Asp.Net MVC 5 bind parameter exclusively from body

忘掉有多难 2020-12-16 01:40

I want to prevent posting sensitive data via url query string to a MVC 5 application.

In MVC there is a DefaultModelBinder. The DefaultModelBinder

3 answers
  •  無奈伤痛
    2020-12-16 02:11

    By default, the binder looks for data in four places: form data, route data, the query string, and any uploaded files.

    It is possible to restrict the binding to a single source of data. To do so you should call the UpdateModel method passing, as the second parameter, a FormValueProvider object (an implementation of IValueProvider).

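    // Requires System.Collections.Generic and System.Web.Mvc.
    public ActionResult Products()
    {
        // Product: assumed name of the application's model class.
        IList<Product> products = new List<Product>();
        // Bind from the request body (Request.Form) only.
        UpdateModel(products, new FormValueProvider(ControllerContext));
        return View(products);
    }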
    

    The complete list of objects is (they all receive the ControllerContext as the constructor parameter):

    • FormValueProvider: search for data in the body (Request.Form)
    • RouteDataValueProvider: search for data in the route (RouteData.Value)
    • QueryStringValueProvider: search for data in the query string (Request.QueryString)
    • HttpFileCollectionValueProvider: search for uploaded files (Request.Files)
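
An added example, not part of the answer above or of ASP.NET MVC itself: the same form-only restriction applied declaratively, by replacing the value provider inside a binder derived from DefaultModelBinder. FormOnlyModelBinder, FromFormOnlyAttribute, ChangePasswordModel and AccountController are hypothetical names.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical binder: DefaultModelBinder restricted to Request.Form.
public class FormOnlyModelBinder : DefaultModelBinder
{
    public override object BindModel(ControllerContext controllerContext,
                                     ModelBindingContext bindingContext)
    {
        // Swap the default composite provider (form, route, query string,
        // files) for one that reads the form body only. JSON bodies are
        // not covered by FormValueProvider.
        bindingContext.ValueProvider = new FormValueProvider(controllerContext);
        return base.BindModel(controllerContext, bindingContext);
    }
}

// Hypothetical attribute that selects the binder for one action parameter.
[AttributeUsage(AttributeTargets.Parameter)]
public sealed class FromFormOnlyAttribute : CustomModelBinderAttribute
{
    public override IModelBinder GetBinder()
    {
        return new FormOnlyModelBinder();
    }
}

// Hypothetical model and controller used for illustration.
public class ChangePasswordModel
{
    [Required] public string CurrentPassword { get; set; }
    [Required] public string NewPassword { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult ChangePassword([FromFormOnly] ChangePasswordModel model)
    {
        // A value sent as ?NewPassword=... is never read, so the
        // [Required] check fails unless the field is in the body.
        if (!ModelState.IsValid)
        {
            return new HttpStatusCodeResult(400, "Fields must be sent in the form body");
        }
        return new HttpStatusCodeResult(204);
    }
}
```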
