Validation:
Validation comes in two forms, server side and client side; this much you
probably know.
The advantage to client side validation is that it's faster and the
browser takes the hit for the performance. The disadvantage is that
the user can turn off the scripting feature in the security settings
and bypass any JS you've written. The only way I've found to thwart
people doing this is to add the <noscript></noscript> tags pointing
them to an error page explaining that they need to turn it on in order
for the site to work properly.
i.e. <noscript><% response.redirect ("err.asp?err=nojs") %></noscript>
Server side validation is considerably slower, especially depending on
the user's connection. Every time the user submits a form it makes a
round trip to the server and back. The advantage to server side
validation is that it is much more secure. Users can't turn off scripting
and get around it. It happens no matter what.
So which one to use?
It really depends on what you are validating and what for. Personally,
any time I am writing information to a database for, say, financial
transactions like e-commerce, I'll use server side validation. It's more
secure, and depending on the amount of transactions the performance hit
is hardly noticeable. If the information is not all that important or
the customer doesn't feel that data needs to be strictly formatted, client side
validation will work just fine.
Two things I do either way are use Regular Expressions to validate
data and escape special characters.
Using Regular Expressions does a few things:
1. Will protect you from Cross Site Scripting Attacks and SQL
injection attacks - validation can be pretty strict.
2. Keeps the amount of code you need to write down.
3. RegEx are pretty much universal in the way they are implemented.
Use one for JavaScript and you can use the same one for ASP.
The other thing is escaping special characters, which is essential when
doing DB stuff. You may already know this, so I apologize if I'm
rehashing old material.
I've written a function that I use almost constantly in all my
projects, that I keep adding to, that will escape special chars like
single quotes and double quotes. Something like this:
Function fixSpecialchars(strText)
    Dim replaceit
    ' Double each single quote so it is treated as a literal inside a SQL string
    replaceit = Replace(strText, "'", "''")
    fixSpecialchars = replaceit
End Function
Call that function any time you need to add stuff to a DB and you'll be
all set.
The MS Security conference I went to a few months ago stressed data
validation as the number one priority for coders.
I use this site quite often: http://regexlib.com. It's got almost all the
regular expressions you'd ever need for form validation.