
Best practices for input validation in ASP.NET?

What is the common practice of input validation? In other words, do you check for input validation on client-side, on server-side or on both sides?

Also, if performance is crucial to me, would just the client-side input validation be sufficient for my website without presenting any security risks?

Sahat Yalkabov asked Jul 03 '10 19:07


6 Answers

Always perform at least server-side validation. If you want to improve the user's experience, client-side validation could be nice. It also allows you to avoid unnecessary requests to the server.

Client-side validation alone is not sufficient and can be easily bypassed, for example by disabling JavaScript.

I would recommend you to always start by adding server side validation and once you've tested it, you could enable client side validation.

Darin Dimitrov answered Oct 24 '22 17:10


DO NOT RELY ON CLIENT SIDE VALIDATION!!!
It's just there for the honest user. The dishonest user can get around it in no time.

If I shut off JavaScript, I can hammer your app to shit. Always put server side validation in... it's not that hard.

Web Forms

' VB
If Page.IsValid Then
    ' submit your data
End If

// C#
if (Page.IsValid) {
    // submit your data
}

MVC

' VB
If ModelState.IsValid Then
    ' submit your data
End If

// C#
if (ModelState.IsValid) {
    // submit your data
}

Once your server side validation is functioning, then go ahead and add the client side validation. It will make the experience better for the user.

Chase Florell answered Oct 24 '22 17:10
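A server-side check of the kind `ModelState.IsValid` reports, as an added example that is not part of the answers on this page: it assumes the model carries DataAnnotations attributes, which MVC evaluates during model binding. The `SignupForm` model, its rules and both sample inputs are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Hypothetical form model; the property names and rules are assumptions for this example.
public class SignupForm
{
    [Required, StringLength(20, MinimumLength = 3)]
    [RegularExpression(@"^[A-Za-z0-9_]+$")]
    public string UserName { get; set; }

    [Required, EmailAddress]
    public string Email { get; set; }

    [Range(13, 120)]
    public int Age { get; set; }
}

public static class ServerSideValidation
{
    // Evaluates the attribute rules on the server, independent of
    // whatever the browser did or did not check before posting.
    public static bool TryValidate(object model, out List<ValidationResult> errors)
    {
        errors = new List<ValidationResult>();
        var context = new ValidationContext(model, null, null);
        return Validator.TryValidateObject(model, context, errors, validateAllProperties: true);
    }

    public static void Main()
    {
        // Constructed inputs: the first is what a request can carry once
        // client-side validation is switched off; the second is a normal submission.
        var bypassed = new SignupForm { UserName = "<script>", Email = "not-an-email", Age = -1 };
        var normal = new SignupForm { UserName = "alice_01", Email = "alice@example.com", Age = 30 };

        foreach (var form in new[] { bypassed, normal })
        {
            List<ValidationResult> errors;
            if (TryValidate(form, out errors)) { Console.WriteLine("accepted: " + form.UserName); continue; }
            Console.WriteLine("rejected: " + form.UserName);
            foreach (var e in errors)
                Console.WriteLine("  " + string.Join(",", e.MemberNames) + ": " + e.ErrorMessage);
        }
    }
}
```

In a controller action the same rules surface through `ModelState.IsValid`, so the data is only submitted when that check passes.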


One thing that I would recommend is using FluentValidation, xVal and jQuery together to perform client and server side validation based on the same rules.

FluentValidation is a rules-based framework that validates .NET objects on the server side. It comes with a rules provider for xVal, which is another framework that allows you to link up your choice of server side and client side validation frameworks. It supports generating jQuery validators on the client side.

Daniel Dyson answered Oct 24 '22 19:10


Generally on both sides. The client side one can easily be bypassed, either intentionally or innocently (with the prevalence of NoScript), but is worth having for usability reasons.

As to whether it presents a security risk: what are you using the user input for, and what is the current nature of your validation?

If it is just checking that someone has filled out mandatory fields in a form, it is perhaps unlikely that there would be a security risk.

Martin Smith answered Oct 24 '22 18:10


It is required to use at least server-side validation, because client-side validation can be quite easily bypassed.

If you want to have a better user experience, use client-side validation too. This also increases performance, since it reduces the number of HTTP requests to the server, because invalid forms won't be sent up to the server.

Venemo answered Oct 24 '22 18:10


Most common is using both client and server side validation.

would only the client-side input validation be sufficient for my website without presenting any security risks?

No, you should use server side validation too. It's pretty simple to remove client validation with (for example) Firebug. Obviously, after removing client side validation, an evildoer can send any data to the server. So server side validation is strongly needed too.

Igor V Savchenko answered Oct 24 '22 17:10