How to handle hidden fields in MVC forms?
I have a FormViewModel that handles different fields. Many of them are not to be presented to the user (such as modified_date, current_user_id), so I am using hidden fields to respect the FormViewModel structure. When submitted they are passed to the controller's action and correctly saved to the DB, but I'm asking: is it the best way to do it in ASP.NET MVC? I would have preferred to define them in FormViewModel and use only the fields to be modified instead of also showing the non-modifiable ones as hidden fields.
Is there a better way to do it?
If these fields are not being touched by the user, then I would do this:
Create a FormViewModel with only the fields that are relevant. Also the primary key.
The primary key still needs to be on the page, methinks.
Then in the controller you accept the FormViewModel as the argument, you then load the actual model and update, validate fields as required and save the model.
The above is simplistic and you'll have more layers, but you should get the idea.
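The approach in this answer, sketched as an added example (not code from any of the posts). It assumes ASP.NET MVC 5 (System.Web.Mvc); Student, StudentEditViewModel, IStudentRepository and the ModifiedBy property are hypothetical names. The view model carries only the editable fields, the id comes from the route, and the audit values are set on the server, so a tampered or extra form field has nothing to bind to.

```csharp
using System;
using System.Web.Mvc;

// Stored entity (hypothetical). ModifiedDate and ModifiedBy are never bound from the form.
public class Student
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public DateTime ModifiedDate { get; set; }
    public string ModifiedBy { get; set; }
}

// View model (hypothetical): only the fields the user is allowed to edit.
public class StudentEditViewModel
{
    public string Name { get; set; }
    public string Email { get; set; }
}

// Persistence abstraction (hypothetical).
public interface IStudentRepository
{
    Student Find(int id);   // returns null when the record does not exist
    void Save(Student student);
}

[Authorize]
public class StudentController : Controller
{
    private readonly IStudentRepository _students;
    public StudentController(IStudentRepository students) { _students = students; }

    [HttpPost, ActionName("Edit")]
    public ActionResult EditPost(int id, StudentEditViewModel form)
    {
        if (!ModelState.IsValid) return View(form);
        // The id (e.g. /Student/Edit/1) is still client-supplied: check here that
        // the current user is allowed to edit the record that gets loaded.
        var student = _students.Find(id);
        if (student == null) return HttpNotFound();
        // Copy only the editable fields onto the stored record.
        student.Name = form.Name;
        student.Email = form.Email;
        // Audit values come from the server, never from the request body.
        student.ModifiedDate = DateTime.UtcNow;
        student.ModifiedBy = User.Identity.Name;
        _students.Save(student);
        return RedirectToAction("Edit", new { id });
    }
}
```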
I think you can do a few things to make your life a little easier:
Let the URL (and the routing mechanism) give you the id (the primary key of whatever you are trying to edit)
You can have a URL like '/Student/Edit/1'. Routing will ensure that your Action method gets the id value directly.
Have 2 action methods to handle your request. One decorated with [HttpGet] to render the initial form to the user (where you just retrieve your object from the repository and pass it on to your View) and a [HttpPost] one to actually handle the post back from the user.
The second method could look something like:
[HttpPost]
[ActionName("Edit")]
public ActionResult EditPost(int id)
{
    ...your code here...
}
Retrieve the actual record from the repository/store based on the id passed in.
Use the UpdateModel function to apply the changes to the database record and pass on the record back to your repository layer to store it back in the database.
However, in a real-world application, you will probably want separation of concerns and decoupling between your repository and your view layer (ASP.NET MVC).
If they are part of the model, the method you are using is perfectly fine. You even have a helper method in HtmlHelper.HiddenFor to output the hidden field for you. However, if the values are something like modified date or current user, you might be better suited passing those along from your controller to a DTO for your data layer. I'm making some assumptions about what you're doing for data access, though.
The risk with storing data which shouldn't be modified in hidden fields is that it can be modified using a browser's built-in/extension developer tools. Upon post these changes will be saved to your database (if that's how you're handling the action).
To protect hidden fields you can use the MVC Security Extensions project https://mvcsecurity.codeplex.com.
Say the field you want to protect is Id...
On your controller post method add:
[ValidateAntiModelInjection("Id")]
Within your view add:
@Html.AntiModelInjectionFor(m => m.Id)
@Html.HiddenFor(m => m.Id)
On post your Id field will be validated.