server side validation

Discussion in 'ASP General' started by Hernán Castelo, Jul 13, 2004.

  1. Should I validate all the "Request" calls,
    like Request.FORM("...") and Request.Cookies("...")?

    If so, do I have to look inside
    every "Input" element like "Text" and even "Hidden",
    and every Request.Cookies I'm using?

    Thanks

    --
    atte,
    Hernán Castelo
    SGA - UTN - FRBA
    Hernán Castelo, Jul 13, 2004
    #1

  2. Mark Schupp (Guest)

    You should always validate all data received and used by your application.
    That does not necessarily mean that every data element sent by the browser
    needs to be looked at, just the data elements that you will be using.

    --
    Mark Schupp
    Head of Development
    Integrity eLearning
    www.ielearning.com


    "Hernán Castelo" <> wrote in message
    news:uQ6$...
    > Should I validate all the "Request" calls,
    > like Request.FORM("...") and Request.Cookies("...")?
    >
    > If so, do I have to look inside
    > every "Input" element like "Text" and even "Hidden",
    > and every Request.Cookies I'm using?
    >
    > Thanks
    >
    > --
    > atte,
    > Hernán Castelo
    > SGA - UTN - FRBA
    Mark Schupp, Jul 13, 2004
    #2

  3. > just the data elements that you will be using.

    Do you mean values that I gather
    for querying data at the data server (SQL)?
    Any others?
    Do I not need to validate
    elements that I use only for display?

    Thanks

    --
    atte,
    Hernán Castelo
    SGA - UTN - FRBA

    "Mark Schupp" <> wrote in message
    news:%...
    > You should always validate all data received and used by your application.
    > That does not necessarily mean that every data element sent by the browser
    > needs to be looked at, just the data elements that you will be using.
    >
    > --
    > Mark Schupp
    > Head of Development
    > Integrity eLearning
    > www.ielearning.com
    >
    >
    > "Hernán Castelo" <> wrote in message
    > news:uQ6$...
    > Should I validate all the "Request" calls,
    > like Request.FORM("...") and Request.Cookies("...")?
    >
    > If so, do I have to look inside
    > every "Input" element like "Text" and even "Hidden",
    > and every Request.Cookies I'm using?
    >
    > Thanks
    >
    > --
    > atte,
    > Hernán Castelo
    > SGA - UTN - FRBA
    >
    >
    Hernán Castelo, Jul 13, 2004
    #3
  4. Thanks

    A malicious person
    is not a thing from another world...

    In what scenario
    is rigorous server-side validation
    not recommended?

    Can strict server-side validation
    be replaced by another technique?

    Thanks again



    --
    atte,
    Hernán Castelo
    SGA - UTN - FRBA

    "ChrisRath" <> wrote in message
    news:...
    > > If so, do I have to look inside
    > > every "Input" element like "Text" and even "Hidden",
    > > and every Request.Cookies I'm using?
    >
    > Well, if you make the assumption that you have a malicious user on the
    > other end, then you'd have to assume that they can possibly submit any
    > name/value pairs that they want (client side scripts being bypassed).
    >
    > So, yes, client side validation is not a replacement for server side
    > validation.
    >
    >
    Hernán Castelo, Jul 13, 2004
    #4
  5. Bã§TãRÐ (Guest)

    Validation:

    Validation comes in 2 forms, server side and client side; this much you
    probably know.

    The advantage to client side validation is that it's faster and the
    browser takes the hit for the performance. The disadvantage is that
    the user can turn off the scripting feature in the security settings
    and bypass any JS you've written. The only way I've found to thwart
    people doing this is to add the <noscript></noscript> tags pointing
    them to an error page explaining that they need to turn it on in order
    for the site to work properly.
    i.e. <noscript><% response.redirect ("err.asp?err=nojs") %></noscript>

    Server side validation is considerably slower, especially depending on
    the user's connection. Every time the user submits a form it makes a
    round trip to the server and back. The advantage to server side
    validation is that it is much more secure. Users can't turn off scripting
    and get around it. It happens no matter what.

    So which one to use?
    It really depends on what you are validating and what for. Personally,
    any time I am writing information to a database for, say, financial
    transactions like e-commerce I'll use server side validation. It's more
    secure and depending on the amount of transactions the performance hit
    is hardly noticeable. If the information is not all that important or
    the customer doesn't feel that the data must be strictly formatted,
    client side validation will work just fine.

    Two things I do either way are use Regular Expressions to validate
    data and escape special characters.

    Using Regular Expressions does a few things:
    1. Will protect you from Cross Site Scripting attacks and SQL
    injection attacks - validation can be pretty strict
    2. Keeps the amount of code you need to write down.
    3. RegEx are pretty much universal in the way they are implemented.
    Use one for JavaScript and you can use the same one for ASP

    The other thing is escaping special characters, which is essential when
    doing dB stuff. You may already know this, so I apologize if I'm
    rehashing old material.

    I've written a function that I use almost constantly in all my
    projects that I keep adding to that will escape special chars like
    single quotes and double quotes. Something like this

    Function fixSpecialchars(strText)
        Dim replaceit
        ' Double every single quote so it is read as a literal quote inside
        ' a SQL string, instead of swapping it for a different character
        replaceit = Replace(strText, "'", "''")
        fixSpecialchars = replaceit
    End Function

    call that function anytime you need to add stuff to a dB and you'll be
    all set.

    The MS Security conference I went to a few months ago stressed data
    validation as the number one priority for coders.

    I use this site quite often: http://regexlib.com. It's got almost all the
    regular expressions you'd ever need for form validation.


    On Tue, 13 Jul 2004 17:47:47 -0300, "Hernán Castelo"
    <> wrote:

    > Thanks
    >
    > A malicious person
    > is not a thing from another world...
    >
    > In what scenario
    > is rigorous server-side validation
    > not recommended?
    >
    > Can strict server-side validation
    > be replaced by another technique?
    >
    > Thanks again
    Bã§TãRÐ, Jul 28, 2004
    #5
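    The approach from the two posts above (Chris's point that a malicious user can submit any name/value pair, hidden inputs included, and the regex allow-list plus quote escaping from post #5) as an added example; this is not code from the thread, and the `request` object is a constructed stand-in for ASP's Request.Form and Request.Cookies collections.

```javascript
// Added example, not from the thread: allow-list, server-side validation of
// every submitted value the script actually uses (hidden inputs and cookies
// included), plus a correct quote-doubling escape. Runs under Node; the
// "request" object is a constructed stand-in for Request.Form / Request.Cookies.

// One anchored regular expression per field the page uses. Fields not listed
// are never read, so they cannot be abused; listed fields must match fully.
const RULES = {
  form: {
    username: /^[A-Za-z0-9_]{3,20}$/,
    amount:   /^\d{1,7}(\.\d{2})?$/,
    itemId:   /^\d{1,9}$/,          // a "hidden" input is still user-editable
  },
  cookies: {
    sessionId: /^[A-Fa-f0-9]{32}$/, // cookies are just another client input
  },
};

// Returns { ok, values, errors }: values holds only the fields that passed.
function validateRequest(request) {
  const values = {};
  const errors = [];
  for (const [source, rules] of Object.entries(RULES)) {
    const collection = request[source] || {};
    for (const [name, pattern] of Object.entries(rules)) {
      const raw = collection[name];
      if (typeof raw !== 'string' || !pattern.test(raw)) {
        errors.push(`${source}.${name}`); // reject; do not "fix up" the value
        continue;
      }
      values[name] = raw;
    }
  }
  return { ok: errors.length === 0, values, errors };
}

// Escape for a SQL string literal: double the single quote rather than swap it
// for a different character, so O'Brien is stored as O'Brien and not O"Brien.
function escapeSqlLiteral(s) {
  return s.replace(/'/g, "''");
}

// Constructed sample: the hidden itemId was edited and the cookie is malformed.
const sampleRequest = {
  form: { username: 'hernan', amount: '19.99', itemId: '7a' },
  cookies: { sessionId: 'zz' },
};

console.log(validateRequest(sampleRequest)); // ok: false, errors: form.itemId, cookies.sessionId
```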
  6. Another consideration is to think about the amount of JavaScript code
    being sent down to the browser and how this will impact the page load
    time. I originally went with client-side and then converted to
    server-side to increase page load time. Again, it's a trade-off since
    there's now a roundtrip to and from the server, but I felt that a faster
    INITIAL load time was worth it.

    David H

    David C. Holley, Jul 28, 2004
    #6