
BIG WARNING - validation controls appear to be ignored.

Hi,

Although I have got to the bottom of this problem, it gave me quite a shock
to discover how easy it is to write a very unsafe application with .Net
validators.

The scenario was this: we wrote and tested an application using validators,
but when we deployed the app onto a different server, it accepted and
processed invalid input from the user.

Turns out that in testing the validators were running client-side. When a
client-side validator blocks the input there is no postback and hence
nothing happens on the server. However, if client-side validation is
disabled for any reason, all control events fire on the server even if the
page is invalid. If, like me, you were expecting the page processing to
finish in the event of a validation failure and not fire button clicks etc,
you are sadly mistaken. If you use validators, you must check manually
Page.IsValid in every "click" event.

I realise this is probably in the documentation (section 34.4b(ii)
subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will think
this is obvious, but I'm sure that there must be hundreds of apps out there
that are unwittingly relying on client-side validation.

The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE VALIDATION
DISABLED. The default configuration could lull you into a false sense of
security and could lead to shipping an unsafe application.

Andy
Nov 19 '05 #1
Yes, we do consider this obvious. But I think all of us would also agree
that we see questions with respect to this all too often. Having said that,
remember that there's at least two sides to every story (yours, mine and
Kevin's Spe...err I mean the right way). If it behaved otherwise, someone
would likely say "BIG WARNING - unable to manually control validation" and
continue to claim that microsoft removed the flexibility of blah blah
blah...so it depends how you look at it.

anyways, thanks for the heads up, hopefully this message will help someone
doing a google group search one day...

Karl
--
MY ASP.Net tutorials
http://www.openmymind.net/
"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Oy**************@TK2MSFTNGP09.phx.gbl...
Nov 19 '05 #2
On 24 Feb 2005, "Andy Fish" <aj****@blueyonder.co.uk> postulated in
news:Oy**************@TK2MSFTNGP09.phx.gbl:
Good point, Andy.

No, this is not in the documentation, however, there are plenty of
informative articles available on preventing SQL injection attacks.

Testing is important, but a deliberate practice of defense in depth
is advised to all who use the web as a data aggregator.

I would suggest that if you don't already use parameterized queries,
that you learn what they are and how they can help you prevent data
content attacks against your server.
-- ipgrunt
Nov 19 '05 #3
Just like any client-side checking using vbscript/javascript, they can
always be overridden.

So never just do client-side checking of data, do server-side checking on
the received data as well.

This may seem redundant, but client-side check enables quicker response and
fewer postbacks, while server-side check makes your data safer.

"Andy Fish" <aj****@blueyonder.co.uk> wrote in message
news:Oy**************@TK2MSFTNGP09.phx.gbl...
Nov 19 '05 #4
PL
> No, this is not in the documentation, however, there are plenty of
informative articles available on preventing SQL injection attacks.


Is it not in the docs ? You better read it more carefully, what the h do you
think the WebUIValidation.js is ???

Come on, dont blaim MS because you are bad programmers.

PL.
Nov 19 '05 #5
PL
> I realise this is probably in the documentation (section 34.4b(ii) subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus
> will think this is obvious, but I'm sure that there must be hundreds of apps out there that are unwittingly relying on client-side
> validation.


Try reading:
ms-help://MS.NETFrameworkSDKv1.1/cpguidenf/html/cpconClient-SideValidation.htm

PL.
Nov 19 '05 #6
On 24 Feb 2005, "PL" <pb****@yahoo.se> postulated in
news:e4*************@TK2MSFTNGP12.phx.gbl:

> > No, this is not in the documentation, however, there are plenty of
> > informative articles available on preventing SQL injection attacks.
>
> Is it not in the docs ? You better read it more carefully, what the h
> do you think the WebUIValidation.js is ???
>
> Come on, dont blaim MS because you are bad programmers.
>
> PL.

You miss the point of his comment, which has nothing to do with the
docs, and everything to do with not depending on validators to protect
your backend data.

That's called defense in depth, and is the practice of good
programmers.

And don't blame M$ because you're a bad speller.

-- ipgrunt
Nov 19 '05 #7
> You miss the point of his comment, which has nothing to do with the
> docs, and everything to do with not depending on validators to protect
> your backend data.
>
> That's called defense in depth, and is the practice of good
> programmers.

Just as a follow-up, the point of my original comment was not really
about relying on client-side validation. No programmer worth his salt
would ever do that deliberately.

My point was that the system as a whole (the framework and development
environment) did not "fail-safe". Without reading every word of the
documentation, I wrote and tested an application making what I
believed to be a reasonable assumption about how it would work. When I
deployed it I found out by accident that it was relying on client side
validation. IMHO this would be worth a big caveat on every page
relating to the validation, not just a single note.

Better still, I would have click-type events only fire if the form is
valid, unless the developer specifically overrides this behaviour.
Nov 19 '05 #8
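An added example (not code from anyone in this thread) showing both points raised above: Andy's Page.IsValid check in the click handler, and ipgrunt's parameterized query for the database write. It is a hypothetical ASP.NET Web Forms code-behind; the page, control names (txtAge, rvAge, btnSave), table and connection-string name are all assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Code-behind for a hypothetical profile page with a TextBox "txtAge",
// a RangeValidator "rvAge" bound to it, and a Button "btnSave".
public partial class ProfilePage : Page
{
    // UNSAFE: with client-side validation off, the postback still reaches
    // this handler even though rvAge failed, and the raw input is processed.
    protected void btnSave_Unsafe_Click(object sender, EventArgs e)
    {
        SaveAge(int.Parse(txtAge.Text));
    }

    // SAFE: check Page.IsValid in the click handler, as Andy recommends.
    // Button.CausesValidation is true by default, so Page.Validate() has
    // already run before this event; if it were false, call it here first.
    protected void btnSave_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            // Validators render their ErrorMessage; nothing is processed.
            return;
        }
        int age;
        if (!int.TryParse(txtAge.Text, out age))
        {
            return; // defense in depth: re-check the text even when "valid"
        }
        SaveAge(age);
    }

    // Parameterized query, as ipgrunt suggests: the value travels as a
    // typed parameter and is never concatenated into the SQL text.
    private void SaveAge(int age)
    {
        // Assumes a connection string named "AppDb" in web.config (.NET 2.0+).
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "UPDATE Profiles SET Age = @age WHERE UserName = @user", conn))
        {
            cmd.Parameters.Add("@age", SqlDbType.Int).Value = age;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = User.Identity.Name;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

To reproduce Andy's deployment scenario in test, set EnableClientScript="false" on the validator so the invalid postback reaches the server; only the handler that checks Page.IsValid refuses it.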