Posted by: Cirilo Meggiolaro | 05/1/2009

Tip of the day #199 – ASP.NET MVC – Defining model-binding explicitly

When an ASP.NET MVC view accepts user input and posts it to the server, we can use the built-in model-binding features of ASP.NET MVC, either by receiving an instance of the ModelView type as a parameter of the action method that handles the post or by invoking the UpdateModel method.

This automatic binding is useful, but for more control and security we can restrict which properties are allowed to be bound automatically. Let’s check how to do that.

Option 1 – The Bind attribute

The Bind attribute is an easy way to define the properties that may be updated. Since it is an attribute, it is just a matter of applying it to the model parameter of the action method that handles the post operation.

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create([Bind(Include = "Name,Description,Active")] MyModelView myModelView)
{
    // Only Name, Description and Active are bound from the posted values.
    return View(myModelView);
}

When the post occurs, only the properties listed in the attribute are updated. Alternatively, you can define the properties that are excluded from the update by using the Bind attribute with the Exclude named parameter instead.

[Bind(Exclude = "ID,CreatedDate,CreatedBy")]

Another option is to apply the attribute at the ViewModel level so that all update processes follow this definition.

[Bind(Include = "Name,Description,Active")]
public class MyViewModel { }

Option 2 – UpdateModel method overloads

The generic UpdateModel method has several overloads; six of them accept arrays of strings that define the properties to be either included or excluded. Let’s check those overloads:

  • void UpdateModel<TModel>(TModel model, string[] includeProperties);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties);
  • void UpdateModel<TModel>(TModel model, string[] includeProperties, IDictionary<string, ValueProviderResult> valueProvider);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, IDictionary<string, ValueProviderResult> valueProvider);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties);
  • void UpdateModel<TModel>(TModel model, string prefix, string[] includeProperties, string[] excludeProperties, IDictionary<string, ValueProviderResult> valueProvider).

So, if you want to define properties to be included or excluded during the update process, you just need to create an array of strings and invoke the UpdateModel overload that best fits your needs.

string[] includeProperties = { "Name", "Description", "Active" };
UpdateModel(myModelView, includeProperties);
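The following is an added example, not code from the original post, that puts an unrestricted UpdateModel call beside the allow-listed form so the difference in what a posted form can change is visible. The MyModelView properties (taken from the Include/Exclude lists above), the controller name, the action names and the LoadFromStore helper are assumptions made for illustration.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical model; property names follow the post's Include/Exclude lists.
public class MyModelView
{
    public int ID { get; set; }
    public string Name { get; set; }
    public string Description { get; set; }
    public bool Active { get; set; }
    public DateTime CreatedDate { get; set; }   // meant to be set by the server only
    public string CreatedBy { get; set; }       // meant to be set by the server only
}

public class MyModelController : Controller
{
    // Allow-list kept in one place so every action binds the same fields.
    private static readonly string[] EditableProperties = { "Name", "Description", "Active" };

    // Unrestricted: any settable property with a matching posted field is overwritten,
    // so a request that carries CreatedBy or CreatedDate changes those values too.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult EditUnrestricted(int id)
    {
        MyModelView model = LoadFromStore(id);
        UpdateModel(model);
        return View("Edit", model);
    }

    // Restricted: only the allow-listed properties are read from the request;
    // posted values for ID, CreatedDate and CreatedBy are ignored.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Edit(int id)
    {
        MyModelView model = LoadFromStore(id);
        // TryUpdateModel is the non-throwing counterpart of UpdateModel.
        if (!TryUpdateModel(model, EditableProperties))
        {
            return View(model);   // redisplay the form with the binding errors
        }
        // Persist the model here, then leave the form.
        return RedirectToAction("Index");
    }

    // Hypothetical stand-in for a repository lookup (constructed sample values).
    private static MyModelView LoadFromStore(int id)
    {
        return new MyModelView { ID = id, Name = "existing", CreatedDate = new DateTime(2009, 1, 1), CreatedBy = "system" };
    }
}
```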


Responses

  1. Hi Cirilo,

    Have you actually seen includeProperties actually working? I am trying it at the moment, and still, all properties are being bound, even ones that don’t exist on the form – and they are being bound to null, including my lists and creation date/times etc., which is not good, hence why I wish to use includeProperties.

    Any thoughts?

