As per the MSDN article, “AllowUnsafeUpdates is set to true when you are trying to update the database as a result of the GET request”.
For example, say you have a list and you want to update something in the SharePoint data [content DB]. You then need to set AllowUnsafeUpdates = true for the web, and after you are done you need to set it back to false.
What will happen if you set AllowUnsafeUpdates to false? And what is preventing cross-site scripting attacks? The FormDigest control takes care of all of it. I have already explained the “FormDigest” control in a previous post. Please go through that post to get more on it.
To update the content DB during a GET request, we need to set AllowUnsafeUpdates = true.
To update the content DB during a POST request, there is no need to set AllowUnsafeUpdates = true, because the "FormDigest" control is placed in every master page.
For reasons of security, by default, Microsoft SharePoint Foundation does not allow you to make posts from a Web application to modify the contents of the database unless you include security validation on the page making the request. You can update data for a single site or for a site collection by adding a page directive and a FormDigest control to the page that makes the request.
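As an added example (not code from the original post or from Microsoft's documentation), here is a code-behind that updates list items on a POST validated through the FormDigest control, so AllowUnsafeUpdates is never touched. The class name, the button handler, the list name and the field name are assumptions, and the page markup is assumed to contain the FormDigest control.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical application page (class and handler names are assumptions).
// Its .aspx markup is assumed to contain, inside the server-side form:
//   <SharePoint:FormDigest runat="server" />
// so that every postback carries a security validation digest.
public class UpdateFieldPage : LayoutsPageBase
{
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Change data only on a POST; a GET must stay read-only.
        if (!string.Equals(Request.HttpMethod, "POST",
                           StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Check the digest that the FormDigest control added to the form.
        // A request forged from another site cannot supply a valid digest.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("Security validation failed.");
        }

        // SPContext owns this SPWeb, so it must not be disposed here.
        SPWeb web = SPContext.Current.Web;
        SPList list = web.Lists["list name"];   // assumed list name

        foreach (SPListItem item in list.Items)
        {
            item["Field"] = "new val";          // assumed field name
            item.Update();                      // AllowUnsafeUpdates stays false
        }
    }
}
```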
How to manipulate SharePoint data programmatically?
So if you need to allow your code to make some updates, you need to set AllowUnsafeUpdates to true and then back to false as soon as you have updated.
// 'web' is an SPWeb that is already in scope (for example SPContext.Current.Web).
SPList list = web.Lists["list name"];
SPListItemCollection items = list.GetItems();
web.AllowUnsafeUpdates = true;   // skip security validation for the updates below
try
{
    foreach (SPListItem item in items)
    {
        item["Field"] = "new val";
        item.Update();
    }
}
finally
{
    // Set it back to false even if an update throws.
    web.AllowUnsafeUpdates = false;
}
Points to remember about "AllowUnsafeUpdates"
- You can set it to true to avoid security validation before the changes are written to the content database.
- A GET request needs "AllowUnsafeUpdates" enabled before updating SharePoint objects.
- A POST request doesn't need "AllowUnsafeUpdates" before updating SharePoint objects.
- Updates are currently disallowed on GET requests. To allow updates on GET, set the "AllowUnsafeUpdates" property to true.
- Always set AllowUnsafeUpdates back to true after you break inheritance in an environment with HTTPContext.
- What I have learned the hard way today is that when you set the AllowUnsafeUpdates property to true and your code jumps to the catch block of a try/catch statement, that property will be set to false again.
- Remember that if you inherit the page from the WebPartPage class, there is no need to use AllowUnsafeUpdates.
To know more about "AllowUnsafeUpdates", with some real-time examples, please refer to:
- http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spweb.allowunsafeupdates.aspx
- http://blog.animesh.co.in/2010/03/sharepoint-spsiteallowunsafeupdates.html
- http://svengillis.blogspot.in/2008/08/reminder-allowunsafeupdates-issues.html
- http://www.moss2007.be/blogs/vandest/archive/2007/07/23/spweb-allowunsafeupdates-and-trycatch.aspx