In the previous tutorial you created an MVC application that stores and displays data using the Entity Framework and SQL Server LocalDB. In this tutor
In the previous tutorial you created an MVC application that stores and displays data using the Entity Framework and SQL Server LocalDB. In this tutorial you'll review and customize the CRUD (create, read, update, delete) code that the MVC scaffolding automatically creates for you in controllers and views.
在之前的課程中,你使用Ef和SQL Server LocalDB創建了可以存儲和顯示數據的MVC程式,在這個系列的課程中,你將會複習和自定義MVC增刪查改的代碼。
Note It's a common practice to implement the repository pattern in order to create an abstraction layer between your controller and the data access layer. To keep these tutorials simple and focused on teaching how to use the Entity Framework itself, they don't use repositories. For information about how to implement repositories, see the ASP.NET Data Access Content Map.
現在很普遍會實現倉儲模式,用來在你的控制器和數據訪問層之間,創建一個抽象層。為了保證這個系列的課程,儘可能的簡單,並且集中註意力在教授怎麼去使用EF,這裡不使用倉儲模式,要瞭解怎麼實現倉儲模式,請看鏈接的文章。
Create a Details Page
The scaffolded code for the Students Index page left out the Enrollments property, because that property holds a collection. In the Details page you'll display the contents of the collection in an HTML table.
基架忽視了Student列表頁的Enrollments屬性,因為這個屬性包含一個集合,在詳細頁面,你將會在一個HTML表格中顯示這個集合的內容。
1 public ActionResult Details(int? id) 2 { 3 if (id == null) 4 { 5 return new HttpStatusCodeResult(HttpStatusCode.BadRequest); 6 } 7 Student student = db.Students.Find(id); 8 if (student == null) 9 { 10 return HttpNotFound(); 11 } 12 return View(student); 13 }
After the EnrollmentDate field and immediately before the closing </dl> tag, add the highlighted code to display a list of enrollments, as shown in the following example: 在Enrollmentdate欄位的後面,添加下麵高亮顯示的代碼:
1 @model ContosoUniversity.Models.Student 2 3 @{ 4 ViewBag.Title = "Details"; 5 Layout = "~/Views/Shared/_Layout.cshtml"; 6 } 7 8 <h2>Details</h2> 9 10 <div> 11 <h4>Student</h4> 12 <hr /> 13 <dl class="dl-horizontal"> 14 <dt> 15 @Html.DisplayNameFor(model => model.LastName) 16 </dt> 17 18 <dd> 19 @Html.DisplayFor(model => model.LastName) 20 </dd> 21 22 <dt> 23 @Html.DisplayNameFor(model => model.FirstMidName) 24 </dt> 25 26 <dd> 27 @Html.DisplayFor(model => model.FirstMidName) 28 </dd> 29 30 <dt> 31 @Html.DisplayNameFor(model => model.EnrollmentDate) 32 </dt> 33 34 <dd> 35 @Html.DisplayFor(model => model.EnrollmentDate) 36 </dd> 37 <dt> 38 @Html.DisplayNameFor(model=>model.Enrollments) 39 </dt> 40 <dd> 41 <table> 42 <tr> 43 <th>Course Title</th> 44 <th>Grade</th> 45 </tr> 46 @foreach (var item in Model.Enrollments) 47 { 48 <td>@Html.DisplayFor(s=>item.Course.Title)</td> 49 <td>@Html.DisplayFor(s=>item.Grade)</td> 50 } 51 </table> 52 </dd> 53 54 </dl> 55 </div> 56 <p> 57 @Html.ActionLink("Edit", "Edit", new { id = Model.ID }) | 58 @Html.ActionLink("Back to List", "Index") 59 </p>
小技巧:Ctrl+K+D,代碼縮進
現在,運行項目,點擊詳細列表:
Update the Create Page
In Controllers\StudentController.cs, replace the HttpPost Create action method with the following code to add a try-catch block and remove ID from the Bind attribute for the scaffolded method:
打開Student控制器,用下麵的代碼來更新:
1 // POST: Students/Create 2 // 為了防止“過多發佈”攻擊,請啟用要綁定到的特定屬性,有關 3 // 詳細信息,請參閱 http://go.microsoft.com/fwlink/?LinkId=317598。 4 [HttpPost] 5 [ValidateAntiForgeryToken] 6 public ActionResult Create([Bind(Include = "LastName,FirstMidName,EnrollmentDate")] Student student) 7 { 8 try 9 { 10 if (ModelState.IsValid) 11 { 12 db.Students.Add(student); 13 db.SaveChanges(); 14 return RedirectToAction("Index"); 15 } 16 17 } 18 catch (DataException /*dex*/) 19 { 20 //Log the error (uncomment dex variable name and add a line here to write a log. 21 ModelState.AddModelError("", "Unable to save changes. Try again, and if the problem persists see your system administrator."); 22 } 23 24 25 return View(student); 26 }
This code adds the Student entity created by the ASP.NET MVC model binder to the Students entity set and then saves the changes to the database. (Model binder refers to the ASP.NET MVC functionality that makes it easier for you to work with data submitted by a form; a model binder converts posted form values to CLR types and passes them to the action method in parameters. In this case, the model binder instantiates a Studententity for you using property values from the Form collection.)
You removed ID from the Bind attribute because ID is the primary key value which SQL Server will set automatically when the row is inserted. Input from the user does not set the ID value.
Security Note: The ValidateAntiForgeryToken attribute helps prevent cross-site request forgery attacks. It requires a corresponding Html.AntiForgeryToken() statement in the view, which you'll see later.
ValidateAntiForgeryToken屬性幫助阻止跨站點請求攻擊,它需要在視圖中寫上Html.AntiForgeryToken()語句。你後面將會看到。
The Bind attribute is one way to protect against over-posting in create scenarios. For example, suppose the Student entity includes a Secret property that you don't want this web page to set.
Even if you don't have a Secret field on the web page, a hacker could use a tool such asfiddler, or write some JavaScript, to post a Secret form value. Without the Bind attribute limiting the fields that the model binder uses when it creates a Student instance, the model binder would pick up that Secret form value and use it to create the Studententity instance. Then whatever value the hacker specified for the Secret form field would be updated in your database. The following image shows the fiddler tool adding theSecret field (with the value "OverPost") to the posted form values. 這段話,簡而言之就是,沒有Bind屬性,黑客就會將數據Post到你的資料庫中。(PS:本來翻譯好了,結果手殘,按錯了,懶得再翻譯。)
You can prevent overposting in edit scenarios is by reading the entity from the database first and then calling TryUpdateModel, passing in an explicit allowed properties list. That is the method used in these tutorials.
An alternative way to prevent overposting that is preferrred by many developers is to use view models rather than entity classes with model binding. Include only the properties you want to update in the view model. Once the MVC model binder has finished, copy the view model properties to the entity instance, optionally using a tool such as AutoMapper. Use db.Entry on the entity instance to set its state to Unchanged, and then set Property("PropertyName").IsModified to true on each entity property that is included in the view model. This method works in both edit and create scenarios.
(PS:這裡我有空再完善了,先學完這個系列的課程)
Other than the Bind attribute, the try-catch block is the only change you've made to the scaffolded code. If an exception that derives from DataException is caught while the changes are being saved, a generic error message is displayed. DataException exceptions are sometimes caused by something external to the application rather than a programming error, so the user is advised to try again. Although not implemented in this sample, a production quality application would log the exception. For more information, see the Log for insight section in Monitoring and Telemetry (Building Real-World Cloud Apps with Azure).
(PS:這裡我有空再完善了,先學完這個系列的課程)
The code in Views\Student\Create.cshtml is similar to what you saw in Details.cshtml, except that EditorForand ValidationMessageFor helpers are used for each field instead of DisplayFor. Here is the relevant code:
(PS:這裡我有空再完善了,先學完這個系列的課程)
Update the Edit HttpPost Method
In Controllers\StudentController.cs, the HttpGet Edit method (the one without the HttpPost attribute) uses theFind method to retrieve the selected Student entity, as you saw in the Details method. You don't need to change this method.
However, replace the HttpPost Edit action method with the following code:
1 [HttpPost,ActionName("Edit")] 2 [ValidateAntiForgeryToken] 3 public ActionResult EditPost(int?id) 4 { 5 if (id == null) 6 { 7 return new HttpStatusCodeResult(HttpStatusCode.BadRequest); 8 } 9 var studentTOUpdate = db.Students.Find(id); 10 if (TryUpdateModel(studentTOUpdate, "", new string[] {"LastName","FirstName","EnrollmentDate" })) 11 { 12 13 try 14 { 15 db.SaveChanges(); 16 return RedirectToAction("Index"); 17 } 18 catch (DataException /*dex */) 19 { 20 ModelState.AddModelError("", "不能保存,請再試"); 21 } 22 } 23 return View(studentTOUpdate); 24 }
These changes implement a security best practice to prevent overposting, The scaffolder generated a Bind attribute and added the entity created by the model binder to the entity set with a Modified flag. That code is no longer recommended because the Bind attribute clears out any pre-existing data in fields not listed in the Includeparameter. In the future, the MVC controller scaffolder will be updated so that it doesn't generate Bind attributes for Edit methods.
The new code reads the existing entity and calls TryUpdateModel to update fields from user input in the posted form data. The Entity Framework's automatic change tracking sets the Modified flag on the entity. When the SaveChangesmethod is called, the Modified flag causes the Entity Framework to create SQL statements to update the database row. Concurrency conflicts are ignored, and all columns of the database row are updated, including those that the user didn't change. (A later tutorial shows how to handle concurrency conflicts, and if you only want individual fields to be updated in the database, you can set the entity to Unchanged and set individual fields to Modified.)
