ASP.NET Web Forms Validation Controls are Server-Side or Client-Side Validation?

All the validation controls perform their respective validations BOTH client
and server side. The validation is first done client side to prevent a
wastefull trip to the server when the data is know to violate the validation
rules. Assuming the data is good (or seems to be), the validation is again
performed on the server to catch any spoofing attempts by the client.

Validation controls have an "EnableClientScript" property (which defaults to
true) to indicate if the client side validation should, in fact, take place
(this is presumably for situations when the client might have scripting
turned off). Even if this setting is false, the server side validation will
still occur.

Now to your specific question, in VS.NET 2002, there is only 1 way that a
validator will show its error message and that is to show the error message
on the page where the validation control is placed. There is no setting for
the message to come up in a JavaScript "alert()" dialog. The exception to
this is the ValidationSummary control which does have a "ShowMessageBox"
property where the summary results from all validations that have failed
will show in a JavaScript "alert()" dialog.
"Matt" <ma*******@hotmail.com> wrote in message
news:OZ**************@TK2MSFTNGP11.phx.gbl...

I want to know if ASP.NET Web Forms Validation Controls are Server-Side or
Client-Side form validation? Since I think each validator control can select either 1) JavaScript based error dialog or 2) show the error message next to the control. For example, if the text field is empty with RequiredField
Validator control, it can show the value in ControlToValidate property in
two ways as I mentioned.

Please advise. Thanks!

Thanks Scott.

For the server side validation you mentioned: "the validation is again
performed on the server to catch any spoofing attempts by the client." What
does it mean "spoofing attempts by the client?" Can you give some concrete
examples?

thanks!

"Scott M." <s-***@BADSPAMsnet.net> wrote in message
news:#q*************@TK2MSFTNGP12.phx.gbl...

All the validation controls perform their respective validations BOTH client and server side. The validation is first done client side to prevent a
wastefull trip to the server when the data is know to violate the validation rules. Assuming the data is good (or seems to be), the validation is again performed on the server to catch any spoofing attempts by the client.

Validation controls have an "EnableClientScript" property (which defaults to true) to indicate if the client side validation should, in fact, take place (this is presumably for situations when the client might have scripting
turned off). Even if this setting is false, the server side validation will still occur.

Now to your specific question, in VS.NET 2002, there is only 1 way that a
validator will show its error message and that is to show the error message on the page where the validation control is placed. There is no setting for the message to come up in a JavaScript "alert()" dialog. The exception to
this is the ValidationSummary control which does have a "ShowMessageBox"
property where the summary results from all validations that have failed
will show in a JavaScript "alert()" dialog.
"Matt" <ma*******@hotmail.com> wrote in message
news:OZ**************@TK2MSFTNGP11.phx.gbl...

I want to know if ASP.NET Web Forms Validation Controls are Server-Side or Client-Side form validation? Since I think each validator control can select

either 1) JavaScript based error dialog or 2) show the error message next to

the control. For example, if the text field is empty with RequiredField
Validator control, it can show the value in ControlToValidate property

in two ways as I mentioned.

Please advise. Thanks!

"Spoofing" is one of the oldest problems on the web...

Let's say I run a business and have a form on my web site abc.com that
requires that you fill in certain information and enforces this by including
some client side code to check that you have filled that data in before the
form will submit data back to me (abc.com).

Now, let's say you view my source code once the page has been delivered to
your browser (client) and save that source code to a local file on your hard
drive. You have now, made a copy of my web page and saved it on your own
machine. You go into my code and remove all my JavaScript that was
enforcing the required data and save your copy of my page without all that
stuff.

Now, you bring up YOUR MODIFIED VERSION of my web page and fill in the form
(or don't fill in the form) and hit submit...Since the form will still send
the data back to me (abc.com), I will now recieve whatever you sent (or
didn't send). The form no longer checks you. This is spoofing.

Because .NET validation controls will do their check on the server as well
as the client, in the example I just described (spoofing), your mal-formed
data submission will be caught not by the client (you removed that remember)
by the server. So, in .NET, spoofing is not a problem.

Hope this helps!

Scott M.

"Matt" <ma*******@hotmail.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl...

Thanks Scott.

For the server side validation you mentioned: "the validation is again
performed on the server to catch any spoofing attempts by the client." What does it mean "spoofing attempts by the client?" Can you give some concrete
examples?

thanks!

"Scott M." <s-***@BADSPAMsnet.net> wrote in message
news:#q*************@TK2MSFTNGP12.phx.gbl...

All the validation controls perform their respective validations BOTH client

and server side. The validation is first done client side to prevent a
wastefull trip to the server when the data is know to violate the

validation

rules. Assuming the data is good (or seems to be), the validation is

again

performed on the server to catch any spoofing attempts by the client.

Validation controls have an "EnableClientScript" property (which defaults to

true) to indicate if the client side validation should, in fact, take place

(this is presumably for situations when the client might have scripting
turned off). Even if this setting is false, the server side validation

will

still occur.

Now to your specific question, in VS.NET 2002, there is only 1 way that a validator will show its error message and that is to show the error

message

on the page where the validation control is placed. There is no setting

for

the message to come up in a JavaScript "alert()" dialog. The exception to this is the ValidationSummary control which does have a "ShowMessageBox"
property where the summary results from all validations that have failed
will show in a JavaScript "alert()" dialog.
"Matt" <ma*******@hotmail.com> wrote in message
news:OZ**************@TK2MSFTNGP11.phx.gbl...

I want to know if ASP.NET Web Forms Validation Controls are Server-Side or Client-Side form validation? Since I think each validator control can

select

either 1) JavaScript based error dialog or 2) show the error message next

to

the control. For example, if the text field is empty with

RequiredField Validator control, it can show the value in ControlToValidate property

in two ways as I mentioned.

Please advise. Thanks!

Thanks Scott.

As you mentioned, ASP.NET has server-side validation to prevent "Spoofing".
But how ASP to handle that situation?

Thanks!
"Scott M." <s-***@BADSPAMsnet.net> wrote in message
news:eC**************@TK2MSFTNGP09.phx.gbl...

"Spoofing" is one of the oldest problems on the web...

Let's say I run a business and have a form on my web site abc.com that
requires that you fill in certain information and enforces this by including some client side code to check that you have filled that data in before the form will submit data back to me (abc.com).

Now, let's say you view my source code once the page has been delivered to
your browser (client) and save that source code to a local file on your hard drive. You have now, made a copy of my web page and saved it on your own
machine. You go into my code and remove all my JavaScript that was
enforcing the required data and save your copy of my page without all that
stuff.

Now, you bring up YOUR MODIFIED VERSION of my web page and fill in the form (or don't fill in the form) and hit submit...Since the form will still send the data back to me (abc.com), I will now recieve whatever you sent (or
didn't send). The form no longer checks you. This is spoofing.

Because .NET validation controls will do their check on the server as well
as the client, in the example I just described (spoofing), your mal-formed
data submission will be caught not by the client (you removed that remember) by the server. So, in .NET, spoofing is not a problem.

Hope this helps!

Scott M.

"Matt" <ma*******@hotmail.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl...

Thanks Scott.

For the server side validation you mentioned: "the validation is again
performed on the server to catch any spoofing attempts by the client." What

does it mean "spoofing attempts by the client?" Can you give some concrete

examples?

thanks!

"Scott M." <s-***@BADSPAMsnet.net> wrote in message
news:#q*************@TK2MSFTNGP12.phx.gbl...

All the validation controls perform their respective validations BOTH

client

and server side. The validation is first done client side to prevent a wastefull trip to the server when the data is know to violate the

validation

rules. Assuming the data is good (or seems to be), the validation is

again

performed on the server to catch any spoofing attempts by the client.

Validation controls have an "EnableClientScript" property (which defaults

to

true) to indicate if the client side validation should, in fact, take

place

(this is presumably for situations when the client might have scripting turned off). Even if this setting is false, the server side validation will

still occur.

Now to your specific question, in VS.NET 2002, there is only 1 way

that a validator will show its error message and that is to show the error message

on the page where the validation control is placed. There is no

setting for

the message to come up in a JavaScript "alert()" dialog. The

exception to this is the ValidationSummary control which does have a

"ShowMessageBox" property where the summary results from all validations that have failed will show in a JavaScript "alert()" dialog.
"Matt" <ma*******@hotmail.com> wrote in message
news:OZ**************@TK2MSFTNGP11.phx.gbl...
> I want to know if ASP.NET Web Forms Validation Controls are

Server-Side

or

> Client-Side form validation? Since I think each validator control can select
> either 1) JavaScript based error dialog or 2) show the error message

next

to
> the control. For example, if the text field is empty with

RequiredField > Validator control, it can show the value in ControlToValidate

property in

> two ways as I mentioned.
>
> Please advise. Thanks!
>
>

It doesn't! Developers has to write thier own server side code to double
check the data coming in from a form.
"Matt" <ma*******@hotmail.com> wrote in message
news:Ov*************@TK2MSFTNGP12.phx.gbl...

Thanks Scott.

As you mentioned, ASP.NET has server-side validation to prevent "Spoofing". But how ASP to handle that situation?

Thanks!
"Scott M." <s-***@BADSPAMsnet.net> wrote in message
news:eC**************@TK2MSFTNGP09.phx.gbl...

"Spoofing" is one of the oldest problems on the web...

Let's say I run a business and have a form on my web site abc.com that
requires that you fill in certain information and enforces this by including

some client side code to check that you have filled that data in before

the

form will submit data back to me (abc.com).

Now, let's say you view my source code once the page has been delivered to

your browser (client) and save that source code to a local file on your

hard

drive. You have now, made a copy of my web page and saved it on your own machine. You go into my code and remove all my JavaScript that was
enforcing the required data and save your copy of my page without all that stuff.

Now, you bring up YOUR MODIFIED VERSION of my web page and fill in the

form

(or don't fill in the form) and hit submit...Since the form will still

send

the data back to me (abc.com), I will now recieve whatever you sent (or
didn't send). The form no longer checks you. This is spoofing.

Because .NET validation controls will do their check on the server as well as the client, in the example I just described (spoofing), your mal-formed data submission will be caught not by the client (you removed that

remember)

by the server. So, in .NET, spoofing is not a problem.

Hope this helps!

Scott M.

"Matt" <ma*******@hotmail.com> wrote in message
news:e3**************@TK2MSFTNGP12.phx.gbl...

Thanks Scott.

For the server side validation you mentioned: "the validation is again
performed on the server to catch any spoofing attempts by the client."

What

does it mean "spoofing attempts by the client?" Can you give some

concrete examples?

thanks!

"Scott M." <s-***@BADSPAMsnet.net> wrote in message
news:#q*************@TK2MSFTNGP12.phx.gbl...
> All the validation controls perform their respective validations BOTH client
> and server side. The validation is first done client side to prevent a

> wastefull trip to the server when the data is know to violate the
validation
> rules. Assuming the data is good (or seems to be), the validation

is again
> performed on the server to catch any spoofing attempts by the client. >
> Validation controls have an "EnableClientScript" property (which

defaults

to
> true) to indicate if the client side validation should, in fact, take place
> (this is presumably for situations when the client might have

scripting > turned off). Even if this setting is false, the server side validation will
> still occur.
>
> Now to your specific question, in VS.NET 2002, there is only 1 way that

a

> validator will show its error message and that is to show the error
message
> on the page where the validation control is placed. There is no

setting for
> the message to come up in a JavaScript "alert()" dialog. The exception

to

> this is the ValidationSummary control which does have a

"ShowMessageBox" > property where the summary results from all validations that have failed > will show in a JavaScript "alert()" dialog.
>
>
> "Matt" <ma*******@hotmail.com> wrote in message
> news:OZ**************@TK2MSFTNGP11.phx.gbl...
> > I want to know if ASP.NET Web Forms Validation Controls are

Server-Side

or
> > Client-Side form validation? Since I think each validator control can > select
> > either 1) JavaScript based error dialog or 2) show the error message next
> to
> > the control. For example, if the text field is empty with

RequiredField

> > Validator control, it can show the value in ControlToValidate property in
> > two ways as I mentioned.
> >
> > Please advise. Thanks!
> >
> >
>
>

Here's a slightly different perspective on Microsoft's client-side
validation: it only works on IE and IE/Mac browsers. For other browsers, it
uses that server side validation to catch errors. I have a commercial
solution that replaces Microsoft's validators with 22 validator controls
that support IE, IE/Mac, Netscape/Mozilla, Opera 7 and Safari with
client-side validation. Its called "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com

"Matt" <ma*******@hotmail.com> wrote in message
news:OZ**************@TK2MSFTNGP11.phx.gbl...

I want to know if ASP.NET Web Forms Validation Controls are Server-Side or
Client-Side form validation? Since I think each validator control can select either 1) JavaScript based error dialog or 2) show the error message next to the control. For example, if the text field is empty with RequiredField
Validator control, it can show the value in ControlToValidate property in
two ways as I mentioned.

Please advise. Thanks!

Actually, the validation controls will work client-side on any browser that
supports JavaScript. This includes IE, Netscape, Mozilla, Opera & Mosaic.
"Peter Blum" <PL****@Blum.info> wrote in message
news:OC****************@TK2MSFTNGP12.phx.gbl...

Here's a slightly different perspective on Microsoft's client-side
validation: it only works on IE and IE/Mac browsers. For other browsers, it uses that server side validation to catch errors. I have a commercial
solution that replaces Microsoft's validators with 22 validator controls
that support IE, IE/Mac, Netscape/Mozilla, Opera 7 and Safari with
client-side validation. Its called "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com

"Matt" <ma*******@hotmail.com> wrote in message
news:OZ**************@TK2MSFTNGP11.phx.gbl...

I want to know if ASP.NET Web Forms Validation Controls are Server-Side or Client-Side form validation? Since I think each validator control can select

either 1) JavaScript based error dialog or 2) show the error message next to

the control. For example, if the text field is empty with RequiredField
Validator control, it can show the value in ControlToValidate property

in two ways as I mentioned.

Please advise. Thanks!

"Scott M." <s-***@BADSPAMsnet.net> wrote in news:ehg5XFi4DHA.2756
@TK2MSFTNGP09.phx.gbl:

Actually, the validation controls will work client-side on any browser
supports JavaScript. This includes IE, Netscape, Mozilla, Opera &
What is Peter referncing then in his case? Why would he need to write
commercial replacements?
"Peter Blum" <PL****@Blum.info> wrote in message
news:OC****************@TK2MSFTNGP12.phx.gbl...

Here's a slightly different perspective on Microsoft's client-side
validation: it only works on IE and IE/Mac browsers. For other browsers,

it

uses that server side validation to catch errors. I have a commercial
solution that replaces Microsoft's validators with 22 validator controls
that support IE, IE/Mac, Netscape/Mozilla, Opera 7 and Safari with
client-side validation. Its called "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com

I supect he has custom validators that go beyond the 6 that MS provides.
I'm not saying his validators are/aren't useful, but his statement about the
MS validators only working in IE/Mac browsers is incorrect.
"Chad Z. Hower aka Kudzu" <cp**@hower.org> wrote in message
news:Xn******************@127.0.0.1...

"Scott M." <s-***@BADSPAMsnet.net> wrote in news:ehg5XFi4DHA.2756
@TK2MSFTNGP09.phx.gbl:

Actually, the validation controls will work client-side on any browser
supports JavaScript. This includes IE, Netscape, Mozilla, Opera &

What is Peter referncing then in his case? Why would he need to write
commercial replacements?

"Peter Blum" <PL****@Blum.info> wrote in message
news:OC****************@TK2MSFTNGP12.phx.gbl...

Here's a slightly different perspective on Microsoft's client-side
validation: it only works on IE and IE/Mac browsers. For other browsers,

it

uses that server side validation to catch errors. I have a commercial
solution that replaces Microsoft's validators with 22 validator

controls that support IE, IE/Mac, Netscape/Mozilla, Opera 7 and Safari with
client-side validation. Its called "Professional Validation And More" at http://www.peterblum.com/vam/home.aspx.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com

"Scott M." <s-***@BADSPAMsnet.net> wrote in
news:#R**************@TK2MSFTNGP09.phx.gbl:

I supect he has custom validators that go beyond the 6 that MS provides.
I'm not saying his validators are/aren't useful, but his statement about
the MS validators only working in IE/Mac browsers is incorrect.

Thanks for the clarification.
7
--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com

Let's try this again. Microsoft's client side script file,
WebUIValidation.js, is written for DHTML browsers. It uses document.all[] to
lookup the <span> tag that represents the validator's error message. It does
not use document.getElementById(), which is required for DOM-based browsers
like Netscape/Mozilla and Safari. Whether or not you can get the
WebUIValidation.js file to load on these DOM browsers, they will report
javascript errors when the code is run.

I'm not making any new claims here. This limitation has long been realized.

To be clear, I didn't write a few custom validators. I wrote an entirely new
framework for validation to address a long list of desirable things in
validation that were very difficult and at times impossible to address with
Microsoft's framework.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

"Chad Z. Hower aka Kudzu" <cp**@hower.org> wrote in message
news:Xn*****************@127.0.0.1...

"Scott M." <s-***@BADSPAMsnet.net> wrote in
news:#R**************@TK2MSFTNGP09.phx.gbl:

I supect he has custom validators that go beyond the 6 that MS provides.
I'm not saying his validators are/aren't useful, but his statement about
the MS validators only working in IE/Mac browsers is incorrect.

Thanks for the clarification.
7
--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com

"Peter Blum" <PL****@Blum.info> wrote in
news:#M**************@TK2MSFTNGP12.phx.gbl:

Let's try this again. Microsoft's client side script file,
WebUIValidation.js, is written for DHTML browsers. It uses
document.all[] to lookup the <span> tag that represents the validator's
error message. It does not use document.getElementById(), which is

Can anyone else confirm this?
--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com

I don't appreciate this lack of trust in me. Just because I publish a
commercial replacement to Microsoft's validators makes me suspect? Look, I
created a product because I spent time studying the issues and found a
tremendous list of problems to be addressed
(http://www.peterblum.com/vam/valmain.aspx). At this point, I may be one of
the most experienced people in the validation technology on ASP.NET
platforms.

1. Does WebUIValidation.js use the document.all[] command? Open the file and
search for it! Its in the function ValidatorHookupControlID, which attaches
the ControlToValidate to a client-side function that is called on onclick or
onchange events.

2. Is document.all[] DHTML only? Look at the w3c.org standard for DOM and
see that they only support document.getElementById() as a method to lookup
an ID. Look at Microsoft's DHTML reference for the 'all' property:
http://msdn.microsoft.com/library/de...ence_entry.asp
It says under "Standards information" "There is no public standard that
applies to this collection". In otherwords, its not in the W3C (DOM)
standard.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

"Chad Z. Hower aka Kudzu" <cp**@hower.org> wrote in message
news:Xn******************@127.0.0.1...

"Peter Blum" <PL****@Blum.info> wrote in
news:#M**************@TK2MSFTNGP12.phx.gbl:

Let's try this again. Microsoft's client side script file,
WebUIValidation.js, is written for DHTML browsers. It uses
document.all[] to lookup the <span> tag that represents the validator's
error message. It does not use document.getElementById(), which is

Can anyone else confirm this?
--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com

"Peter Blum" <PL****@Blum.info> wrote in
news:uh**************@TK2MSFTNGP11.phx.gbl:

I don't appreciate this lack of trust in me. Just because I publish a
commercial replacement to Microsoft's validators makes me suspect? Look,
I created a product because I spent time studying the issues and found a

Nowhere did I state a lack of trust. Im simply looking for secondary
verifications and or other experiences.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"
ELKNews - Get your free copy at http://www.atozedsoftware.com