I am working on a form, which I would like to validation features like This. Should this all be done on clientside? or server side? I am aware of using some of MS ajax controld, however, at what point do I display the message at the top?
I hope I explained myself.
You should validate at both ends.
Client side to make sure feedback is immediate so users can complete it fast (a bonus for them) and you save server resources (bonus for you).
Server side to make sure that any user-agents not using JS can check the incoming data. This is essential to stop malicious/corrupt data entering your system.
If you were only going to do one, make it server side, but there are considerable benefits to the user by implementing a dual-system.
validation on the client-side and provide feedback when they click the submit button
but since you cannot trust client-side validation, also validation on the server side and display feedback on postback if everything is not correct
but since you cannot trust the calling code, also validate in the database server (stored procedures are best) and raise errors back to the calling code if something is amiss
that way you've covered all the bases
It's generally considered a good practice to validate on both the client side and the server side...just in case someone attempts to directly submit a form POST without actually loading a page.
As far as when to display the validation message, it is something of a personal preference. I tend to perfer giving feedback as soon as possible, so I would do things like regex validation when the field looses focus.
Its really easy, you can use the ASP.NET Validation controls, you can use them in both, client and server side.
Check this resources:
How Do I: Use Validation Controls in ASP.NET? (video)
Form Validation with ASP.NET - It Doesn't Get Any Easier!
In general terms (depending upon the quality of your Ajax Framework) client-side validation is out. It's a relic from the past (Pre Ajax Times) and not really needed anymore...
Run all your validation on the server. After all with Ajax everything is 100 times as fast anyway, right...?
Related
Let's assume I have a profile page where DropDown is shown and 1 Admin user can change role of different user.
Eg:
2 - Admin
3 - Member
Assume that 1 is for SuperAdmin. If we have a DropDownList in Asp.Net and bind it to datasource in code behind and then mysteriously try to change values in DropDownList and then submit the form we get exception due to EventValidation. However in Asp.Net MVC if we edit it would definitely because it embraces the web. Is there anything I could do to prevent this kind of cross cutting things in my web applications?
One of thing I could is to check when the form is posted to see if value posted is either 2 or 3 and if not display some message like "Are you trying to hack". Are there any better alternatives?
The solution you mentioned (checking on server) IS the correct solution to prevent such hacks on web sites of any kind.
Using firebug is not the only option to "cheat" javascript based validation. It can also be done with any basic sniffer tools, such as fiddler, which can help a potential hacker to analyze the posted data to ur site, change it in a whatever way he wishes, and then to post it again, using the browser or his own networking tool.
I usually use both the validations (script and server side) in all the scenarios, while the client side validation's main purpose, in my opinion, is to prevent postbacks to server (which will annoy a normal user) when i can already tell on the client side, hes doing something wrong.
Such validations, however, can never be secure enough to guarrante the data is to be automaticlly trusted on server, as its too easy to modify javascript/ posted data, to override them.
EDIT
Following the resposne of UnhandleException:
In MVC specificly, you can use the Data Annotation attributes, to make the mvc engine render client side and server side validation for u
This tutorial explains how do use the attributes validation in ur mvc apps
Do not rely on client side validation. Build a validator for each input. Place the set of validators on the server-side of your application. If there are validators on the client-side, make sure the same validators are implemented on the server-side as well.
Here inputs means URL-based parameters, Form-based parameters, Hidden fields, Cookies ets.
I would like to replace asp.net form validation with jQuery validation but not sure is this secure. ASP.NET validation use client side and server side validation to prevent hack post to server by disabling client side JS validation.
If I will use client side jQuery validation then it can be easily compromised, no? Maybe I am missing something?
You should not use ONLY client side validation. It can be easily avoided. People generally use client side validation for the User Experience. That way forms don't have to do a full post to catch mistakes. You want to do server side validation for security purposes.
jQuery validation is exactly the same as client side JS validation. jQuery is javascript framework.
ALWAYS use server side validation, and if you want to improve the user's experience then include your client side validation.
you should always write server-side validation code even if you validate the data on the client, otherwise your site will be unsafe and easily could be hacked. But the reason for writing client-side validation is to avoid the round-trip to the server that would otherwise be required to validate the data. In other words, if the user enters invalid data, it's much more efficient and user-friendly to trap the error before
sending the data to the server, where if the data is invalid you'll have to rebuild the page and maintain the page state as well so that the user can fix the invalid value.
Try using asp.net AJAX plus server control validators as your validation framework for the following reasons:
It's secure because your validation runs in the server side
It's easier to implement because you dont have to write the same code twice, both in the server and in the client (javascript)
Server side code it's by far much easier to maintain than client side code
Your website will look responsive, although you must take care on how to reduce the data traveling in every partial postback. Research on this.
You are tied to the asp.net sintax and your developers will love this too. You won't actually need more.
Recommendations:
focus is lost on every partial postback: the DOM portion of the form submitted inside the update panel is replaced, and the browser does nothing to set the focus for the user. So make sure to set the focus on the proper controls thinking the user is entering data using the TAB keystroke.
if you want to customize the appeareance of your server validator controls with css, try inheriting the main validators: Custom, Regex and requiredField, with your own classes, which basically set and unset the error css class and message you want every server roundtrip (set before rendering). then map those custom classes to the framework's classes in the web.config (use tagmapping), so you alway use the default markup for server side validations. You get this way the best of the two worlds.
Jquery.validate.js
https://github.com/jzaefferer/jquery-validation
You can set this up to run independently of your own client side validation/instead of/or in conjunction with.
I want to build user friendly error reporting. Wrong input, db connection errors and such.
Problem is i need the same module be implemented for 3 different systems and to use jQuery UI modal boxes for UI.
when i redirect to another page ie.
db connection error i redirect to
error page
when i use return to same page ie.
input value 1 bigger than value 2
when it should be other way around
ASP.NET Ajax UpdatePanel errors,
wrong input for controls within
UpdatePanel that doesn't do regular
postpacks.
thanks for any help with implementation...
To clarify my question
I don't need input or object validation framework. I use ASP.NET and my own business logic to validate on client and server side.
what i really need is
Help with constructing a class that will show errors to users, current process is i catch exception, wrong input value or wrong link and based on that show user friendly message. I have no time and interest in learning logging framework as from my short experience to configure any pre-made high level framework (low level to me is ASP.NET) is harder that to have your own business logic and sometimes requires application re-design...
anyways... My question is pretty clear above. I need way to show centralized messages using jQuery UI.
When i redirect to another page i can save error in Session and get it on other page, if i use return to same page i cannot use Session and had no luck with overriding MasterPage public variables. When i have Ajax UpdatePanel i want again to validate data and show jQuery UI modal...
thats all
A different tactic would be to perform some validation on the client and since you are using jQuery there is a nice form validation plugin called Validation. Here is a good demo page. This will block you post back to the server until you have appropriate data types supplied for you form and will work with your Ajax update panels as well.
With this plugin your HTML mark up is quite straight forward:
<form id="theForm">
<input id="startDate" type="input" class="required datetime"/>
</form>
This will eliminate the need to direct to Error.aspx, store session variables, etc.
For those error that occur on the server, you need to consider whether the user should be able to progress further should a DBConnection error be thrown. In that case you could redirect to your error page, inject your error text and have the client display the content in the jQuery dialog box.
Edit: Are you logging exceptions to a database? If not I would recommend at least a rudimentary log. Other alternatives would be logging to a rolling file appender using log4net. Then, you can load the appropriate error from the logs for display to the user, regardless of how and where you are displaying the error.
See log4net
Also, a not of caution: Don't display DB connection errors to users. Log them so that you know whet is going on and then just tell the user that an error has occurred and that you are aware of it and looking into it.
End Edit
One good way to validate input is to put the validation on your data classes. This allows you to validate them at any time. I know this doesn't solve your redirection scenario which is more of a workflow issue and I hope some others can help you with that.
The reason I mentioned putting input validation on your data classes is that it allows you full control over when your validation is called and it allows you to validate multiple times, on the Client Side and Server Side for example.
A good implementation of this is the FluentValidation framework, which can be extended to automatically generate clientside validation, using the JQuery Validation plugin.
Another option which is becoming popular is Data Annotations. I don't have experience with these yet, but they are worth searching for with your favourite search engine.
Why do I need script on an aspx page?
Javascript will allow you to perfrorm client side coding, so to avoid having to post back to the server.
From Using JavaScript Along with ASP.NET
Working logic and application
processes on the client-side allows
browser based applications to seem
more responsive and to have more
"snappiness" to them.
For client scripting, i.e. validation. There are many scenarios where you need to execute certain logic on the browser's end.
Javascript runs on the client side. So if you want anything to happen or change without refreshing the whole page you use javascript.
There are a lot of things the server can't really do that well. For example if you want to manipulate the page. You could post the whole thing back to the server with some sort of action and get the server to give you a new page. Or you could just use javascript to change it for you and avoid the trip to the server. It is faster for the client and takes the load off of your server.
It helps in doing things on the client side, which essentially means you can :
reduce burden on your server
by doing less postbacks.
do a round of validations on the client
side itself if they are non critical.
Do some fancy stuff like animations etc with out contacting the server
There are a lot more implications/uses of using JavaScript.
For knowing more, remember google is your friend!
Thanks
I'm not sure if you mean why ASP.NET pages requires Javascript, or if you mean additional scripts on the page.
ASP.NET uses Javascript for several types of postbacks. If you for example have a LinkButton, a script is making a postback instead of the default action of the link.
You can use additional scripts on the page for visual effects and to verify data before doing a postback to prevent unneccessary postbacks. (Of course you should also verify the data on the server side to protect against malicious actions.)
I have a jQuery datepicker that I want to restrict non work days - weekends, public holidays etc. I have seen examples on how to do this from the client side (javascript), but is there a way to restrict the dates from server side ASP.NET code?
I figure you could do using Page.RegisterClientScriptBlock, but was wondering is there a neater way?
The JQuery stuff is all client side, so there is no server side to speak of. My recommendation would be to create some thin server-side wrappers that automagically do the equivalent of writing RegisterClientScriptBlock. That way you only have to fiddle around with the Javascript once, and it always just works.
You just do it when you validate the data being posted, using the same logic you use client-side. You should always be validating data at server-side, NOTHING from the client side can EVER be trusted, even if you have "validation code" there and think you're requiring javascript to be on for it to work.
Doing validation client-side should be a secondary thing, just to provide a nice user experience. There is no security in any client-side code. (Go install firebug and/or the "tamper data" extensions for firefox if you don't believe me).
There only two way to restrict the dates:
Client Side using Javascript
This could be done with the javascript being generated or not in the server side, but you will end up always with javascript
Server side
You must compare the dates inside the webcontrols or input using your favorite.net language (c# or vb.net)
For a better UX experience, you should do the restrict client side, but if you want to be sure the data is valid, you must check it server side.