Hi
I'm interested to know what peoples opinions are on using the Client-side
Validators in ASP.NET? I use them very heavily but am experiencing the odd
occassion when users have either intentionally or inadvertantly bipassed
them.
Any ideas on how this could happen. I know that a determined hacker can push
data into http context and viewstate. But other than that, would disabling
javascript in the browser allow a user to bipass validation yet still use
the site as normal?
Thanks
Ben 6 1294
Ben:
I rely on client-side validation heavily too, but only as a first step
measure. It's great because it's efficient for my server (no postback) and
responsive for the user (no postback).
But it's easily circumventable. By disabling javascript, by simply using
telnet, by using one of the many plugins for firefox.
You should always put a
Page.Validate()
if Page.IsValid then
...
end if
in your event handlers or wherever else you need to make sure the validation
is run on the server..
Karl
--
MY ASP.Net tutorials http://www.openmymind.net/ - New and Improved (yes, the popup is annoying) http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"Ben Fidge" <be*******@btop enworld.com> wrote in message
news:ug******** ********@tk2msf tngp13.phx.gbl. .. Hi
I'm interested to know what peoples opinions are on using the Client-side Validators in ASP.NET? I use them very heavily but am experiencing the odd occassion when users have either intentionally or inadvertantly bipassed them.
Any ideas on how this could happen. I know that a determined hacker can push data into http context and viewstate. But other than that, would disabling javascript in the browser allow a user to bipass validation yet still use the site as normal?
Thanks
Ben
The built-in validation controls use both client side AND server side
validation by default.
This is to cover the scenarios you mentioned.
--
I hope this helps,
Steve C. Orr, MCSD, MVP http://SteveOrr.net
"Ben Fidge" <be*******@btop enworld.com> wrote in message
news:ug******** ********@tk2msf tngp13.phx.gbl. .. Hi
I'm interested to know what peoples opinions are on using the Client-side Validators in ASP.NET? I use them very heavily but am experiencing the odd occassion when users have either intentionally or inadvertantly bipassed them.
Any ideas on how this could happen. I know that a determined hacker can push data into http context and viewstate. But other than that, would disabling javascript in the browser allow a user to bipass validation yet still use the site as normal?
Thanks
Ben
Karl,
Thanks for the advice. If for example I use your suggestion on the Confirm
button OnClick event on a given page, what's the standard procedure for
delaing with validation errors, or does ASP.NEt handle this automatically?
Ben
"Karl Seguin" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME net>
wrote in message news:OQ******** ******@TK2MSFTN GP09.phx.gbl... Ben: I rely on client-side validation heavily too, but only as a first step measure. It's great because it's efficient for my server (no postback) and responsive for the user (no postback).
But it's easily circumventable. By disabling javascript, by simply using telnet, by using one of the many plugins for firefox.
You should always put a Page.Validate() if Page.IsValid then ... end if
in your event handlers or wherever else you need to make sure the validation is run on the server..
Karl
-- MY ASP.Net tutorials http://www.openmymind.net/ - New and Improved (yes, the popup is annoying) http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to come!)
"Ben Fidge" <be*******@btop enworld.com> wrote in message news:ug******** ********@tk2msf tngp13.phx.gbl. .. Hi
I'm interested to know what peoples opinions are on using the Client-side Validators in ASP.NET? I use them very heavily but am experiencing the odd occassion when users have either intentionally or inadvertantly bipassed them.
Any ideas on how this could happen. I know that a determined hacker can push data into http context and viewstate. But other than that, would disabling javascript in the browser allow a user to bipass validation yet still use the site as normal?
Thanks
Ben
> You should always put a Page.Validate() if Page.IsValid then ... end if in your event handlers or wherever else you need to make sure the validation is run on the server..
You shouldn't need to explicitly call Page.Validate unless you need to check
if the page has passed validation in or prior to Page_Load. If it's only
ever needed in your server side controls' event handlers, then Page.IsValid
is sufficient.
-Brock
DevelopMentor http://staff.develop.com/ballen
Hi Brock,
Thanks for that. What is standard prcoedure for IsValid = false? Does
ASP.NET automatically report to the user that there's a problem using the
client-side validators or do I have to do this manually?
Ben
"Brock Allen" <ba****@NOSPAMd evelop.com> wrote in message
news:60******** **************@ msnews.microsof t.com... You should always put a Page.Validate() if Page.IsValid then ... end if in your event handlers or wherever else you need to make sure the validation is run on the server..
You shouldn't need to explicitly call Page.Validate unless you need to check if the page has passed validation in or prior to Page_Load. If it's only ever needed in your server side controls' event handlers, then Page.IsValid is sufficient.
-Brock DevelopMentor http://staff.develop.com/ballen
If the page fails to validate then the server side validation controls render
as such. At the end of the day it looks just like as if the validation was
done client-side. So, no, there's nothing special to do when you're relying
upon the server side validation. One thing to note is that if there is no
client side validation then things such as the ValidationSumma ry's ShowMessageBox
won't work as desired.
-Brock
DevelopMentor http://staff.develop.com/ballen Hi Brock,
Thanks for that. What is standard prcoedure for IsValid = false? Does ASP.NET automatically report to the user that there's a problem using the client-side validators or do I have to do this manually?
Ben
"Brock Allen" <ba****@NOSPAMd evelop.com> wrote in message news:60******** **************@ msnews.microsof t.com...
You should always put a Page.Validate() if Page.IsValid then ... end if in your event handlers or wherever else you need to make sure the validation is run on the server.. You shouldn't need to explicitly call Page.Validate unless you need to check if the page has passed validation in or prior to Page_Load. If it's only ever needed in your server side controls' event handlers, then Page.IsValid is sufficient.
-Brock DevelopMentor http://staff.develop.com/ballen
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Michael Rybak |
last post by:
hi, everyone.
I'm writing a 2-players game that should support network mode. I'm now
testing it on 1 PC since I don't have 2. I directly use sockets, and
both client and server do computations, the only data transfered is
user mouse/kbd input.
It works synchronously, but somehow, when I play in client window,
both client and server have 17 fps, while when playing in server
window, server has 44 fps while client ...
|
by: Raquel |
last post by:
How do I know whether the 'runtime client' and the 'application
development client' are installed on my machine? When I issue the
command "db2licm -l", it gives the following output:
Product Name = "DB2 Personal Edition"
Product Password = "DB2PE"
Version Information = "8.1"
Expiry Date = "Permanent"
Annotation = ""
Other information = ""
|
by: Rhino |
last post by:
I am trying to verify that I correctly understand something I saw in the DB2
Information Center.
I am running DB2 Personal Edition V8.2.1 on Windows. I came across the
following in the Info Center:
To return a result set from a procedure to the originating application, use
the WITH RETURN TO CLIENT clause. When WITH RETURN TO CLIENT is specified on
a result set, no nested procedures can access the result set.
|
by: Harley |
last post by:
Hello,
I am just learning the tcp/ip functions etc under vb.net so please
look over me if this is obviouse. I have been all over looking into
any functions that I didn't totaly understand and can't see that I am
doing anything wrong (i obviousely am though)
everything "works", client connects to server and when anything is
sent to the server it starts the mp3 and passes all messages the way i
ment for it to except that my server is...
|
by: Ankit Aneja |
last post by:
i am doing here some some socket-client work in C# windows service
it is working fine for multiple clients
now i want to limit these multiple clients to 25 for example
i want that when service starts objects for all these 25 clients
are created and when client connects it should be accepted and will not
allow more than 25 clients to connect
and when client diconnects that object can be allocated to another client
who requests
i am not...
| |
by: J Huntley Palmer |
last post by:
I am having a horrific time integrating uw-imap's c-client for imap
support in php. The problem is a whole bunch of "Text relocation remains
referenced against symbol" errors during
linking. Any help appreciated!
The ordeal is a follows
I am using Solaris 10 with php5.1.1.
GCC:
|
by: horizon5 |
last post by:
Hi,
my collegues and I recently held a coding style review.
All of the code we produced is used in house on a commerical project.
One of the minor issues I raised was the common idiom of specifing:
<pre>
if len(x) 0:
do_something()
</pre>
|
by: khu84 |
last post by:
Here is client server very simple code, seems to work with telnet but with with web client code gives blank output.
Following is the server code:-
<?php
function createSocketServer($host='192.168.1.34',$port=2222)
{
$max_clients = 10;
|
by: nsaffary |
last post by:
hi
I hava a client/server program that run correctly when i run it in one computer(local) but when I run client on a one computer and run server run on another, connection does not stablish.(I set server machine IP for client and server) please guide me?
server :
#include <winsock2.h>
#include <iostream>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#pragma comment(lib, "ws2_32");
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |