Validator Controls

Since validator controls use client-side JavaScript to validate the input,
do I still need to validate user input at the server side?
What if an attacker writes a custom script that doesn't require the use of
an internet browser? Will he be able to skip the ASP.NET validator controls?

Thanks,
Howard
Jun 3 '06 #1
Validators use JavaScript when it is available, but keep in mind that users
can disable JavaScript. To make sure this does not prevent the Validators
from validating the submitted data, validation is performed server-side as
well. Why bother to create the code in both places, you ask? Well, because
when JavaScript is enabled, the server-side validation will not be executed
until the data is valid (except in the case of a CustomValidator). This
means fewer trips between the client and server. As for your question as to
whether you still need to validate user input at the server side, the answer
is the boring "It depends". What does it depend on? Well, it depends on what
you are validating and what validators you have. The key questions to ask
yourself are:

1. What do I know about the input I am receiving now that it has passed the
test of my validators?
2. What requirements do I need the input to meet in order to be valid?
3. Do I know for sure that the input meets these requirements?
4. What, if any, extra validation do I need to do to the input in order to
be sure it meets these requirements?

Normally, the answer to #4 will be performed in a CustomValidator so that
the error message can be displayed in a friendlier manner if the user needs
to see it and so that you can determine whether the data is valid by using
the Page.IsValid property. As far as the part about attackers, well, I'm not
an expert in that area, so all I can say is validate all input as strictly
as possible (without making the page unattractive to users, of course), make
sure the error message tells the user what is wrong with their input, and,
of course, use all the network safety features on your network, because an
attacker can't run their custom script if they can't get to your network.
Hopefully this information is helpful, and for more details, you might want
to post to one of the security or network newsgroups. Good Luck!
--
Nathan Sokalski
nj********@hotm ail.com
http://www.nathansokalski.com/

Jun 3 '06 #2
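
An added example, not part of either post: a code-behind sketch of the server-side half of the validation discussed above, showing the CustomValidator handler and the Page.IsValid check that a request sent without a browser still has to pass. The page name Order.aspx, the control IDs and the quantity limit are hypothetical, and the markup is assumed to wire the handlers as described in the comments.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Order.aspx (ASP.NET 2.0 partial-class model).
// Assumed markup: QuantityBox (TextBox); QuantityCheck (CustomValidator with
// ControlToValidate="QuantityBox", ValidateEmptyText="true" and
// OnServerValidate="QuantityCheck_ServerValidate"); SubmitButton (Button with
// OnClick="SubmitButton_Click"); ResultLabel (Label).
public partial class Order : Page
{
    private const int MaxQuantity = 100; // constructed business limit

    // Runs on the server during postback validation, whether or not the
    // client executed any validation script before submitting.
    protected void QuantityCheck_ServerValidate(object source, ServerValidateEventArgs args)
    {
        int quantity;
        args.IsValid = int.TryParse(args.Value, out quantity)
                       && quantity >= 1
                       && quantity <= MaxQuantity;
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // The click handler fires even when a validator failed; ASP.NET only
        // records the outcome. Skipping this check lets invalid input from a
        // scripted request reach the processing code below.
        if (!Page.IsValid)
        {
            return;
        }

        // Re-read the value from the posted field rather than trusting
        // anything computed on the client.
        int quantity;
        if (!int.TryParse(QuantityBox.Text, out quantity))
        {
            return;
        }

        ResultLabel.Text = "Ordered " + quantity + " item(s).";
    }
}
```
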
Thanks.
This is very helpful

Jun 3 '06 #3
