Best practices for input validation in ASP.NET?

Question

What is the common practice of input validation? In other words do you check for input validation on client-side, on server-side or on both sides?

Also, if performance is crucial to me, would just the client-side input validation be sufficient for my website without presenting any security risks?

Answer 1

Always perform at least server side validation. If you want to improve users experience, client side validation could be nice. It also allows you to avoid unnecessary requests to the server.

Only client side validation is not sufficient and can be easily bypassed by disabling javascript for example.

I would recommend you to always start by adding server side validation and once you've tested it, you could enable client side validation.

Answer 2

DO NOT RELY ON CLIENT SIDE VALIDATION!!!
It's just there for the honest user. The dishonest user can get around it in no time.

If I shut off Javascript, I can hammer your app to shit. Always put server side validation in... it's not that hard

Web Forms

''# VB
If Page.isValid Then
    ''# submit your data
End If

// C#
if(Page.isValid) {
    // submit your data
}

MVC

''# VB
If ModelState.IsValid Then
    ''# submit your data
End If

// C#
if(ModelState.IsValid) {
    // submit your data
}

Once your server side validation is functioning, then go ahead and add the client side validation. It will make the experience better for the user

Answer 3

One thing that I would recommend is using FluentValidation, xVal and JQuery together to perform Client and Server side validation based on the same rules.

FluentValidation is a rules-based framework that validates .net objects on the server side. It comes with a rules provider for xVal, which is another framework that allows you to link up your choice of server side and client side validation frameworks. It supports generating JQuery validators on the client side

Answer 4

Generally on both sides. The client side one can easily be bypassed either intentionally or innocently (with the prevalence of noscript) but is worth having for usability reasons.

As to whether it presents a security risk. What are you using the user input for and what is the current nature of your validation?

If it is just checking that someone has filled out mandatory fields in a form it is perhaps unlikely that there would be a security risk.

Answer 5

It is required to use at lest server-side validation, because clie-side validation can be quite easily bypassed.

If you want to have a btter user exprience, use client-side validation too. This also increases performance, since it reduces the number of HTTP requests to the server, because invalid forms won't be sent up to the server.

Answer 6

Most common is using both client and server side validation.

would only the client-side input validation be sufficient for my website without presenting any security risks?

No, you should use server side validation too. It's pretty simple to remove client validation with (for example) firebug. Obviously after removing client side validation evildoer can send any data to server. So server side validation is strongly needed too.