
I want to know whether using DBEntities like this in a view is the right way or not. I mean, is it a security issue or not in our project? Any suggestion or recommendation, please.

VIEW

@using proName.Models
@{
        proNameEntities DB = new proNameEntities();
}

<div class="">
@{
    int conID; // must be assigned before use; the original post does not show where it comes from
    var UserExist = DB.Users.Where(x => x.UserID == conID).FirstOrDefault();

    if (UserExist != null)
    {
        <p>@UserExist.name</p>
    }
}
</div>
    You should be doing loading of entities in your controller / an injected class to your controller... Your view should be lightweight / display logic only... Commented Apr 18, 2019 at 9:42

4 Answers


To follow an MVC pattern you should:

  1. Create a viewmodel object

    class ViewModel{
        public List<Users> Users {get; set;} // whatever the name of your entity is
    }
    
  2. Populate that ViewModel with your list from the controller side:

    public class HomeController : Controller {
    
        proNameEntities DB = new proNameEntities();   // initialise db entities here
    
        public ActionResult Index(){
            ViewModel vm = new ViewModel();
            vm.Users = this.DB.Users.ToList(); // materialise the DbSet into the List<Users> property
            return View(vm); // pass the viewmodel object to the view
        }
    }
    
  3. At the top of the View, indicate the type of object it is receiving:

    @model ViewModel //use full path if it's not in the same scope
    
  4. Then use your viewmodels list in the view:

    @{
      foreach (var user in Model.Users){
           //do something
      }
    }
    

Ideally, you would also want to do that UserExist logic inside your controller. So create a new property on the viewmodel, perform your check from the controller, then insert the data into the ViewModel object, and pass it to the View.


2 Comments

As you answered, it is only for the Index method; it will run only when the Index method is called. But I want it all over my project, so that's why I posted asking what the right way to code it is, because I have a partial view in my header and the header is all over my project.
I don't quite understand your comment fully, but it seems like this could be accomplished with partial views and viewmodel inheritance. Short explanation: you have child viewmodels and a base. This way, your partial view uses a controller which passes a child viewmodel, so your UserExist check is executed each time, and the child viewmodel still works with the parent view because it inherits from the base viewmodel, so all types are consistent.
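The approach from this answer and its comments, worked through for the header case as an added example (not code from the original post): the UserExist lookup moves into a child action that renders the header partial with its own viewmodel, so the view only displays data. The `proNameEntities`, `Users`, `UserID` and `name` identifiers come from the question; `HeaderController`, `HeaderViewModel`, `_UserHeader` and the way the user id is derived from the authenticated identity are assumptions.

```csharp
using System.Linq;
using System.Web.Mvc;
using proName.Models;

// Viewmodel for the header partial: only what the view needs to display.
public class HeaderViewModel
{
    public bool UserExists { get; set; }
    public string DisplayName { get; set; }
}

public class HeaderController : Controller
{
    private readonly proNameEntities _db = new proNameEntities();

    // [ChildActionOnly]: reachable only via @Html.Action from a view,
    // never as a routable URL, so the lookup runs on every page that
    // renders the header without exposing a separate endpoint.
    [ChildActionOnly]
    public ActionResult UserHeader()
    {
        var vm = new HeaderViewModel();

        // Assumption: the user id is taken from the authenticated identity,
        // not from a value hard-coded in the view or supplied by the client.
        int conID;
        if (User.Identity.IsAuthenticated && int.TryParse(User.Identity.Name, out conID))
        {
            var user = _db.Users.FirstOrDefault(x => x.UserID == conID);
            if (user != null)
            {
                vm.UserExists = true;
                vm.DisplayName = user.name;
            }
        }

        // _UserHeader.cshtml (hypothetical) is display-only:
        //   @model HeaderViewModel
        //   @if (Model.UserExists) { <p>@Model.DisplayName</p> }
        // and _Layout.cshtml renders it with:
        //   @Html.Action("UserHeader", "Header")
        return PartialView("_UserHeader", vm);
    }

    // Dispose the context with the controller so connections are not leaked.
    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

Because the connection string and query logic now live in compiled controller code rather than in a .cshtml file shipped as source, the concern raised later in the thread about readable view code no longer applies to this lookup.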

It's not correct and not recommended.

The code that is related to the backend should be written in the controller (also recommended by Microsoft).

Write the code in the controller, then pass the result to the view via a model.

Comments


It is not correct, because it violates MVC (refers to Model-View-Controller).

The controller's responsibility is to link the database to the view. Putting database logic in the view will make your code very bad and hard to maintain and test.

Besides, you have cancelled the role of the ViewModel.

2 Comments

Agreed with you, but one thing to know: is it a security issue or not?
When publishing, views are copied as they are, while controllers are compiled to dlls. So the code can be seen. This should be avoided, especially if your database involves some password or connection string.

Rather than putting your business/database code into the View (MVC), you should inject the view data into the Action, like the code below:

proNameEntities DB = new proNameEntities(); // the entities context from the question

public ActionResult Index()
{
    var conID = 1; //BASED ON DATA-INPUT
    var userExists = DB.Users.Where(x => x.UserID == conID).FirstOrDefault();
    return View(userExists?.Name);
}

Comments
