I create new page with lots of validation controls, such as RequiredValidation, RegexValidation and so on. I found out that when I create these validation controls, it seems like it render both client java-script and server validation for me automatically.
I want to know, do I understand correctly or not?
Yep. That is correct. The built-in controls do server side validation (for security) and client side validation (for performance and user experience) for you.
Tip: Don't add these validations to the mark-up, but add them through the code behind, as shown in this blog post, since it keeps your code DRY.
Related
I am a long time webform developer. I am used to using the asp.net validator controls to validate user input.
While I like the fact that asp.net has the potential to validate the input on both the client and server side, I feel that the way the validators render isn't ideal. I'm constantly looking, with envy, at javascript validation libraries (like Parsley.js) and wishing asp.net validators would work like that. For instance, I'd like to be able to change the css class for fields that fail validation. Or I'd like to hide or display an img based on validation logic.
However, the problem with moving to a library like Parsley.js is I lose server side validation, which for security purposes, is the most important layer.
Is there a way to integration server side validation, with a client side framework? In a way that doesn't require a lot of duplicate effort?
In asp.net You can always trigger validation by the validator1.Validate() method, which will do the server-side comparison. Check Page.IsValid to see if server-side validation isn't being performed? I think you can invoke it via Page.Validate().Or the overloaded Page.Validate(string) to target one of your validation groups.
http://msdn.microsoft.com/en-us/library/aa479013.aspx
Let's assume I have a profile page where DropDown is shown and 1 Admin user can change role of different user.
Eg:
2 - Admin
3 - Member
Assume that 1 is for SuperAdmin. If we have a DropDownList in Asp.Net and bind it to datasource in code behind and then mysteriously try to change values in DropDownList and then submit the form we get exception due to EventValidation. However in Asp.Net MVC if we edit it would definitely because it embraces the web. Is there anything I could do to prevent this kind of cross cutting things in my web applications?
One of thing I could is to check when the form is posted to see if value posted is either 2 or 3 and if not display some message like "Are you trying to hack". Are there any better alternatives?
The solution you mentioned (checking on server) IS the correct solution to prevent such hacks on web sites of any kind.
Using firebug is not the only option to "cheat" javascript based validation. It can also be done with any basic sniffer tools, such as fiddler, which can help a potential hacker to analyze the posted data to ur site, change it in a whatever way he wishes, and then to post it again, using the browser or his own networking tool.
I usually use both the validations (script and server side) in all the scenarios, while the client side validation's main purpose, in my opinion, is to prevent postbacks to server (which will annoy a normal user) when i can already tell on the client side, hes doing something wrong.
Such validations, however, can never be secure enough to guarrante the data is to be automaticlly trusted on server, as its too easy to modify javascript/ posted data, to override them.
EDIT
Following the resposne of UnhandleException:
In MVC specificly, you can use the Data Annotation attributes, to make the mvc engine render client side and server side validation for u
This tutorial explains how do use the attributes validation in ur mvc apps
Do not rely on client side validation. Build a validator for each input. Place the set of validators on the server-side of your application. If there are validators on the client-side, make sure the same validators are implemented on the server-side as well.
Here inputs means URL-based parameters, Form-based parameters, Hidden fields, Cookies ets.
I would like to replace asp.net form validation with jQuery validation but not sure is this secure. ASP.NET validation use client side and server side validation to prevent hack post to server by disabling client side JS validation.
If I will use client side jQuery validation then it can be easily compromised, no? Maybe I am missing something?
You should not use ONLY client side validation. It can be easily avoided. People generally use client side validation for the User Experience. That way forms don't have to do a full post to catch mistakes. You want to do server side validation for security purposes.
jQuery validation is exactly the same as client side JS validation. jQuery is javascript framework.
ALWAYS use server side validation, and if you want to improve the user's experience then include your client side validation.
you should always write server-side validation code even if you validate the data on the client, otherwise your site will be unsafe and easily could be hacked. But the reason for writing client-side validation is to avoid the round-trip to the server that would otherwise be required to validate the data. In other words, if the user enters invalid data, it's much more efficient and user-friendly to trap the error before
sending the data to the server, where if the data is invalid you'll have to rebuild the page and maintain the page state as well so that the user can fix the invalid value.
Try using asp.net AJAX plus server control validators as your validation framework for the following reasons:
It's secure because your validation runs in the server side
It's easier to implement because you dont have to write the same code twice, both in the server and in the client (javascript)
Server side code it's by far much easier to maintain than client side code
Your website will look responsive, although you must take care on how to reduce the data traveling in every partial postback. Research on this.
You are tied to the asp.net sintax and your developers will love this too. You won't actually need more.
Recommendations:
focus is lost on every partial postback: the DOM portion of the form submitted inside the update panel is replaced, and the browser does nothing to set the focus for the user. So make sure to set the focus on the proper controls thinking the user is entering data using the TAB keystroke.
if you want to customize the appeareance of your server validator controls with css, try inheriting the main validators: Custom, Regex and requiredField, with your own classes, which basically set and unset the error css class and message you want every server roundtrip (set before rendering). then map those custom classes to the framework's classes in the web.config (use tagmapping), so you alway use the default markup for server side validations. You get this way the best of the two worlds.
Jquery.validate.js
https://github.com/jzaefferer/jquery-validation
You can set this up to run independently of your own client side validation/instead of/or in conjunction with.
For the ASP.NET validator controls, I want to use both client-side validation for the user experience and server-side validation to guard against hackers. ASP.NET documentation leads me to believe that if EnableClientScript="True" then there will be no server-side validation if client-side validation is possible for the user agent. To get server-side validation, the documentation says use EnableClientScript="False", which bypasses client-side validation altogether.
Am I misunderstanding how the validator controls work? I ask because it seems obvious that many developers would want both client and server side validation together, and I find it hard to believe both together is not possible with one of the standard validation controls.
If I am understanding the ASP.NET documentation correctly, then I can find only two options:
Use two validator controls exactly the same except for their ID and EnableClientScript properties. Obviously ugly for maintaining two controls almost the same.
Write some code behind to check if postback then invoke the Validate method on the validator group. Why write code behind if there a way to be automatic from the control?
Is there a way to do so using a single validator control with no code behind?
Thanks in advance for your input.
The server-side validation will always occur, so you don't have to worry about it. The only way around that would be to use the CustomValidator or create your own validator class from BaseValidator that don't do anything server-side.
By default, server-side validation occurs after Page_Load() and before any triggered events (e.g. button click). In your Page_Load(), however, you can force a Page.Validate(). After validation has occurred you can check the Page.IsValid property.
I recommend you read ASP.NET Validation in Depth. Also, it's not what you asked for, but it is fundamental that you understand the page lifecycle and ViewState (if you're not using MVC). Almost everything you will encounter makes use of it.
You are misunderstanding how the validators work. You always get server validation, bit client validation is optional. The only exception to this is the custom validator where you do not have to do anything server side if you don't want to.
use an asp validator in your markup, then on postback do the following:
Page.Validate()
if(Page.isValid)
{
// Validation passed
}
According to this Microsoft source, "the Web Forms page framework always performs validation on the server, even if the validation has already been performed on the client."
There is a lot more information there about how to implement the validation controls in ASP.Net 2.0. Presumably, the basic behavior has not changed in subsequent ASP.Net releases.
I am working on a form, which I would like to validation features like This. Should this all be done on clientside? or server side? I am aware of using some of MS ajax controld, however, at what point do I display the message at the top?
I hope I explained myself.
You should validate at both ends.
Client side to make sure feedback is immediate so users can complete it fast (a bonus for them) and you save server resources (bonus for you).
Server side to make sure that any user-agents not using JS can check the incoming data. This is essential to stop malicious/corrupt data entering your system.
If you were only going to do one, make it server side, but there are considerable benefits to the user by implementing a dual-system.
validation on the client-side and provide feedback when they click the submit button
but since you cannot trust client-side validation, also validation on the server side and display feedback on postback if everything is not correct
but since you cannot trust the calling code, also validate in the database server (stored procedures are best) and raise errors back to the calling code if something is amiss
that way you've covered all the bases
It's generally considered a good practice to validate on both the client side and the server side...just in case someone attempts to directly submit a form POST without actually loading a page.
As far as when to display the validation message, it is something of a personal preference. I tend to perfer giving feedback as soon as possible, so I would do things like regex validation when the field looses focus.
Its really easy, you can use the ASP.NET Validation controls, you can use them in both, client and server side.
Check this resources:
How Do I: Use Validation Controls in ASP.NET? (video)
Form Validation with ASP.NET - It Doesn't Get Any Easier!
In general terms (depending upon the quality of your Ajax Framework) client-side validation is out. It's a relic from the past (Pre Ajax Times) and not really needed anymore...
Run all your validation on the server. After all with Ajax everything is 100 times as fast anyway, right...?