ASP.NET Web Forms Validation Controls are Server-Side or Client-Side Validation?

M

Matt

I want to know if ASP.NET Web Forms Validation Controls are Server-Side or
Client-Side form validation? Since I think each validator control can select
either 1) JavaScript based error dialog or 2) show the error message next to
the control. For example, if the text field is empty with RequiredField
Validator control, it can show the value in ControlToValidate property in
two ways as I mentioned.

Please advise. Thanks!
 
S

Scott M.

All the validation controls perform their respective validations BOTH client
and server side. The validation is first done client side to prevent a
wastefull trip to the server when the data is know to violate the validation
rules. Assuming the data is good (or seems to be), the validation is again
performed on the server to catch any spoofing attempts by the client.

Validation controls have an "EnableClientScript" property (which defaults to
true) to indicate if the client side validation should, in fact, take place
(this is presumably for situations when the client might have scripting
turned off). Even if this setting is false, the server side validation will
still occur.

Now to your specific question, in VS.NET 2002, there is only 1 way that a
validator will show its error message and that is to show the error message
on the page where the validation control is placed. There is no setting for
the message to come up in a JavaScript "alert()" dialog. The exception to
this is the ValidationSummary control which does have a "ShowMessageBox"
property where the summary results from all validations that have failed
will show in a JavaScript "alert()" dialog.
 
M

Matt

Thanks Scott.

For the server side validation you mentioned: "the validation is again
performed on the server to catch any spoofing attempts by the client." What
does it mean "spoofing attempts by the client?" Can you give some concrete
examples?

thanks!
 
S

Scott M.

"Spoofing" is one of the oldest problems on the web...

Let's say I run a business and have a form on my web site abc.com that
requires that you fill in certain information and enforces this by including
some client side code to check that you have filled that data in before the
form will submit data back to me (abc.com).

Now, let's say you view my source code once the page has been delivered to
your browser (client) and save that source code to a local file on your hard
drive. You have now, made a copy of my web page and saved it on your own
machine. You go into my code and remove all my JavaScript that was
enforcing the required data and save your copy of my page without all that
stuff.

Now, you bring up YOUR MODIFIED VERSION of my web page and fill in the form
(or don't fill in the form) and hit submit...Since the form will still send
the data back to me (abc.com), I will now recieve whatever you sent (or
didn't send). The form no longer checks you. This is spoofing.

Because .NET validation controls will do their check on the server as well
as the client, in the example I just described (spoofing), your mal-formed
data submission will be caught not by the client (you removed that remember)
by the server. So, in .NET, spoofing is not a problem.

Hope this helps!

Scott M.
 
M

Matt

Thanks Scott.

As you mentioned, ASP.NET has server-side validation to prevent "Spoofing".
But how ASP to handle that situation?

Thanks!
 
S

Scott M.

It doesn't! Developers has to write thier own server side code to double
check the data coming in from a form.
 
P

Peter Blum

Here's a slightly different perspective on Microsoft's client-side
validation: it only works on IE and IE/Mac browsers. For other browsers, it
uses that server side validation to catch errors. I have a commercial
solution that replaces Microsoft's validators with 22 validator controls
that support IE, IE/Mac, Netscape/Mozilla, Opera 7 and Safari with
client-side validation. Its called "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
 
S

Scott M.

Actually, the validation controls will work client-side on any browser that
supports JavaScript. This includes IE, Netscape, Mozilla, Opera & Mosaic.
 
S

Scott M.

I supect he has custom validators that go beyond the 6 that MS provides.
I'm not saying his validators are/aren't useful, but his statement about the
MS validators only working in IE/Mac browsers is incorrect.
 
C

Chad Z. Hower aka Kudzu

Scott M. said:
I supect he has custom validators that go beyond the 6 that MS provides.
I'm not saying his validators are/aren't useful, but his statement about
the MS validators only working in IE/Mac browsers is incorrect.

Thanks for the clarification.
7


--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"


ELKNews - Get your free copy at http://www.atozedsoftware.com
 
P

Peter Blum

Let's try this again. Microsoft's client side script file,
WebUIValidation.js, is written for DHTML browsers. It uses document.all[] to
lookup the <span> tag that represents the validator's error message. It does
not use document.getElementById(), which is required for DOM-based browsers
like Netscape/Mozilla and Safari. Whether or not you can get the
WebUIValidation.js file to load on these DOM browsers, they will report
javascript errors when the code is run.

I'm not making any new claims here. This limitation has long been realized.

To be clear, I didn't write a few custom validators. I wrote an entirely new
framework for validation to address a long list of desirable things in
validation that were very difficult and at times impossible to address with
Microsoft's framework.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
 
C

Chad Z. Hower aka Kudzu

Peter Blum said:
Let's try this again. Microsoft's client side script file,
WebUIValidation.js, is written for DHTML browsers. It uses
document.all[] to lookup the <span> tag that represents the validator's
error message. It does not use document.getElementById(), which is

Can anyone else confirm this?


--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"


ELKNews - Get your free copy at http://www.atozedsoftware.com
 
P

Peter Blum

I don't appreciate this lack of trust in me. Just because I publish a
commercial replacement to Microsoft's validators makes me suspect? Look, I
created a product because I spent time studying the issues and found a
tremendous list of problems to be addressed
(http://www.peterblum.com/vam/valmain.aspx). At this point, I may be one of
the most experienced people in the validation technology on ASP.NET
platforms.

1. Does WebUIValidation.js use the document.all[] command? Open the file and
search for it! Its in the function ValidatorHookupControlID, which attaches
the ControlToValidate to a client-side function that is called on onclick or
onchange events.

2. Is document.all[] DHTML only? Look at the w3c.org standard for DOM and
see that they only support document.getElementById() as a method to lookup
an ID. Look at Microsoft's DHTML reference for the 'all' property:
http://msdn.microsoft.com/library/d...hor/dhtml/reference/dhtml_reference_entry.asp
It says under "Standards information" "There is no public standard that
applies to this collection". In otherwords, its not in the W3C (DOM)
standard.

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

Chad Z. Hower aka Kudzu said:
Peter Blum said:
Let's try this again. Microsoft's client side script file,
WebUIValidation.js, is written for DHTML browsers. It uses
document.all[] to lookup the <span> tag that represents the validator's
error message. It does not use document.getElementById(), which is

Can anyone else confirm this?


--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"


ELKNews - Get your free copy at http://www.atozedsoftware.com
 
C

Chad Z. Hower aka Kudzu

Peter Blum said:
I don't appreciate this lack of trust in me. Just because I publish a
commercial replacement to Microsoft's validators makes me suspect? Look,
I created a product because I spent time studying the issues and found a

Nowhere did I state a lack of trust. Im simply looking for secondary
verifications and or other experiences.



--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"


ELKNews - Get your free copy at http://www.atozedsoftware.com
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,733
Messages
2,569,439
Members
44,829
Latest member
PIXThurman

Latest Threads

Top