止过度发布的一种方法。例如,假设 Student 实体包含您不希望此网页设置的 Secret 属性。

public class Student
{
  public int ID { get; set; }
  public string LastName { get; set; }
  public string FirstMidName { get; set; }
  public DateTime EnrollmentDate { get; set; }
  public string Secret { get; set; }

  public virtual ICollection<Enrollment> Enrollments { get; set; }
}

即使网页上没有 Secret 字段,黑客也可以使用 fiddler 等工具或编写一些 JavaScript 来发布 Secret 表单值。如果没有 Bind 属性限制模型绑定器在创建 Student 实例时使用的字段,模型绑定器将获取该 Secret 表单值并使用它来创建 Student 实体实例。然后,黑客为 Secret 表单字段指定的任何值都将在您的数据库中更新。下图显示了将 Secret 字段(值为“OverPost”)添加到已发布的表单值的提琴手工具。然后,“OverPost”值将成功添加到插入行的 Secret 属性,尽管您从未打算让网页能够设置该属性。

将 Include 参数与 Bind 属性一起使用以将字段列入白名单是一种安全最佳做法。也可以使用 Exclude 参数将要排除的字段列入黑名单。Include 更安全的原因是当您向实体添加新属性时,新字段不会自动受到 Exclude 列表的保护。

于 2016-02-29T16:02:16.157 回答