Validators use JavaScript when it is available, but keep in mind that users
can disable JavaScript. To make sure this does not prevent the Validators
from validating the submitted data, validation is performed server-side as
well. Why bother to create the code in both places, you ask? Well, because
when JavaScript is enabled, the server-side validation will not be executed
until the data is valid (except in the case of a CustomValidator). This
means fewer trips between the client and server. As for your question as to
whether you still need to validate user input at the server side, the answer
is the boring "It depends". What does it depend on? Well, it depends on what
you are validating and what validators you have. The key questions to ask
yourself are:
1. What do I know about the input I am receiving now that it has passed the
test of my validators?
2. What requirements do I need the input to meet in order to be valid?
3. Do I know for sure that the input meets these requirements?
4. What, if any, extra validation do I need to do to the input in order to
be sure it meets these requirements?
Normally, the answer to #4 will be performed in a CustomValidator so that
the error message can be displayed in a friendlier manner if the user needs
to see it and so that you can determine whether the data is valid by using
the Page.IsValid property. As far as the part about attackers, well, I'm not
an expert in that area, so all I can say is validate all input as strictly
as possible (without making the page unattractive to users, of course), make
sure the error message tells the user what is wrong with their input, and,
of course, use all the network safety features on your network, because an
attacker can't run their custom script if they can't get to your network.
Hopefully this information is helpful, and for more details, you might want
to post to one of the security or network newsgroups. Good Luck!
--
Nathan Sokalski
nj********@hotmail.com http://www.nathansokalski.com/
"Howard" <ho*******@yahoo.com> wrote in message
news:uA**************@TK2MSFTNGP05.phx.gbl...
Since validator controls use client-side JavaScript to validate the input,
do I still need to validate user input at the server side?
What if an attacker writes a custom script that doesn't require the use of
an internet browser? Will he be able to skip the ASP.NET validator
controls?
Thanks,
Howard
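
The server-side half of the validation discussed in this thread, as an added example that is not code from either poster: a CustomValidator's ServerValidate handler plus the Page.IsValid check in the button handler, which is what still runs when a request arrives without any browser or JavaScript involved. The page name, control IDs, the 1 to 100 range and the markup in the comment are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Order.aspx. Assumed markup (not from the thread):
//   <asp:TextBox ID="QuantityBox" runat="server" />
//   <asp:CustomValidator ID="QuantityValidator" runat="server"
//        ControlToValidate="QuantityBox" ValidateEmptyText="true"
//        OnServerValidate="QuantityValidator_ServerValidate"
//        ErrorMessage="Quantity must be a whole number from 1 to 100." />
//   <asp:Button ID="SaveButton" runat="server" Text="Save"
//        OnClick="SaveButton_Click" />
//   <asp:Label ID="ResultLabel" runat="server" />
public partial class Order : Page
{
    // Strict parse: digits only, no sign, whitespace or separators,
    // then a range check (the range is an assumed business rule).
    private static bool TryParseQuantity(string raw, out int quantity)
    {
        return int.TryParse(raw, NumberStyles.None,
                            CultureInfo.InvariantCulture, out quantity)
               && quantity >= 1 && quantity <= 100;
    }

    // Raised on the server during postback validation, independent of
    // whether the client ever executed the validator's JavaScript.
    protected void QuantityValidator_ServerValidate(object source,
                                                    ServerValidateEventArgs args)
    {
        int ignored;
        args.IsValid = TryParseQuantity(args.Value, out ignored);
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // The click handler fires even when a validator failed, so the
        // handler itself must refuse to act on invalid input.
        if (!Page.IsValid)
        {
            return; // the validators render their error messages
        }

        int quantity;
        if (TryParseQuantity(QuantityBox.Text, out quantity))
        {
            ResultLabel.Text = "Saved quantity " + quantity.ToString(CultureInfo.InvariantCulture);
        }
    }
}
```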