I want to pass the id to the controller (ASP.NET MVC 5) and get the result from the controller. I have the following code:
function LoadBook(id) { $.ajax({ url: '/Book/GetBookById' + id, type: 'get', dataType: 'json', success: function (data) { }, error: function (err) { alert("Error: " + err.responseText); } }) } Is it safe to do url: '/Book/GetBookById' + id? And if it doesn't safe, is there any way to do this?
The prescribed way to do this is:
public JsonResult GetBookById(int id) { // do your getting here var yourdata = MyDataAccessClass.getBookById(id); return new Json(yourdata, JsonRequestBehavior.AllowGet); } Your AJAX url would then be:
function LoadBook(id) { $.ajax({ url: '/Book/GetBookById/' + id, type: 'get', dataType: 'json', success: function (data) { }, error: function (err) { alert("Error: " + err.responseText); } }) } This is the "safe" and standard way to make calls in Microsoft's MVC.
id in the JS is always an integer. It could have a query string or ../some other action and be used to attack things.id is 1?secretParam=blah or ../DeleteBook/24, no error will be thrown.You need to use
encodeURIComponent(Id)
/Book/[id]or/Book/GetBookById/[id](the second way seems redundant to me). Non-RESTful you could do /Book/GetBookById?id=[id]. That said, the VS tools could scaffold this for you automatically.