AJAX Validation QuickStart documentation | ServerSideValidationExtender Control documentation | Patterns related to validation

Validation

Validation can be classified in two different types:
  • Server-side validation. This type of validation takes place in the server, during a postback.
  • Client-side validation. This type of validation takes place in the browser and does not require a postback.

Choosing the Validation Type

Web client developers have to choose the validation type (client-side or server-side) that best suits their scenarios. When deciding the validation type to use, consider the following guidelines:
  • If providing immediate feedback to the user about validation results is critical, use client-side validation.
  • If your validation requires resources in the server, use server-side validation. Also, for security reasons, server-side validation should always be done.

If providing immediate feedback to the user about validation results is critical, use client-side validation.

Client-side validation takes place in the browser; therefore, it does not require a round trip to the server. Thus, it is useful to enhance the UI responsiveness because the user does not need to wait for the server to response.

Note:
Client-side validation can easily be bypassed by malicious users to perform attacks against your application. For more information, see the section “Validation Security Guidelines.”

If your validation requires resources in the server, use server-side validation. Also, for security reasons, server-side validation should always be done.

Server-side validation takes place in the server; therefore, it requires round trips to the server. Developers have to perform server-side validation when the validation process requires resources on the server, such as a list of valid values stored in a database, against which input can be compared. Server-side validation also improves security because it is not trivial to bypass it. In cases where client-side and server-side validation types are used together, the validation on the server acts as a second barrier that stops malicious users who bypass client-side validation (for more information, see the section, “Validation Security Guidelines”).
If improving the UI responsiveness is critical in your application, consider combining server-side validation with client-side validation.

ASP.NET Validation Controls

The Web Forms framework includes a set of validation server controls that provide an easy-to-use but powerful way to check input forms for errors and, if necessary, display messages to the user.
Validation controls are added to a Web Forms page like other server controls. There are controls for specific types of validation, such as range checking or pattern matching, plus a RequiredFieldValidator that ensures that a user does not skip an entry field. You can attach more than one validation control to an input control. For example, you might specify both that an entry is required and that it must contain a specific range of values.
Validation controls work with a limited subset of HTML and Web server controls. For each control, a specific property contains the value to be validated. The validation controls always perform validation checking in server code; therefore, they require a full-page round trip. However, if the user is working with a browser that supports DHTML, the validation controls can also perform validation using client script. With client-side validation, any errors are detected on the client when the form is submitted to the server. If any of the validators are found to be in error, the submission of the form to the server is canceled and the validator's Text property is displayed. This permits the user to correct the input before submitting the form to the server. Field values are revalidated immediately after the field containing the error loses focus, thus providing the user with a rich, interactive validation experience.
The ASP.NET validation framework includes a control named CustomValidator. This control enables users to perform validation that is not included in another validation control or to perform validation that requires access to information on the server, such as a database or Web service. When developers use a CustomValidator, they have to provide a server validation function that performs the validation logic. If you add a CustomValidator with only a server validation function defined, client-side validation will not be performed. The CustomValidator does not perform validations as users tab between fields, and it requires a round trip to the server to perform its validation. If you are using a CustomValidator to perform a check that does not need any information that lives on the server, you can also have your validator fully participate in client-side validation by implementing a client validation function. It is assumed that if you provide a client validation function, it should ideally perform exactly the same checks as your server validation handler. Failing that, it should perform a subset of that verification. Make sure you do not have a client validation function that does more verifications than are performed on the server, because hackers will be able to easily bypass it.

Enterprise Library Validation Application Block

The Enterprise Library Validation Application Block provides a library of classes, named validators, that contain code for validating .NET Framework data types. For example, one validator checks for null strings and another validator checks that a number falls within a specified range. The Validation Application Block is designed to allow you to easily validate objects. In many situations, you can validate an object with a single line of code. The following example shows how to associate a validator with an object and how to validate that object.

using Microsoft.Practices.EnterpriseLibrary.Validation;
using Microsoft.Practices.EnterpriseLibrary.Validation.Validators;
public class Customer
{
    [StringLengthValidator(0, 20)]
    public string CustomerName;

    public Customer(string customerName)
    {
        this.CustomerName = customerName;
    }
}

public class MyExample
{
    public static void Main() 
    {
        Customer myCustomer = new Customer("A name that is too long");
        ValidationResults r = Validation.Validate<Customer>(myCustomer);
        if (!r.IsValid)
        {
            throw new InvalidOperationException("Validation error found.");
        }
    }
} 

You can easily integrate the Validation Application Block with ASP.NET applications. For example, you can use the application block to validate information a user enters into a Web form.
The Validation Application Block includes the custom ASP.NET control named PropertyProxyValidator. Developers use this control on Web pages to validate an ASP.NET control's value using the Validation Application Block validators. The PropertyProxyValidator class acts as a wrapper that links a control to a validator in an application-level class.

Note:
For more information about integrating the Validation Application Block with ASP.NET, see Integrating with ASP.NET in Enterprise Library Help.

Selecting Validation Controls

Developers of Web client applications have to decide what validation controls to use to perform the chosen validation type. The following guidelines will help you choose the best validation controls for your particular scenario:
  • If you need to reuse validation logic across screens, applications and/or tiers, use the Enterprise Library Validation Application Block.
  • If you need to reuse validation logic across different pages, consider creating a custom validation class that extends the ASP.NET BaseValidator class.
  • When performing client-side validation, consider ASP.NET validation controls as the first option.
  • If you need to perform cross-field validation in the server and UI responsiveness is important in your scenario, consider using a CustomValidator control inside an UpdatePanel control.

If you need to reuse validation logic across screens, applications and/or tiers, use the Enterprise Library Validation Application Block

If encapsulation and reutilization of the validation logic is a primary concern in your system, consider defining the validation logic with the Enterprise Library Validation Application Block and using the PropertyProxyValidator control in your Web pages. By using the application block, you can define validation rules in one place and reuse them across layers and tiers of your applications. The PropertyProxyValidator control requires a round trip to the server; therefore, to improve the UI responsiveness, you can combine PropertyProxyValidator controls with ServerSideValidationExtender extenders.

If you need to reuse validation logic across different pages, consider creating a custom validation class that extends the ASP.NET BaseValidator class

If different pages of your Web application need to perform the same validation logic, consider creating a new validator control. To create a new validator, derive from the BaseValidator class exposed by the ASP.NET framework. By doing this, you will encapsulate the validation logic in a reusable control that you can include in multiple pages.
For more information about the BaseValidator class, see BaseValidator.

When performing client-side validation, consider ASP.NET validation controls as the first option

To perform client-side validation, consider using the built-in ASP.NET validation controls as the first option. These controls always perform server-side validation independently of the client-side validation; therefore, security is improved. If the ASP.NET validation controls do not address your requirements, write custom client script.

If you need to perform cross-field validation in the server and UI responsiveness is important in your scenario, consider using a CustomValidator control inside an UpdatePanel control

If you need to perform cross-field validation in the server, consider using a CustomValidator control inside an UpdatePanel control. By placing the validator inside an UpdatePanel, full postbacks are avoided; therefore, UI responsiveness is improved.

Validation Security Guidelines

With responsive Web user interfaces, developers have more choices of how, when, and where to validate information entered by the user. To improve security, consider the following guidelines:
  • Do not rely on client-side validation.
  • Validate input for length, range, format, and type.
  • Validate input from all sources, such as query strings, cookies, and HTML controls.
  • Do not rely on ASP.NET request validation.
  • Avoid user-supplied file name and path input.
  • Do not echo untrusted input.
  • If you need to write out untrusted data, encode the output.
The next sections describe each of these guidelines.

Do Not Rely on Client-Side Validation

Do not rely on client-side validation because it can be easily bypassed. For example, a malicious user could disable your client-side script routines by disabling JavaScript or could generate a harmful HTTP request simulating a post from your Web site.
Use client-side validation in addition to server-side validation to reduce round trips to the server and to improve the user experience.

Validate Input for Length, Range, Format, and Type

Do not trust input. An attacker passing malicious input can attempt SQL injection, cross-site scripting, and other injection attacks that aim to exploit your application's vulnerabilities. Check for known good data and constrain input by validating it for type, length, format, and range. For Web form applications that obtain input through server controls, use the ASP.NET validator controls, such as the RegularExpressionValidator, RangeValidator, and CustomValidator, to validate and constrain input. Check all numeric fields for type and range. If you are not using server controls, you can use regular expressions and the Regex class, and you can validate numeric ranges by converting the input value to an integer or double and then performing a range check.

Validate Input from All Sources, such as Query Strings, Cookies, and HTML Controls

Most Web applications accept input from various sources, including HTML controls, server controls, query strings, and cookies. Validate input from all of these sources to help prevent injection attacks. Use regular expressions to help validate input. The following example shows how to use the Regex class.

using System.Text.RegularExpressions;

// Instance method:
Regex reg = new Regex(@"^[a-zA-Z'.\s]{1,40}$");
Response.Write(reg.IsMatch(Request.QueryString["Name"]));

// Static method:
if (!Regex.IsMatch(Request.QueryString["Name"],@"^[a-zA-Z'.\s]{1,40}$")) 
{
   // Name does not match expression
} 

If you cannot cache your regular expression for frequent use, you should use the static IsMatch method where possible for performance reasons (to avoid unnecessary object creation).

Do Not Rely on ASP.NET Request Validation

The ASP.NET request validation feature performs basic input validation. Do not rely on it. Use it as an extra precautionary measure in addition to your own input validation. Only you can define what represents good input for your application.
By default, request validation is enabled. You can see this by examining the validateRequest attribute, which is set to true on the <pages> element in the Machine.config.comments file. Ensure that it is enabled for all pages except those that need to accept a range of HTML elements. If you need to disable it for a page, set the ValidateRequest attribute to false by using the @Page directive.

Avoid User-Supplied File Name and Path Input

Where possible, avoid writing code that accepts user-supplied file or path input. Failure to do this can result in attackers coercing your application into accessing arbitrary files and resources. If your application must accept input file names, file paths, or URL paths, you need to validate that the path is in the correct format and that it points to a valid location within the context of your application.

File Names

Ensure that file paths refer only to files within your application's virtual directory hierarchy if that is appropriate. When checking file names, obtain the full name of the file by using the System.IO.Path.GetFullPath method.

File Paths

If you use MapPath to map a supplied virtual path to a physical path on the server, use the overloaded Request.MapPath method that accepts a bool parameter so that you can prevent cross-application mapping. The following code example shows this technique.

try
{
 string mappedPath = Request.MapPath( inputPath.Text, 
                                      Request.ApplicationPath, false);
}
catch (HttpException)
{
 // Cross-application mapping attempted 
} 

The final false parameter prevents cross-application mapping. This means that a user cannot successfully supply a path that contains ".." to traverse outside of your application's virtual directory hierarchy. Any attempt to do this results in an exception of type HttpException.

Do Not Echo Untrusted Input

Do not echo input back to the user without first validating and/or encoding the data. Echoing input directly back to the user makes your application susceptible to malicious input attacks, such as cross-site scripting.

If You Need to Write Out Untrusted Data, Encode the Output

If you write output that includes user input or data from a shared database or a local file that you do not trust, encode it. Echoing input directly back to the user makes your application vulnerable to cross-site scripting attacks. Encoding the data ensures that it is treated as literal text and not as script. You can use the HttpUtility.HtmlEncode method. Similarly, if you write URLs that might contain unsafe characters because they have been constructed from input data or data from a shared database, use HttpUtilty.UrlEncode to make them safe.

Note:
Make sure that you encode data at the last possible opportunity before the data is returned to the client.

For more information about how to improve the security of your application, see the following topics on MSDN: AJAX Validation QuickStart documentation | ServerSideValidationExtender Control documentation | Patterns related to validation

Last edited Nov 8, 2007 at 11:53 AM by siacomuzzi, version 5

Comments

No comments yet.