Don’t use Delete Links

  • Article

So says Stephen Walther (who recently keynoted the Reston MSDN Developer Conference). Why not use Delete links in an MVC app? I’ll let Stephen tell you:

I created a sample ASP.NET MVC application that I plan to post at the https://www.ASP.net/mvc website. While the application was being code reviewed by the ASP.NET MVC Feature team, a surprising objection surfaced.

The application is extremely simple. It contains a view that renders a list of database records. Next to each record, there is an Edit link and a Delete link (see Figure 1). Pretty standard stuff. Or, so I thought…

Figure 1 – A Grid of database records

clip_image002

Here’s the objection. You should not use a link for deleting a record. Using a Delete link opens up a security hole.

Read the whole post for what happens if you provide a Delete link in a typical MVC app, and some ways you can avoid the negative security implications. Really good tip!

ASP.NET MVC Tip #46 – Don’t use Delete Links because they create Security Holes