Relying on client-side validation?

B

Ben Fidge

Hi

I'm interested to know what peoples opinions are on using the Client-side
Validators in ASP.NET? I use them very heavily but am experiencing the odd
occassion when users have either intentionally or inadvertantly bipassed
them.

Any ideas on how this could happen. I know that a determined hacker can push
data into http context and viewstate. But other than that, would disabling
javascript in the browser allow a user to bipass validation yet still use
the site as normal?

Thanks

Ben
 
K

Karl Seguin

Ben:
I rely on client-side validation heavily too, but only as a first step
measure. It's great because it's efficient for my server (no postback) and
responsive for the user (no postback).

But it's easily circumventable. By disabling javascript, by simply using
telnet, by using one of the many plugins for firefox.

You should always put a
Page.Validate()
if Page.IsValid then
...
end if

in your event handlers or wherever else you need to make sure the validation
is run on the server..

Karl
 
S

Steve C. Orr [MVP, MCSD]

The built-in validation controls use both client side AND server side
validation by default.
This is to cover the scenarios you mentioned.
 
B

Ben Fidge

Karl,

Thanks for the advice. If for example I use your suggestion on the Confirm
button OnClick event on a given page, what's the standard procedure for
delaing with validation errors, or does ASP.NEt handle this automatically?

Ben
 
B

Brock Allen

You should always put a
Page.Validate()
if Page.IsValid then
...
end if
in your event handlers or wherever else you need to make sure the
validation is run on the server..

You shouldn't need to explicitly call Page.Validate unless you need to check
if the page has passed validation in or prior to Page_Load. If it's only
ever needed in your server side controls' event handlers, then Page.IsValid
is sufficient.
 
B

Ben Fidge

Hi Brock,

Thanks for that. What is standard prcoedure for IsValid = false? Does
ASP.NET automatically report to the user that there's a problem using the
client-side validators or do I have to do this manually?

Ben
 
B

Brock Allen

If the page fails to validate then the server side validation controls render
as such. At the end of the day it looks just like as if the validation was
done client-side. So, no, there's nothing special to do when you're relying
upon the server side validation. One thing to note is that if there is no
client side validation then things such as the ValidationSummary's ShowMessageBox
won't work as desired.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,900
Latest member
Nell636132

Latest Threads

Top