Re: BIG WARNING - validation controls appear to be ignored.
From: Lau Lei Cheong (leu_lc_at_yehoo.com.hk)
Date: 02/25/05
- In reply to: Andy Fish: "BIG WARNING - validation controls appear to be ignored."
Date: Fri, 25 Feb 2005 09:34:27 +0800
Just like any client-side checking using VBScript/JavaScript, they can
always be overridden.
So never just do client-side checking of data, do server-side checking on
the received data as well.
This may seem redundant, but client-side check enables quicker response and
fewer postbacks, while server-side check makes your data safer.
"Andy Fish" <ajfish@blueyonder.co.uk> wrote in message
news:OyahI6oGFHA.3472@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> Although I have got to the bottom of this problem, it gave me quite a shock
> to discover how easy it is to write a very unsafe application with .Net
> validators.
>
> The scenario was this: we wrote and tested an application using validators,
> but when we deployed the app onto a different server, it accepted and
> processed invalid input from the user.
>
> Turns out that in testing the validators were running client-side. When a
> client-side validator blocks the input there is no postback and hence
> nothing happens on the server. However, if client-side validation is
> disabled for any reason, all control events fire on the server even if the
> page is invalid. If, like me, you were expecting the page processing to
> finish in the event of a validation failure and not fire button clicks etc,
> you are sadly mistaken. If you use validators, you must check manually
> Page.IsValid in every "click" event.
>
> I realise this is probably in the documentation (section 34.4b(ii)
> subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will think
> this is obvious, but I'm sure that there must be hundreds of apps out there
> that are unwittingly relying on client-side validation.
>
> The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE VALIDATION
> DISABLED. The default configuration could lull you into a false sense of
> security and could lead to shipping an unsafe application.
>
> Andy
>
>
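The Page.IsValid check discussed in this thread, as an added example that is not part of either post: a hypothetical WebForms code-behind showing a click handler that relies on the validators beside one that checks the server-side result first. The page class, control names, validator settings and SaveOrder are assumptions made for illustration.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind. Assumed markup: TextBox "QuantityBox", a
// RangeValidator on it (Type="Integer", MinimumValue="1", MaximumValue="100"),
// Label "ResultLabel", and buttons wired to the two handlers below.
public class OrderPage : Page
{
    protected TextBox QuantityBox;
    protected Label ResultLabel;

    // Before: relies on the validator script having blocked the postback.
    // With client-side validation off, this runs on invalid input.
    protected void UnsafeSubmit_Click(object sender, EventArgs e)
    {
        SaveOrder(int.Parse(QuantityBox.Text));
    }

    // After: the validators have already run on the server for a button with
    // CausesValidation="true", but nothing stops the handler. Check the result.
    protected void SafeSubmit_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            ResultLabel.Text = "Please correct the input and resubmit.";
            return;
        }

        // A RangeValidator passes an empty field, so parse and bound the
        // value in code as well instead of trusting the control alone.
        int quantity;
        if (!int.TryParse(QuantityBox.Text, out quantity) || quantity < 1 || quantity > 100)
        {
            ResultLabel.Text = "Quantity must be a whole number from 1 to 100.";
            return;
        }

        SaveOrder(quantity);
    }

    // Stand-in for the real processing step.
    private void SaveOrder(int quantity)
    {
        ResultLabel.Text = "Order saved: " + quantity;
    }
}
```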