tags:

views:

57

answers:

3
+2  Q: 

MVC Model best practice - How to handle non-user-input data

So, my question is that I have a model. My model has some data that is populated based on the id passed in through the url and set into a cookie, and the rest is user input, which is validated using data annotations.

The "problem" I've come across is how to handle this non user input data. Do I put it in hidden controls and thus inflate (albeit only slightly) my page size, or do I "rebuild" that part of the model on each post back, which adds another trip to the database and back.

I understand this is subjective, but I'm curious as to what the standard practice is. Putting the data in a hidden field is the simplest way, but it doesn't feel right to have done away with viewstate only to bring it back, even if in small chunks. Plus that exposes your data to the user - not that they couldn't tweak the url. And no one likes unnecessary trips to the database.

Oh, and I can't use session. This app runs in a load balanced environment.

+2  A: 

Just leave the id in the url. A url is supposed to identify a resource anyway, so taking the parameter out of the url and storing it in any other way is just doing extra work and making your url not identify the resource you are accessing.

If you have other data you need to send, it is very common practice to send an identifier along in a hidden field, validating it just like any other field. If you can deduce the information server side, it comes down to weighing the costs of rebuilding that data vs a larger request. You have to measure which is better for your application during testing, but both are common in practice. Don't forget about security concerns when you make your decision however, its not all performance.

Also, if data comes from the client, no matter how clever you think you are in hiding it, it is still user input. That means even if you don't put a control for them to edit the value on the screen, an half savvy user will know how to change it.

NickLarsen  2010-10-25 21:12:43
That is primarily my concern with putting the data in the view in hidden fields. The request can be "fabricated", even when using an antiforgery token. My issue with using the url only is that my id's are simple int values - very easy to doctor.
Josh  2010-10-26 13:24:57
Considering this app needs all the security it can get, I am not putting any data in the form. I am rebuilding the sensitive pieces of the model each time the action is hit. Also, I'm verifying the user is linked to the id passed in through the qs just in case they try to get sneaky. Thanks for your suggestion.
Josh  2010-10-27 18:30:56
+1  A: 

I don't think the viewstate is the way to go, as it exposes internal data to the browser and it also increases your traffic unnecessarily.

If I had to solve this problem, I'd go for using the session for storing such session-related data. If it is a load-balanced environment, you will need distributed session handling, tho. The simplest way to solve it is simply starting an ASP.NET State Service and start using it for handling the sessions.

If you don't like Microsoft tech, you can also use MemCached for storing session data in memcached servers. There are providers for it, for example this, unfortunately it does not seem to be in development any more.

CodeTwice  2010-10-25 21:15:02
+1  A: 

it is going to be better if you will get it from your DAL on each,
it's not good to put unneeded stuff in your html

imagine you get a user and put his password in a hidden input, just because you don't want to get it each time.

or you put some stuff in hidden inputs and using firebug somebody changes the values of those inputs.

Omu  2010-10-26 06:38:20
That's really my concern with putting the data in the view using hidden fields. It's very easy to change the fields.
Josh  2010-10-26 13:20:23
@Josh you could also encrypt your ids, or anything else you need, and don't put unneeded stuff in html
Omu  2010-10-26 14:03:41

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data