[RESOLVED] Whether to validate the POST request parameters?

Hi. Sorry for my english.

There is such a method. It checks the parameters of the GET request:

// GET: shows the delete confirmation page
[Route("Organization/{organizationId:int}/Category/{categoryId:int}/Calendar/Delete/{calendarId:int}")]
public ActionResult Delete(int? calendarId, int? organizationId)
{
    if (calendarId == null || organizationId == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }
    Calendar calendar = db.Calendars.Find(calendarId);
    if (calendar == null || calendar.Category.OrganizationId != organizationId)
    {
        return HttpNotFound();
    }
    return View(calendar);
}

// POST: performs the delete
[HttpPost, ActionName("Delete")]
[ValidateAntiForgeryToken]
[Route("Organization/{organizationId:int}/Category/{categoryId:int}/Calendar/Delete/{calendarId:int}")]
public ActionResult DeleteConfirmed(int id)
{
    Calendar calendar = db.Calendars.Find(id);
    db.Calendars.Remove(calendar);
    db.SaveChanges();
    return RedirectToAction("Index");
}

Is it necessary, for security purposes, to check the parameters of the POST request?

Hello,

It will be good practice to check all parameters on client and server side.

Regards

Thanks for the answer.

I meant, do I need to do this check in both the HttpGet and HttpPost actions?

if (calendar == null || calendar.Category.OrganizationId != organizationId)
{
    return HttpNotFound();
}

Hi DSerg,

DSerg

[Route("Organization/{organizationId:int}/Category/{categoryId:int}/Calendar/Delete/{calendarId:int}")]
public ActionResult Delete(int? calendarId, int? organizationId)
{
    if (calendarId == null || organizationId == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }
    Calendar calendar = db.Calendars.Find(calendarId);
    if (calendar == null || calendar.Category.OrganizationId != organizationId)
    {
        return HttpNotFound();
    }
    return View(calendar);
}

For this code, since you have specified the parameters' types, you don't need to check the parameters' values. For example, if organizationId is a string (e.g. orgId), that route won't be matched.


DSerg

Hi. Sorry for my english.

There is such a method. It checks the parameters of the GET request:

// GET: shows the delete confirmation page
[Route("Organization/{organizationId:int}/Category/{categoryId:int}/Calendar/Delete/{calendarId:int}")]
public ActionResult Delete(int? calendarId, int? organizationId)
{
    if (calendarId == null || organizationId == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }
    Calendar calendar = db.Calendars.Find(calendarId);
    if (calendar == null || calendar.Category.OrganizationId != organizationId)
    {
        return HttpNotFound();
    }
    return View(calendar);
}

// POST: performs the delete
[HttpPost, ActionName("Delete")]
[ValidateAntiForgeryToken]
[Route("Organization/{organizationId:int}/Category/{categoryId:int}/Calendar/Delete/{calendarId:int}")]
public ActionResult DeleteConfirmed(int id)
{
    Calendar calendar = db.Calendars.Find(id);
    db.Calendars.Remove(calendar);
    db.SaveChanges();
    return RedirectToAction("Index");
}

Is it necessary, for security purposes, to check the parameters of the POST request?

For this code, you need to check whether calendar is null or not.

Best Regards

Starain
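Editor's note on the thread above, with an added example that is not code from the original poster or the responders. The `:int` route constraints only guarantee that calendarId and organizationId parse as integers; they say nothing about whether the calendar exists or whether it belongs to the organization in the URL. The `calendar.Category.OrganizationId != organizationId` comparison in the GET action is therefore an authorization check, not input validation, and it has to be repeated in the POST action: the confirmation page is just a page, and anyone who can send the POST can skip it and supply any calendarId. Note also that the posted POST action binds a parameter named `id`, while its route template declares `{calendarId:int}`, so `id` is not populated from the URL at all; the example below binds the same names as the route. The controller class name and the `ApplicationDbContext` type are assumed; the `Calendar` and `Category` entities and the `db` field are taken from the question.

```csharp
// Added example (not from the original thread): the POST Delete action hardened
// to mirror the checks of the GET action. Assumes the Calendar/Category entities
// and a `db` DbContext as in the question; class and context names are assumed.
using System.Web.Mvc;

namespace CalendarApp.Controllers
{
    public class CalendarController : Controller
    {
        private readonly ApplicationDbContext db = new ApplicationDbContext(); // assumed context type

        // Same template as the GET action, so both values are bound from the URL.
        // The :int constraints make int (not int?) safe here: a request whose
        // segments are not integers never matches this route, so no null check
        // is needed for the route values themselves.
        [HttpPost, ActionName("Delete")]
        [ValidateAntiForgeryToken]
        [Route("Organization/{organizationId:int}/Category/{categoryId:int}/Calendar/Delete/{calendarId:int}")]
        public ActionResult DeleteConfirmed(int calendarId, int organizationId)
        {
            Calendar calendar = db.Calendars.Find(calendarId);

            // Existence and ownership check, repeated from the GET action.
            // Find() returns null for an unknown id, and Remove(null) would throw.
            // Without the ownership comparison, a caller could delete a calendar of
            // another organization simply by changing calendarId in the request;
            // the GET confirmation page is not a security boundary.
            if (calendar == null || calendar.Category.OrganizationId != organizationId)
            {
                // 404 rather than 403, so the response does not reveal that the id exists.
                return HttpNotFound();
            }

            db.Calendars.Remove(calendar);
            db.SaveChanges();
            return RedirectToAction("Index");
        }
    }
}
```

One check that the thread does not show at all, and that the example above does not add, is whether the current user is allowed to act on organizationId in the first place; the ownership comparison only ties the calendar to the organization named in the URL, not the organization to the user.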
