Validating User Input in ASP.NET Web Pages (Razor) Sites
by Tom FitzMacken
This article contains the following sections:
Overview of User Input Validation

If you ask users to enter information in a page (for example, into a form), it's important to make sure that the values they enter are valid. For example, you don't want to process a form that's missing critical information.

When users enter values into an HTML form, the values they enter are strings. In many cases, the values you need are of some other data type, such as integers or dates. Therefore, you also have to make sure that the values users enter can be correctly converted to the appropriate data types.

You might also have certain restrictions on the values. Even if users correctly enter an integer, for example, you might need to make sure that the value falls within a certain range.

Important: Validating user input is also important for security. When you restrict the values that users can enter in forms, you reduce the chance that someone can submit a value that compromises the security of your site.

Validating User Input

In ASP.NET Web Pages 2, you can use the
The following example shows a page that illustrates these steps.
To see how validation works, run this page and deliberately make mistakes. For example, here's what the page looks like if you forget to enter a course name, enter a value of the wrong type, or enter an invalid date:

Adding Client-Side Validation

By default, user input is validated after users submit the page; that is, the validation is performed in server code. A disadvantage of this approach is that users don't know they've made an error until after they submit the page. If a form is long or complex, reporting errors only after the page is submitted is inconvenient for the user.

You can add support to perform validation in client script. In that case, the validation is performed as users work in the browser. For example, suppose you specify that a field is required. If a user leaves the field blank, the error is reported as soon as the user leaves the entry field. Users get immediate feedback, and client-side validation can also reduce the number of times the user has to submit the form to correct multiple errors.

Note: Even if you use client-side validation, validation is always also performed in server code. Client-side validation is a convenience for the user, not a security control: anyone can disable scripts, edit the page in the browser, or send the request directly with a tool, so the server-side checks are what actually protect the application.
The following page shows how to add client validation features to the example shown earlier.
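The following page is an added example, written for this edit rather than taken from the article, and it stands in for both listings that are missing from this copy: the server-side page described under "Validating User Input" and its client-side counterpart described here. It uses the ASP.NET Web Pages 2 validation helpers (Validation.RequireField, Validation.Add, the Validator.* rules, Validation.IsValid, Validation.For, Html.ValidationSummary and Html.ValidationMessage) together with the string conversion extensions (AsInt, AsDateTime, IsEmpty). The ~/Scripts folder and the script file names are assumptions about how your site is laid out; the field names and messages are constructed for the example. The style block uses the reserved validation class names that the "Formatting Validation Errors" section below refers to.

```cshtml
@{
    // Server-side rules. They are registered on every request, so they
    // apply to the initial GET and to the POST alike. The field names here
    // must match the name attributes of the inputs below.
    Validation.RequireField("coursename", "You must enter a course name.");
    Validation.Add("coursename",
        Validator.StringLength(100, 1, "Course name must be 1 to 100 characters."));

    Validation.RequireField("credits", "You must enter the number of credits.");
    Validation.Add("credits",
        Validator.Integer("Credits must be a whole number."),          // server only
        Validator.Range(1, 5, "Credits must be between 1 and 5."));    // client and server

    Validation.RequireField("startdate", "You must enter a start date.");
    Validation.Add("startdate",
        Validator.DateTime("Start date must be a valid date."));       // server only

    var result = "";
    if (IsPost && Validation.IsValid()) {
        // Convert and use the values only after every rule has passed on the
        // server. AsInt()/AsDateTime() are safe here because the validators
        // have already confirmed that the strings are present and parse.
        var courseName = Request.Form["coursename"];
        var credits = Request.Form["credits"].AsInt();
        var startDate = Request.Form["startdate"].AsDateTime();
        result = string.Format("Saved {0} ({1} credits), starting {2:d}.",
                               courseName, credits, startDate);
    }
}
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title>Add Course</title>
    <style>
        /* Reserved class names emitted by the validation helpers. The
           *-valid rules keep the element in the layout while it is empty, so
           that showing a message later does not reflow the page. */
        .validation-summary-errors { color: #a00; font-weight: bold; }
        .validation-summary-valid  { display: none; }
        .field-validation-error    { color: #a00; }
        .field-validation-valid    { display: inline-block; min-width: 14em; }
        .input-validation-error    { border: 1px solid #a00; }
        .input-validation-valid    { border: 1px solid #ccc; }
    </style>
    <!-- Client-side validation needs these three scripts, in this order.
         The folder and file names are assumptions about your site. -->
    <script src="~/Scripts/jquery.min.js"></script>
    <script src="~/Scripts/jquery.validate.min.js"></script>
    <script src="~/Scripts/jquery.validate.unobtrusive.min.js"></script>
</head>
<body>
    <h1>Add Course</h1>
    @* Razor HTML-encodes @-output, so echoing user-supplied values is safe. *@
    @if (!result.IsEmpty()) {
        <p>@result</p>
    }
    @Html.ValidationSummary("Please correct the following errors:")
    <form method="post">
        <div>
            <label for="coursename">Course name:</label>
            <input type="text" name="coursename" id="coursename"
                   value="@Request.Form["coursename"]" @Validation.For("coursename") />
            @Html.ValidationMessage("coursename")
        </div>
        <div>
            <label for="credits">Credits:</label>
            <input type="text" name="credits" id="credits"
                   value="@Request.Form["credits"]" @Validation.For("credits") />
            @Html.ValidationMessage("credits")
        </div>
        <div>
            <label for="startdate">Start date:</label>
            <input type="text" name="startdate" id="startdate"
                   value="@Request.Form["startdate"]" @Validation.For("startdate") />
            @Html.ValidationMessage("startdate")
        </div>
        <input type="submit" value="Submit" />
    </form>
</body>
</html>
```

Two things are worth checking when you run it. First, disable scripts (or post the form with a request tool) and submit a start date such as 32/45/2012: the DateTime rule has no client-side equivalent, so the browser lets it through and only the server reports the error, which is why the server-side checks are the ones that count. Second, note that the page never calls AsInt() or AsDateTime() on a submitted value until Validation.IsValid() has returned true; converting first and validating afterwards is a common way to end up with an exception or a default value of zero being used silently.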
Not all validation checks run on the client. In particular, data-type validation (integer, date, and so on) doesn't run on the client. The following checks work on both the client and server:
In this example, the test for a valid date won't run in client code. However, the test is still performed in server code.

Formatting Validation Errors

You can control how validation errors are displayed by defining CSS classes that have the following reserved names:
The following
If you include this style block in the example pages from earlier in the article, the error display will look like the following illustration:

Note: If you're not using client validation in ASP.NET Web Pages 2, the CSS classes for the

Static and Dynamic Error Display

The
CSS rules come in pairs, such as
In other words, the

In some situations, displaying an error message can cause the page to reflow and can cause elements on the page to move around. The CSS rules that end in

Validating Data That Doesn't Come Directly from Users

Sometimes you have to validate information that doesn't come directly from an HTML form. A typical example is a page where a value is passed in a query string, as in the following example:
In this case, you want to make sure that the value that's passed to the page (here, 1022 for the value of

Important: Always validate values that you get from any source, including form-field values, query-string values, and cookie values. It's easy for people to change these values, perhaps for malicious purposes: a URL, a hidden form field or a cookie can be edited in the browser without any special tools. So you must check these values on the server in order to protect your application.

The following example shows how you might validate a value that's passed in a query string. The code tests that the value is not empty and that it's an integer.
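The following page is an added example, written for this edit and not taken from the article, of the query-string check described above. It assumes the Validation.AddFormError helper of ASP.NET Web Pages 2 (which records an error that is not tied to a particular field) and the IsEmpty, IsInt and AsInt string extensions; the classid parameter name, the 1022 sample value and the TryReadClassId helper are constructed for the example. It goes one step beyond the page's test by also rejecting zero and negative IDs, which parse as integers but mean nothing to the application.

```cshtml
@functions {
    // Added helper, not from the article: accepts a raw string from any
    // request source (query string, cookie, header) and returns true with the
    // parsed ID only when the value is present, an integer, and positive.
    // Each failure is recorded as a form-level error with Validation.AddFormError.
    bool TryReadClassId(string raw, string source, out int classId)
    {
        classId = 0;
        if (raw.IsEmpty()) {
            Validation.AddFormError("No class ID was supplied in the " + source + ".");
            return false;
        }
        if (!raw.IsInt()) {
            Validation.AddFormError("The class ID in the " + source + " is not a whole number.");
            return false;
        }
        classId = raw.AsInt();
        if (classId <= 0) {
            // Parses fine but is meaningless here: a type check alone does
            // not make a value acceptable to the application.
            Validation.AddFormError("The class ID in the " + source + " is out of range.");
            return false;
        }
        return true;
    }
}
@{
    // Constructed scenario: the page is requested as Course.cshtml?classid=1022.
    // The check runs only when the request is not a form submission, because
    // that is when the ID is expected to arrive in the URL.
    var classId = 0;
    var haveClass = false;
    if (!IsPost) {
        haveClass = TryReadClassId(Request.QueryString["classid"], "query string", out classId);
    }
}
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title>Course</title>
</head>
<body>
    <h1>Course</h1>
    @* Errors added with Validation.AddFormError are shown by the summary. *@
    @Html.ValidationSummary()
    @if (haveClass) {
        @* Load the class only at this point, and only after confirming that
           the current user is allowed to see it: a well-formed ID is not the
           same thing as an authorised one. *@
        <p>Showing class @classId.</p>
    }
</body>
</html>
```

The same helper covers the cookie case the note above mentions: call it with the cookie's value after guarding for a missing cookie, since Request.Cookies["classid"] returns null when the cookie is absent. Whatever the source, the value is used only after the helper has returned true.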
Notice that the test is performed when the request is not a form submission (

To display this error, you can add the error to the list of validation errors by calling

Additional Resources

Working with HTML Forms in ASP.NET Web Pages Sites