What is the best way to prevent MVC 4 over-posting?
According to MS sources, the [Bind] attribute is supposed to be the easiest way to prevent over-posting by preven
I think you may have been misled by the Wrox book on this occasion. What you describe is the intended behaviour of the Bind/Exclude property. See http://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute.exclude(v=vs.108).aspx.
If you do not want to bind values to every property on your model, I believe that ViewModels are the way to go, even though as you rightly point out they are something of an overhead. Nevertheless, the advantages of using them are significant, and IMO in this sort of context, justify the extra development work. For example:
Automapper is one option for doing the mapping from the entity to view models, but if you are using Lazy Loading, beware. I discovered Automapper doesn't handle updates to EF Proxy classes in the way I hoped. In the end I removed AM and rolled my own mapping mechanism based on an IMappable interface and a generic utility class. In many cases it's not much more code to type to do that than to configure Automapper.
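
The view model approach recommended in the answer above, as an added example that is not part of the original post. The `User` entity, `UserEditViewModel`, `AppDbContext` and the hand-written `ApplyTo` mapping method are hypothetical names, and Entity Framework is assumed for persistence.

```csharp
using System.Data.Entity;
using System.Web.Mvc;

// Hypothetical EF entity: IsAdmin must never be set from a form post.
public class User
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// View model: exposes only the fields the edit form is allowed to change.
public class UserEditViewModel
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }

    // Explicit allow-list mapping onto the tracked entity.
    public void ApplyTo(User user)
    {
        user.DisplayName = DisplayName;
        user.Email = Email;
    }
}

public class AppDbContext : DbContext { public DbSet<User> Users { get; set; } }

public class UsersController : Controller
{
    private readonly AppDbContext db = new AppDbContext();

    // Binding the entity directly, as in Edit(User user), would let a posted
    // "IsAdmin=true" field reach the database. With the view model the
    // binder has no IsAdmin property to populate, so the field is ignored.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(UserEditViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        User user = db.Users.Find(model.Id);
        if (user == null) return HttpNotFound();
        model.ApplyTo(user);   // IsAdmin keeps its stored value
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

Because the entity is loaded from the context and only the allow-listed properties are copied onto it, adding a new sensitive column to `User` later does not expose it to the form unless the view model is changed as well.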