The `HttpRequest` class provides access to the raw request data through the `QueryString`, `Headers`, and `Form` properties. However, whenever possible, it is recommended to use model binding instead of directly accessing the input data.
== Why is this an issue?
Both ASP.NET MVC implementations - https://learn.microsoft.com/en-us/aspnet/core[Core] and https://learn.microsoft.com/en-us/aspnet/overview[Framework] - support model binding in a comparable fashion. Model binding automatically maps data from HTTP requests to action method parameters, which provides numerous benefits compared to manually parsing raw incoming request data:
Simplicity:: Model binding simplifies the code by automatically mapping data from HTTP requests to action method parameters. You don't need to write any code to manually extract values from the request.
Type Safety:: Model binding provides type safety by automatically converting the incoming data into the appropriate .NET types. If the conversion fails, the model state becomes invalid, which you can easily check using `ModelState.IsValid`.
Validation:: With model binding, you can easily apply validation rules to your models using data annotations. If the incoming data doesn't comply with these rules, the model state becomes invalid.
Security:: Model binding helps protect against over-posting attacks by only including properties in the model that you explicitly bind using the `[Bind]` attribute or by using view models that only contain the properties you want to update.
Maintainability:: By using model binding, your code becomes cleaner, easier to read, and easier to maintain. It promotes the use of strongly typed views, which can provide compile-time checking of your views.
== How to fix it in ASP.NET Core
https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.form[`Request.Form`], https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.iformcollection.files[`Request.Form.Files`], https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.headers[`Request.Headers`], https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.query[`Request.Query`] and https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.routeValues[`Request.RouteValues`] are keyed collections that expose data from the incoming HTTP request:
* `Request.Form` - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST#:~:text=%3Cbutton%3E%20elements%3A-,application/x%2Dwww%2Dform%2Durlencoded,-%3A%20the%20keys%20and[`application/x-www-form-urlencoded`] form data from the HTTP request body
* `Request.Form.Files` - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST#:~:text=form%2Ddata%20instead)-,multipart/form%2Ddata,-%3A%20each%20value%20is[`multipart/form-data`] file data from the HTTP request body
* `Request.RouteValues` - Values extracted from the https://developer.mozilla.org/en-US/docs/Learn/Common_questions/Web_mechanics/What_is_a_URL#path_to_resource[path portion of the URL]
Model binding can bind these keyed collections to
* action method parameters by matching the key to the parameter name or
* the property of a complex type by matching the key to the property name.
To replace the keyed collection access, you can:
[options="header"]
|===
|Replace | with parameter binding | or complex type binding | or route binding

|`Request.Form`
|optional https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.fromformattribute[`++[FromForm]++`] attribute on the parameter or a https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.formcollection[`FormCollection`] parameter
|optional https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.fromformattribute[`++[FromForm]++`] attribute on the property
|

|`Request.Form.Files`
|https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.iformfile[`IFormFile`], https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.iformfilecollection[`IFormFileCollection`], or `IEnumerable<IFormFile>` parameter
|
|

|`Request.RouteValues`
|optional https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.fromrouteattribute[`++[FromRoute]++`] attribute on the parameter
|
|optional https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.fromrouteattribute[`++[Route("{id}")]++`] attribute on the action method/controller or via conventional routing
|===
The https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding[Model Binding in ASP.NET Core] article describes the mechanisms, conventions, and customization options for model binding in more detail. Route-based binding is described in the https://learn.microsoft.com/en-us/aspnet/core/mvc/controllers/routing[Routing to controller actions in ASP.NET Core] document.
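The bindings from the table above, combined with the type safety, validation and over-posting points from the list of benefits, shown in one ASP.NET Core controller. This is an added example, not part of the original rule description; `UserEntity`, `UserProfileForm`, `UsersController` and `Load` are hypothetical names, and attribute routing is assumed to be enabled.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical persistence entity: IsAdmin must never be settable from a request.
public class UserEntity
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public DateTime Birthdate { get; set; }
    public bool IsAdmin { get; set; }
}

// Hypothetical view model: contains only the fields the form may update.
public class UserProfileForm
{
    [Required, StringLength(100)]
    public string Name { get; set; } = "";

    // A value that cannot be converted to DateTime invalidates ModelState
    // instead of throwing, unlike DateTime.Parse on a raw form value.
    [DataType(DataType.Date)]
    public DateTime Birthdate { get; set; }
}

[Route("users")]
public class UsersController : Controller
{
    // id binds from the route values, form from the form body,
    // avatar from the uploaded files (optional).
    [HttpPost("{id}")]
    public IActionResult Update([FromRoute] int id, [FromForm] UserProfileForm form, IFormFile? avatar)
    {
        if (!ModelState.IsValid)
        {
            return ValidationProblem(ModelState); // conversion or annotation failure
        }

        var entity = Load(id);
        // Explicit copy: a posted "IsAdmin=true" field has no property on the
        // view model to bind to, so it never reaches the entity.
        entity.Name = form.Name;
        entity.Birthdate = form.Birthdate;
        return Ok(new { entity.Id, entity.Name, entity.Birthdate, HasAvatar = avatar is not null });
    }

    // Stand-in for a data store lookup.
    private static UserEntity Load(int id) => new UserEntity { Id = id };
}
```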
=== Code examples
==== Noncompliant code example
[source,csharp,diff-id=1,diff-type=noncompliant]
----
public IActionResult Post()
{
    var name = Request.Form["name"];                           // Noncompliant: Request.Form
    var birthdate = DateTime.Parse(Request.Form["Birthdate"]); // Noncompliant: Request.Form
    var locale = Request.Query.TryGetValue("locale", out var locales)
        ? locales.ToString()
        : null;                                                // Noncompliant: Request.Query
    return Ok();
}
----
https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequestbase.form[`Request.Form`] and https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequestbase.querystring[`Request.QueryString`] are keyed collections that expose data from the incoming HTTP request:
* `Request.Form` - https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/POST#:~:text=%3Cbutton%3E%20elements%3A-,application/x%2Dwww%2Dform%2Durlencoded,-%3A%20the%20keys%20and[`application/x-www-form-urlencoded`] form data from the HTTP request body
[options="header"]
|===
|Replace | with parameter binding | or complex type binding

|`Request.Form`
|optional https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.bindattribute[`++[Bind]++`] attribute on the parameter or a https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.formcollection[`FormCollection`] parameter
|optional https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.bindattribute[`++[Bind]++`] attribute on the parameter or type
|===
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/aspnet/core/mvc/models/model-binding[Model Binding in ASP.NET Core]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/aspnet/core/mvc/models/validation[Model validation in ASP.NET Core MVC and Razor Pages]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/aspnet/core/mvc/advanced/custom-model-binding[Custom Model Binding in ASP.NET Core]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.form[HttpRequest.Form Property]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.iformcollection.files[IFormCollection.Files Property]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.headers[HttpRequest.Headers Property]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.query[HttpRequest.Query Property]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.routevalues[HttpRequest.RouteValues Property]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.formcollection[FormCollection Class]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.iformfile[IFormFile Interface]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.iformfilecollection[IFormFileCollection Interface]
* Microsoft Learn - ASP.NET Core - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.bindattribute[BindAttribute Class]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/aspnet/web-api/overview/formats-and-model-binding/parameter-binding-in-aspnet-web-api[Parameter Binding in ASP.NET Web API]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-controller[Adding a New Controller]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-a-model[Adding a New Model]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/aspnet/mvc/overview/getting-started/introduction/adding-validation[Adding Validation]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/aspnet/web-api/overview/formats-and-model-binding/model-validation-in-aspnet-web-api[Model Validation in ASP.NET Web API]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest.form[HttpRequest.Form Property]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/dotnet/api/system.web.httprequest.querystring[HttpRequest.QueryString Property]
* Microsoft Learn - ASP.NET MVC 4.x - https://learn.microsoft.com/en-us/dotnet/api/system.web.mvc.bindattribute[BindAttribute Class]