User Input Validation in ASP.NET
HTML forms exist to collect data from the user. This data, like every piece of user input, must be checked first for both security and logical reasons (what could we do with irrelevant data?). There are two ways of checking the validity of user input: on the client side and on the server side. Client-side validation is swifter and more elegant than posting the data back to the server and then sending back an error message. But we must implement both validation techniques, because a crafty attacker can bypass our client-side validation and send, for example, scripts or SQL commands back to our page for processing.
ASP.NET Validation Controls
|Control|Description|
|---|---|
|RequiredFieldValidator|Checks that a given field in the form isn’t empty (or its default data has been changed) on submit.|
|RangeValidator|Checks that the given value is within a specific range – numerical, string or date.|
|CompareValidator|Compares a value of a specific control to a static value (less, greater, equal, identical), or another control.|
|RegularExpressionValidator|Checks whether a given control’s value matches a regular expression.|
|CustomValidator|Allows you to build up your own client- and server-side validation logic.|
|ValidationSummary|Shows a summary of validation errors for your page on submit.|
More than one validation control can work on a control, but every control has exactly one property that can be validated. When building a custom control, you can specify this property with the ValidationPropertyAttribute.
The Validation Process:
You can control your page’s validation behavior. Generally, it makes sense to validate a form when the user is about to submit it, and this is usually done with a button. Set the button’s CausesValidation to true (or don’t set it at all, since this is the default), and validation will take place when the user clicks it. Set it to false, and there won’t be any. Please note that there is a property to control client-side validation too, and it can be set individually for each validator. It is called EnableClientScript and accepts a Boolean value.
Furthermore, you can specify groups of controls, which should be validated together, with one or more controls (such as buttons) that will trigger their validation, by using the ValidationGroup property.
When you want to check whether a control is valid, you can check its IsValid property. Be aware, however, that you can only use it when client-side validation did not run. A more comfortable approach is the Page.IsValid property, which shows you whether all controls on your page passed validation.
The one validation control that deserves a little more explanation is CustomValidator. You can use it when the supplied validator controls aren’t enough for a specific task. It lets you define your own client- and server-side validation logic, with the following implementation:
<asp:TextBox runat="server" ID="MyBox"/>
<asp:CustomValidator runat="server" ControlToValidate="MyBox" ClientValidationFunction="CheckMyBoxClient" OnServerValidate="CheckMyBoxServer" ErrorMessage="Value isn’t even!"/>
Now, the client-side validation logic:
function CheckMyBoxClient(sender, args)
{
    // Valid only if the entered value is an even number
    args.IsValid = (args.Value % 2 == 0);
}
Then the server side:
protected void CheckMyBoxServer(object sender, ServerValidateEventArgs args)
{
    // Anything that does not parse as an integer is treated as invalid
    try { args.IsValid = (int.Parse(args.Value) % 2 == 0); }
    catch { args.IsValid = false; }
}
Accessing Validation Controls from Code:
You can validate a page, or a single validation control, by calling the Validate method, which sets the IsValid property. Checking that property helps you determine whether your page or control is valid.
You can also adjust some aspects of the validation process by setting the validator controls’ Enabled and EnableClientScript properties. You can even validate only a specific validation group by calling Page.Validate("GroupName").
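The server-side gate described above, as an added example that is not code from the original article: a code-behind class that re-runs one validation group on the server and refuses to process the input unless Page.IsValid is true, so a request that skipped the client script is still rejected. The class name EvenNumberPage, the group name "EvenGroup", SubmitButton_Click and ResultLabel are assumed names; MyBox and CheckMyBoxServer follow the article's markup.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed code-behind class; the .aspx is expected to declare MyBox, ResultLabel,
// the article's CustomValidator and a Button, all with ValidationGroup="EvenGroup".
public class EvenNumberPage : Page
{
    // Declared by hand here so the class is self-contained (assumed IDs).
    protected TextBox MyBox;
    protected Label ResultLabel;

    // Server-side counterpart of CheckMyBoxClient: runs on every postback,
    // whether or not the browser executed the client-side script.
    protected void CheckMyBoxServer(object sender, ServerValidateEventArgs args)
    {
        int value;
        args.IsValid = int.TryParse(args.Value, out value) && value % 2 == 0;
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Run the group's validators on the server before touching the input.
        Page.Validate("EvenGroup");

        if (!Page.IsValid)
        {
            // Record which validators failed; the page re-renders with
            // their ErrorMessage text and nothing is processed.
            foreach (IValidator validator in Page.GetValidators("EvenGroup"))
            {
                if (!validator.IsValid)
                {
                    Trace.Write("validation", validator.ErrorMessage);
                }
            }
            return;
        }

        // Only reached when every validator in the group passed on the server.
        int number = int.Parse(MyBox.Text);
        ResultLabel.Text = Server.HtmlEncode("Accepted: " + number);
    }
}
```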