In my applications I was leaving the entity ID inside the HTML as a hidden field. Example:
@Html.HiddenFor(m => m.EntidadeID)
But I have found that I can easily edit the HTML and receive an invalid value in the POST.
Before, the controller Action looked like this:
[HttpPost]
[Authorize]
public ActionResult Detalhar(Entidade model)
{
    using (var db = new Conexao())
    {
        var registro = db.Entidade.Find(model.EntidadeID); // ID comes from the hidden field
        // rest of the code
    }
}
If I take the ID from the URL, I have found that even if it is changed before the POST, the value sent is not the changed one but the original.
I changed the Action to look like this:
[HttpPost]
[Authorize]
public ActionResult Detalhar(int id, Entidade model)
{
    using (var db = new Conexao())
    {
        var registro = db.Entidade.Find(id); // ID comes from the route
        // rest of the code
    }
}
But I have found another situation: when using @using (Html.BeginForm()), the form is rendered as <form action="/Entidade/Detalhar/5" method="post">, and the user can change the value 5 to whatever value he wants, thus producing an invalid data change.
Question
Is taking the entity ID from the URL safer? Or what would the alternatives be to slow down attempts at data fraud?
Updated question
If the user requests ID 5, the URL will be http://site/Registro/Detalhar/5. If he changes the ID to 10 before doing the POST, I saw that the controller understands the ID as 5, but is there any way to get around the number and try to change it from 5 to 10, so that the controller receives 10? Similar to what we could do with the HTML.
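As an added example (an editor's illustration, not the asker's code): neither the route value in the form's action attribute nor the hidden field is safer than the other, because both are sent by the client and can be edited before the POST. What stops a user from editing record 10 instead of 5 is a server-side ownership check on whatever ID arrives. The controller below does that; it uses the page's Conexao and Entidade names and assumes two hypothetical columns, Proprietario (the owning user's name) and Nome (an editable field), which are not in the original post.

```csharp
using System.Data.Entity;
using System.Web.Mvc;

// Minimal stand-ins for the page's Entidade and Conexao so the example compiles on its own.
// Proprietario and Nome are assumptions added for the example, not columns from the post.
public class Entidade
{
    public int EntidadeID { get; set; }
    public string Proprietario { get; set; }
    public string Nome { get; set; }
}

public class Conexao : DbContext
{
    public DbSet<Entidade> Entidade { get; set; }
}

public class EntidadeController : Controller
{
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult Detalhar(int id, Entidade model)
    {
        // Both the route value and the hidden field come from the client. If they disagree,
        // the request was tampered with and there is nothing legitimate to do with it.
        if (model.EntidadeID != id)
            return new HttpStatusCodeResult(400);

        using (var db = new Conexao())
        {
            var registro = db.Entidade.Find(id);

            // Authorization: whatever ID the client chose (5, 10, ...), the row must belong
            // to the logged-in user. A missing row and another user's row get the same 404,
            // so the response does not reveal which IDs exist.
            if (registro == null || registro.Proprietario != User.Identity.Name)
                return HttpNotFound();

            // Copy only the fields the user is allowed to edit. Attaching the whole posted
            // model (or calling UpdateModel on it) would let EntidadeID and Proprietario be
            // over-posted from the same tampered form.
            registro.Nome = model.Nome;
            db.SaveChanges();
        }

        return RedirectToAction("Detalhar", new { id });
    }
}
```

The view that posts to this action needs @Html.AntiForgeryToken() inside the form for [ValidateAntiForgeryToken] to pass. The ID is used only as a lookup key; the decision about whether the caller may change that row is made from the authenticated identity and the stored owner, never from anything the client typed.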