Is there a security reason to validate a textbox input if you are limiting the max length of the input?

Question

Since I'm new to coding and I'm trying to understand why here is a little more detail on the question.

If you have a text box and you are limiting the input to say 2 charactrs do you really need to validate the input further?

What I have is a text box that has a max length of 2. Is there a security reason to add a validator to the textbox. I should add this is in Asp.net.

Answer 1

Yes, you must still check. Setting the MaxLength property only sets the MaxLength attribute on the input element; a user can simply remove that value in the HTML source they are getting, or 'hack' it via any of many tools available.

Your server still needs to make sure it's only 2 characters, with server-side validation.

Answer 2

Are you talking about server-side validation of the input? If so, then you should validate beacuse anyone can build a HTTP POST request without passing through a browser, in which case their is no 2 character limit.

However, the security validation just depends on what you're going to accomplish with the given input. If you're constructing a database query, sending an e-mail or other such thing using the input, then you should always validate, independantly of input length.