How to handle input and parameter validation between layers?

Tags:

c#

asp.net

If I have a 3-layer web forms application that takes user input, I know I can validate that input using validation controls in the presentation layer. Should I also validate in the business and data layers as well to protect against SQL injection and other issues? What validations should go in each layer?

Another example would be passing an ID to return a record. Should the data layer ensure that the ID is valid, or should that happen in the BLL / UI?

jpshook asked Mar 05 '10 15:03


1 Answer

You should validate in all layers of your application.

What validation will occur at each layer is specific to the layer itself. Each layer should be safe to send "bad" requests to and get a meaningful response, but which checks to perform at each layer will depend on your specific requirements.

Broadly:

  • User Interface - Should validate user input, provide helpful error messages and visual clues to correcting them; it should be protecting your lower layers against invalid user input.
  • Business / Domain Layer - Should check arguments to methods are valid (throwing ArgumentException and similar when they are not) and should check that operations are possible within the constraints of your business rules; it should be protecting your domain against programming mistakes.
  • Data Layer - Should check the data you are trying to insert or update is valid within the context of your database, that it meets all the relational constraints and check constraints; it should be protecting your database against mistakes in data-access.

Validation at each layer will ensure that only data and operations the layer believes to be correct are allowed to enter. This gives you a great deal of predictability, knowing information had to meet certain criteria to make it through to your database, that operations had to be logical to make it through your domain layer, and that user input has been sanitized and is easier to work with.

It also gives you security, knowing that if any of your layers was subverted, there is another layer performing checks behind it which should prevent anything entering which you don't want.

Paul Turner answered Oct 14 '22 07:10
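As an added illustration of the three-layer split the answer describes (example code written for this page, not code from the question or the answer): the UI layer turns raw text into a typed request or a friendly message, the business layer checks its arguments and business rules and throws ArgumentException-style exceptions, and the data layer enforces the equivalent of row-existence and check constraints. Each layer is exercised directly with bad input to show it stays safe on its own. The class names ProductRepository, InventoryService and ProductPage and the in-memory dictionary standing in for the database are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical three-layer example; an in-memory dictionary stands in for the database table.

public sealed class ProductRecord
{
    public int Id { get; init; }
    public string Name { get; init; } = "";
    public int Stock { get; init; }
}

// ---- Data layer: protects the store's integrity (relational / check constraints) ----
public sealed class ProductRepository
{
    // Constructed sample rows, not real data.
    private readonly Dictionary<int, ProductRecord> _rows = new()
    {
        [1] = new ProductRecord { Id = 1, Name = "Widget", Stock = 5 },
        [2] = new ProductRecord { Id = 2, Name = "Gadget", Stock = 0 },
    };

    // The id is a typed int: a real implementation would bind it as a SqlParameter,
    // so it can only ever reach the database as a value, never as SQL text.
    public ProductRecord? FindById(int id) =>
        _rows.TryGetValue(id, out var row) ? row : null;

    public void UpdateStock(int id, int newStock)
    {
        // Equivalent of a CHECK (Stock >= 0) constraint.
        if (newStock < 0)
            throw new InvalidOperationException("Constraint violated: Stock must be >= 0.");
        // Equivalent of a row-existence / foreign-key check.
        if (!_rows.ContainsKey(id))
            throw new KeyNotFoundException($"No product row with Id {id}.");
        _rows[id] = new ProductRecord { Id = id, Name = _rows[id].Name, Stock = newStock };
    }
}

// ---- Business layer: protects the domain against programming mistakes ----
public sealed class InventoryService
{
    private readonly ProductRepository _repo;
    public InventoryService(ProductRepository repo) => _repo = repo;

    public ProductRecord GetProduct(int id)
    {
        if (id <= 0)
            throw new ArgumentOutOfRangeException(nameof(id), "Product ids are positive integers.");
        return _repo.FindById(id)
            ?? throw new KeyNotFoundException($"Product {id} does not exist.");
    }

    public void RemoveStock(int id, int quantity)
    {
        if (quantity <= 0)
            throw new ArgumentOutOfRangeException(nameof(quantity), "Quantity must be positive.");
        var product = GetProduct(id); // re-checks the id argument
        // Business rule: you cannot remove more than you hold.
        if (product.Stock < quantity)
            throw new InvalidOperationException($"Only {product.Stock} of '{product.Name}' in stock.");
        _repo.UpdateStock(id, product.Stock - quantity);
    }
}

// ---- Presentation layer: validates user text and never passes it downward raw ----
public static class ProductPage
{
    public static string HandleLookup(InventoryService service, string rawId)
    {
        if (!int.TryParse(rawId, out var id) || id <= 0)
            return "Please enter a positive whole-number product id.";
        try
        {
            var p = service.GetProduct(id);
            return $"{p.Name}: {p.Stock} in stock";
        }
        catch (KeyNotFoundException)
        {
            return "No product found with that id.";
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var service = new InventoryService(new ProductRepository());

        // UI layer: non-numeric text is stopped here with a helpful message.
        Console.WriteLine(ProductPage.HandleLookup(service, "1 OR 1=1"));
        Console.WriteLine(ProductPage.HandleLookup(service, "1"));

        // BLL called directly with a bad argument still fails safely.
        try { service.RemoveStock(1, -3); }
        catch (ArgumentOutOfRangeException e) { Console.WriteLine("BLL rejected: " + e.ParamName); }

        // DAL called directly with constraint-violating data still fails safely.
        try { new ProductRepository().UpdateStock(2, -1); }
        catch (InvalidOperationException e) { Console.WriteLine("DAL rejected: " + e.Message); }
    }
}
```

Run it as a console project targeting .NET 6 or later (it uses C# 9 features such as `init` setters and target-typed `new`). The key design choice is that only typed values cross layer boundaries: the UI parses to an int, the BLL receives ints, and the DAL binds ints, so a string like `1 OR 1=1` has no path to the database, while the BLL and DAL checks still catch mistakes by any code that bypasses the UI.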