daohualiuxiang
/
AspNetCore.Docs
mirror of https://github.com/dotnet/AspNetCore.Docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update live with current master (#4741) 

* Tabbifying script examples per OS (#4735)

* Command line deployment

* typo fix

* edits per review

* increased visibility of 'pub to azure' scenarios

* removed copy/paste debris

* Tabbified the local code segments

* fixed merge whoops

* attempting to fix TOC

* Fixed toc xref

* Update implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md (#4745)

* Update adding-controller1.md (#4747)

* Update adding-controller1.md

* Update adding-controller1.md

* Update publish-to-azure-webapp-using-vs.md (#4746)
pull/4758/head^2
Rick Anderson 2017-11-08 10:37:06 -10:00 committed by GitHub
parent 68a60d1132
commit 5dada9eb2b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 77 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
aspnet/mvc/overview/getting-started/getting-started-with-ef-using-mvc/implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application.md
View File

@ -46,29 +46,27 @@ The scaffolded code for the Students `Index` page left out the `Enrollments` pro
The key value is passed to the method as the `id` parameter and comes from *route data* in the **Details** hyperlink on the Index page.
> [!TIP]
>
> **Route data**
>
> Route data is data that the model binder found in a URL segment specified in the routing table. For example, the default route specifies `controller`, `action`, and `id` segments:
>
> [!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample2.cs?highlight=3)]
>
> In the following URL, the default route maps `Instructor` as the `controller`, `Index` as the `action` and 1 as the `id`; these are route data values.
>
> `http://localhost:1230/Instructor/Index/1?courseID=2021`
>
> "?courseID=2021" is a query string value. The model binder will also work if you pass the `id` as a query string value:
>
> `http://localhost:1230/Instructor/Index?id=1&CourseID=2021`
>
> The URLs are created by `ActionLink` statements in the Razor view. In the following code, the `id` parameter matches the default route, so `id` is added to the route data.
>
> [!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample3.cshtml)]
>
> In the following code, `courseID` doesn't match a parameter in the default route, so it's added as a query string.
>
> [!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample4.cshtml)]
### Tip: **Route data**
Route data is data that the model binder found in a URL segment specified in the routing table. For example, the default route specifies `controller`, `action`, and `id` segments:
[!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample2.cs?highlight=3)]
In the following URL, the default route maps `Instructor` as the `controller`, `Index` as the `action` and 1 as the `id`; these are route data values.
`http://localhost:1230/Instructor/Index/1?courseID=2021`
"?courseID=2021" is a query string value. The model binder will also work if you pass the `id` as a query string value:
`http://localhost:1230/Instructor/Index?id=1&CourseID=2021`
The URLs are created by `ActionLink` statements in the Razor view. In the following code, the `id` parameter matches the default route, so `id` is added to the route data.
[!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample3.cshtml)]
In the following code, `courseID` doesn't match a parameter in the default route, so it's added as a query string.
[!code-cshtml[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample4.cshtml)]
1. Open *Views\Student\Details.cshtml*. Each field is displayed using a `DisplayFor` helper, as shown in the following example:
@ -99,24 +97,23 @@ The key value is passed to the method as the `id` parameter and comes from *rout
<a id="overpost"></a>
> [!WARNING]
> Security - The `ValidateAntiForgeryToken` attribute helps prevent [cross-site request forgery](../../security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages.md) attacks. It requires a corresponding `Html.AntiForgeryToken()` statement in the view, which you'll see later.
>
> The `Bind` attribute is one way to protect against *over-posting* in create scenarios. For example, suppose the `Student` entity includes a `Secret` property that you don't want this web page to set.
>
> [!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample8.cs?highlight=7)]
>
> Even if you don't have a `Secret` field on the web page, a hacker could use a tool such as [fiddler](http://fiddler2.com/home), or write some JavaScript, to post a `Secret` form value. Without the [Bind](https://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute(v=vs.108).aspx) attribute limiting the fields that the model binder uses when it creates a `Student` instance*,* the model binder would pick up that `Secret` form value and use it to create the `Student` entity instance. Then whatever value the hacker specified for the `Secret` form field would be updated in your database. The following image shows the fiddler tool adding the `Secret` field (with the value "OverPost") to the posted form values.
>
> ![](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/_static/image5.png)
>
> The value "OverPost" would then be successfully added to the `Secret` property of the inserted row, although you never intended that the web page be able to set that property.
>
> It's a security best practice to use the `Include` parameter with the `Bind` attribute to *whitelist* fields. It's also possible to use the `Exclude` parameter to *blacklist* fields you want to exclude. The reason `Include` is more secure is that when you add a new property to the entity, the new field is not automatically protected by an `Exclude` list.
>
> You can prevent overposting in edit scenarios is by reading the entity from the database first and then calling `TryUpdateModel`, passing in an explicit allowed properties list. That is the method used in these tutorials.
>
> An alternative way to prevent overposting that is preferred by many developers is to use view models rather than entity classes with model binding. Include only the properties you want to update in the view model. Once the MVC model binder has finished, copy the view model properties to the entity instance, optionally using a tool such as [AutoMapper](http://automapper.org/). Use db.Entry on the entity instance to set its state to Unchanged, and then set Property("PropertyName").IsModified to true on each entity property that is included in the view model. This method works in both edit and create scenarios.
### Security warning - The `ValidateAntiForgeryToken` attribute helps prevent [cross-site request forgery](../../security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages.md) attacks. It requires a corresponding `Html.AntiForgeryToken()` statement in the view, which you'll see later.
The `Bind` attribute is one way to protect against *over-posting* in create scenarios. For example, suppose the `Student` entity includes a `Secret` property that you don't want this web page to set.
[!code-csharp[Main](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/samples/sample8.cs?highlight=7)]
Even if you don't have a `Secret` field on the web page, a hacker could use a tool such as [fiddler](http://fiddler2.com/home), or write some JavaScript, to post a `Secret` form value. Without the [Bind](https://msdn.microsoft.com/en-us/library/system.web.mvc.bindattribute(v=vs.108).aspx) attribute limiting the fields that the model binder uses when it creates a `Student` instance*,* the model binder would pick up that `Secret` form value and use it to create the `Student` entity instance. Then whatever value the hacker specified for the `Secret` form field would be updated in your database. The following image shows the fiddler tool adding the `Secret` field (with the value "OverPost") to the posted form values.
![](implementing-basic-crud-functionality-with-the-entity-framework-in-asp-net-mvc-application/_static/image5.png)
The value "OverPost" would then be successfully added to the `Secret` property of the inserted row, although you never intended that the web page be able to set that property.
It's a security best practice to use the `Include` parameter with the `Bind` attribute to *whitelist* fields. It's also possible to use the `Exclude` parameter to *blacklist* fields you want to exclude. The reason `Include` is more secure is that when you add a new property to the entity, the new field is not automatically protected by an `Exclude` list.
You can prevent overposting in edit scenarios is by reading the entity from the database first and then calling `TryUpdateModel`, passing in an explicit allowed properties list. That is the method used in these tutorials.
An alternative way to prevent overposting that is preferred by many developers is to use view models rather than entity classes with model binding. Include only the properties you want to update in the view model. Once the MVC model binder has finished, copy the view model properties to the entity instance, optionally using a tool such as [AutoMapper](http://automapper.org/). Use db.Entry on the entity instance to set its state to Unchanged, and then set Property("PropertyName").IsModified to true on each entity property that is included in the view model. This method works in both edit and create scenarios.
Other than the `Bind` attribute, the `try-catch` block is the only change you've made to the scaffolded code. If an exception that derives from [DataException](https://msdn.microsoft.com/en-us/library/system.data.dataexception.aspx) is caught while the changes are being saved, a generic error message is displayed. [DataException](https://msdn.microsoft.com/en-us/library/system.data.dataexception.aspx) exceptions are sometimes caused by something external to the application rather than a programming error, so the user is advised to try again. Although not implemented in this sample, a production quality application would log the exception. For more information, see the **Log for insight** section in [Monitoring and Telemetry (Building Real-World Cloud Apps with Azure)](../../../../aspnet/overview/developing-apps-with-windows-azure/building-real-world-cloud-apps-with-windows-azure/monitoring-and-telemetry.md#log).

3
aspnetcore/includes/mvc-intro/adding-controller1.md
View File

@ -8,5 +8,4 @@ The Model-View-Controller (MVC) architectural pattern separates an app into thre
The MVC pattern helps you create apps that separate the different aspects of the app (input logic, business logic, and UI logic), while providing a loose coupling between these elements. The pattern specifies where each kind of logic should be located in the app. The UI logic belongs in the view. Input logic belongs in the controller. Business logic belongs in the model. This separation helps you manage complexity when you build an app, because it enables you to work on one aspect of the implementation at a time without impacting the code of another. For example, you can work on the view code without depending on the business logic code.
We cover these concepts in this tutorial series and show you how to use them to build a movie app. The MVC project contains folders for the *Controllers* and *Views*. A *Models* folder will be added in a later step.
We cover these concepts in this tutorial series and show you how to use them to build a movie app. The MVC project contains folders for the *Controllers* and *Views*.

35
aspnetcore/tutorials/publish-to-azure-webapp-using-cli.md
View File

@ -12,6 +12,7 @@ ms.prod: asp.net-core
ms.technology: aspnet
ms.custom: mvc
ms.devlang: dotnet
uid: tutorials/publish-to-azure-webapp-using-cli
---
# Deploy an ASP.NET Core application to Azure App Service from the command line
@ -38,6 +39,7 @@ To complete this tutorial, you'll need:
Create a new directory for the web application, create a new ASP.NET Core MVC application, and then run the website locally.
# [Windows](#tab/windows)
```cmd
REM Create a new ASP.NET Core MVC application
dotnet new razor -o MyApplication
@ -49,6 +51,19 @@ REM Run the application
dotnet run
```
# [Other](#tab/other)
```bash
# Create a new ASP.NET Core MVC application
dotnet new razor -o MyApplication
# Change to the new directory that was just created
cd MyApplication
# Run the application
dotnet run
```
---
![Command line output](publish-to-azure-webapp-using-cli/_static/new_prj.png)
Test the application by browsing to http://localhost:5000.
@ -94,6 +109,7 @@ You're ready to deploy from your local machine using Git.
> [!NOTE] It's safe to ignore any warnings from Git about line endings.
# [Windows](#tab/windows)
```cmd
REM Initialize the local Git repository
git init
@ -111,6 +127,25 @@ REM Push the local repository to the remote
git push azure master
```
# [Other](#tab/other)
```bash
# Initialize the local Git repository
git init
# Add the contents of the working directory to the repo
git add --all
# Commit the changes to the local repo
git commit -a -m "Initial commit"
# Add the URL as a Git remote repository
git remote add azure <THE GIT URL YOU NOTED EARLIER>
# Push the local repository to the remote
git push azure master
```
---
Git will prompt for the deployment credentials that were set earlier. After authenticating, the application will be pushed to the remote location, built, and deployed.
![Git deployment output](publish-to-azure-webapp-using-cli/_static/post_deploy.png)

4
aspnetcore/tutorials/publish-to-azure-webapp-using-vs.md
View File

@ -16,6 +16,8 @@ uid: tutorials/publish-to-azure-webapp-using-vs
By [Rick Anderson](https://twitter.com/RickAndMSFT), [Cesar Blum Silveira](https://github.com/cesarbs), and [Rachel Appel](https://twitter.com/rachelappel)
See [Publish to Azure from Visual Studio for Mac](https://blog.xamarin.com/publish-azure-visual-studio-mac/) if you are working on a Mac.
## Set up
* Open a [free Azure account](https://aka.ms/K5y5yh) if you do not have one.
@ -179,4 +181,4 @@ When you have finished testing the app, go to the [Azure portal](https://portal.
### Next steps
* [Continuous Deployment to Azure with Visual Studio and Git](../publishing/azure-continuous-deployment.md)
* [Continuous Deployment to Azure with Visual Studio and Git](../publishing/azure-continuous-deployment.md)