
server side validation

Should I validate all the "Request" calls,
like Request.FORM("...") and Request.Cookies("...")?

If so, do I have to look inside
every "Input" element, like "Text" and even "Hidden",
and every Request.Cookies I'm using?

Thanks

--
Regards,
Hernán Castelo
SGA - UTN - FRBA

Jul 19 '05 #1
6 Replies


> If so, do I have to look inside
> every "Input" element, like "Text" and even "Hidden",
> and every Request.Cookies I'm using?


Well, if you make the assumption that you have a malicious user on the other
end, then you'd have to assume that they can possibly submit any name/value
pairs that they want (client side scripts being bypassed).

So, yes, client side validation is not a replacement for server side
validation.
Jul 19 '05 #2

You should always validate all data received and used by your application.
That does not necessarily mean that every data element sent by the browser
needs to be looked at, just the data elements that you will be using.

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
Jul 19 '05 #3

> just the data elements that you will be using.

Do you mean the values that I gather
for querying data at the data server (SQL)?
Anything else?
Do I not need to validate
elements that I use only for display?

Thanks

--
Regards,
Hernán Castelo
SGA - UTN - FRBA


Jul 19 '05 #4

Thanks

A malicious person
is not something from another world...

In what scenario
is strict server-side validation
not recommended?

Can strict server-side validation
be replaced by another technique?

Thanks again

--
Regards,
Hernán Castelo
SGA - UTN - FRBA


Jul 19 '05 #5

Validation:

Validation comes in 2 forms, server side and client side; this much you
probably know.

The advantage to client side validation is that it's faster and the
browser takes the hit for the performance. The disadvantage is that
the user can turn off the scripting feature in the security settings
and bypass any JS you've written. The only way I've found to thwart
people doing this is to add the <noscript></noscript> tags pointing
them to an error page explaining that they need to turn it on in order
for the site to work properly,
i.e. <noscript><% response.redirect ("err.asp?err=nojs") %></noscript>

Server side validation is considerably slower, especially depending on
the user's connection. Every time the user submits a form it makes a
round trip to the server and back. The advantage to server side
validation is that it is much more secure. Users can't turn off scripting
and get around it. It happens no matter what.

So which one to use?
It really depends on what you are validating and what for. Personally,
any time I am writing information to a database for, say, financial
transactions like e-commerce, I'll use server side validation. It's more
secure, and depending on the amount of transactions the performance hit
is hardly noticeable. If the information is not all that important or
the customer doesn't feel that the data must be strictly formatted, client
side validation will work just fine.

Two things I do either way are use Regular Expressions to validate
data and escape special characters.

Using Regular Expressions does a few things:
1. Will protect you from Cross Site Scripting attacks and SQL
injection attacks - validation can be pretty strict.
2. Keeps the amount of code you need to write down.
3. RegEx are pretty much universal in the way they are implemented.
Use one for JavaScript and you can use the same one for ASP.

The other thing is that escaping special characters is essential when
doing dB stuff. You may already know this, so I apologize if I'm
rehashing old material.

I've written a function that I use almost constantly in all my
projects, that I keep adding to, that will escape special chars like
single quotes and double quotes. Something like this:

' Escape a value for use inside a single-quoted SQL string literal.
' SQL expects an embedded single quote to be doubled, so O'Brien
' becomes O''Brien and the quote cannot close the literal.
function fixSpecialchars(strText)
    dim replaceit
    replaceit = replace(strText, "'", "''")
    fixSpecialchars = replaceit
end function

Call that function any time you need to add stuff to a dB and you'll be
all set.

The MS Security conference I went to a few months ago stressed data
validation as the number one priority for coders.

I use this site quite often: http://regexlib.com. It's got almost all the
regular expressions you'd ever need for form validation.
On Tue, 13 Jul 2004 17:47:47 -0300, "Hernán Castelo"
<hc******@cedi.frba.utn.edu.ar> wrote:

Jul 19 '05 #6
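The advice in posts #3 and #6 (validate only the inputs the page actually consumes, hidden fields and cookies included, with allow-list regular expressions, and double single quotes before building SQL) as an added Python example; this is not code from the thread. The Request stand-in, the rules, the in-memory table and the sample values are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for classic ASP's Request.Form / Request.Cookies.
# Every value here is attacker-controlled, hidden fields and cookies included.
REQUEST = {
    "form": {"username": "o'brien", "qty": "3", "price": "0.01"},  # price: hidden field
    "cookies": {"session": "3f9a1c"},
}

# Allow-list patterns for the inputs the page actually uses (post #3: not every
# element the browser sends, only the ones consumed). Same regexes work in JS.
RULES = {
    ("form", "username"): re.compile(r"^[A-Za-z][A-Za-z0-9'._-]{0,31}$"),
    ("form", "qty"): re.compile(r"^[1-9][0-9]{0,3}$"),
    ("form", "price"): re.compile(r"^[0-9]{1,6}(\.[0-9]{1,2})?$"),  # format only; price comes from the catalog, not the field
    ("cookies", "session"): re.compile(r"^[a-f0-9]{6,64}$"),
}

def validate(request, rules):
    """Return (ok, failed_inputs): each ruled input must be present and match."""
    failed = []
    for (source, name), pattern in rules.items():
        value = request.get(source, {}).get(name)
        if value is None or not pattern.fullmatch(value):
            failed.append(f"{source}.{name}")
    return (not failed, failed)

def fix_special_chars(text):
    """Post #6's escape, done the way SQL string literals expect: double the quote."""
    return text.replace("'", "''")

def _users_db():
    """Constructed in-memory table with one user whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'o''brien')")
    return conn

def lookup_escaped(username):
    """String-built query guarded only by the escape: the quote in a real name
    survives, and quotes in any other value stay inside the literal."""
    conn = _users_db()
    sql = "SELECT id FROM users WHERE name = '" + fix_special_chars(username) + "'"
    row = conn.execute(sql).fetchone()
    conn.close()
    return row[0] if row else None
```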

Another consideration is to think about the amount of JavaScript code
being sent down to the browser and how this will impact the page load
time. I originally went with client-side and then converted to
server-side to improve page load time. Again, it's a trade-off since
there's now a round trip to and from the server, but I felt that a faster
INITIAL load time was worth it.

David H

B„ßT„R– wrote:
Jul 19 '05 #7
