Input validation in ASP.NET websites
When data is sent from browser to server, need to ensure it is valid.
Users expect feedback and assistance to enter valid data.
ASP.NET provides mechanisms for both client-side and server-side validation.
Client side validation is convenient for users, but is not a security feature.
Improves performance by checking data before submission to server.
Malicious user can easily circumvent it.
Validation controls are found in Visual Studio Toolbox.
Add same way as other controls.
- Open page in Design View & add input controls requiring validation
- Drag desired validation control next to (or near) input control to validate
- Set ID property of validation control - for readability make it similar to input control it is validating, e.g. NameTextBoxValidator
- Set ControlToValidate property on validation control to control being validated
- Set ErrorMessage to something meaningful for the user. Typically displayed in ValidationSummary control on the page
- Set Text property to display at the validation control location if the validation fails. If planning to use ValidationSummary control, set Text property to something short, such as *
- Set ToolTip property to something similar to ErrorMessage. The tooltip will be displayed when user points to validation control after validation fails.
- Set Display property to None to prevent Text property being displayed. Set to Static to leave blank space where message will appear. Set to Dynamic to reformat ASP.NET output around Text when validation fails.
- Optionally add ValidationSummary to display validation error messages in one location after user has triggered page-level validation by clicking a submit button. Useful in page crowded with other controls. Typically placed near submit button. If ShowMessageBox property is true then control will display a pop-up message.
Validation controls work in concert with Page object. ASP.NET uses Page class and validation controls to ensure incoming data is valid.
Page class Validators property contains collection of validation controls defined on page.
The Page's Validate method causes the page to check each validation control.
Validate method called automatically after Load event handler method executed.
Can check if page is Valid by checking Page.IsValid property (after the page has loaded).
Should check Page.IsValid property in every event handler to determine if code should run.
ASP.NET writes client-side validation code for validation control on page.
Turned on by default.
Can turn off for specific controls by setting EnableClientScript property to false.
Validation controls have SetFocusOnError property that when true causes invalid control to receive focus.
When to cause validation
Client side validation is a convenience for users.
Primary benefit is stopping page from being posted back until all client-side validation passes.
Can be a problem in some circumstances, e.g. clicking cancel or help button when page not in valid state. Avoid problem by setting CausesValidation property to false for controls that should bypass validation.
May not want entire page to be validated as a whole.
May want to break up into sections and have them validated independently, e.g. form with multiple sections.
Validation controls support ValidationGroup property, which is assigned string value. Same property also present on controls causing postback. When control performs postback, validation controls with matching ValidationGroup property are validated.
On server the Page.IsValid property only reflects validity of controls that have been validated. By default these are controls in same ValidationGroup. Can call a control's Validate method to add control to set of controls the IsValid property reports on.
Overload of Page.Validate method accepts a string to specify ValidationGroup to check.
The Page.GetValidators method accepts string identifying ValidationGroup and returns list of controls in that validation group.
RequiredFieldValidator: ensures user has entered value into field.
Provides InitialValue property that when set ensures the user has changed field value.
CompareValidator: performs comparison using operators like greater than or less than (set via Operator property) to compare user data with constant value provided, or another control.
ValueToCompare property provides constant used to perform comparison against - ignored for DataTypeCheck comparisons.
ControlToCompare property allows comparisons to be made against value of another control.
Can also check data entered is of certain data type, e.g. date or number, by setting Type property to required data type. Can limit to type checks by setting Operator property to DataTypeCheck.
RangeValidator: ensures value entered is within predefined range, specified by MinimumValue and MaximumValue.
RegularExpressionValidator: the ValidationExpression property specifies a regular expression that the control being checked must pass.
CustomValidator: used to create own validation mechanism.
Custom Client-Side Validation
Function must have signature of function ClientFunction(source, arguments)
The source parameter contains reference to validation control performing validation.
The arguments parameter contains an object with a Value property that contains data to be validated.
Validation logic should set arguments.IsValid to true (valid) or false (invalid).
Used for complex scenarios that cannot be covered by regular expressions, e.g. calling web service to make sure user name available without requiring post back to take place.
Custom Server-Side Validation
CustomValidator can work client-side, server-side or both.
To implement server side, handle the ServerValidate event of the CustomValidator - the same way as implementing an event handler for any control.
Two parameters provided to handler:
- the source object - provides access to the source validation control
- the ServerValidateEventArgs - the arguments for checking. args.Value is the value to check and args.IsValid should be set to indicate validation success or failure.
Server side validation does not need to provide exactly same validation as client side, e.g. client side might check 5 digit user id is within an acceptable range whilst server side will perform database lookup to verify it actually exists.
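Added example (not from the original notes): a code-behind sketch tying together the ServerValidate handler, the Page.Validate overload for a ValidationGroup, and the Page.IsValid check in an event handler. The page name, control IDs, the "Account" group and the UserExists lookup are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical Register.aspx.
public partial class Register : Page
{
    // Normally generated into the designer file from the .aspx markup.
    protected TextBox UserIdTextBox;
    protected Label ResultLabel;

    // Constructed stand-in for the database lookup mentioned in the text.
    private static readonly HashSet<string> KnownUserIds =
        new HashSet<string> { "10023", "20417" };

    private static bool UserExists(string userId)
    {
        return KnownUserIds.Contains(userId);
    }

    // Wired to the CustomValidator's ServerValidate event. Runs on the server
    // whenever the validator is checked, whether or not client script ran.
    protected void UserIdValidator_ServerValidate(object source, ServerValidateEventArgs args)
    {
        string value = (args.Value ?? string.Empty).Trim();
        // Repeat the format check: the browser-side check can be skipped.
        bool wellFormed = Regex.IsMatch(value, @"\A[0-9]{5}\z");
        args.IsValid = wellFormed && UserExists(value);
    }

    // Click handler for a submit button with ValidationGroup="Account".
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Validate the group explicitly so IsValid reports on these validators.
        Page.Validate("Account");
        if (!Page.IsValid)
        {
            return; // validators render their own messages; do no work
        }
        // Label.Text is not encoded automatically, so encode user input.
        ResultLabel.Text = "Saved user " + Server.HtmlEncode(UserIdTextBox.Text.Trim());
    }
}
```

A request posted with client script disabled still reaches SaveButton_Click, so the IsValid check is the only thing that stops the handler from acting on invalid data.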