Client-Side Validation

As mentioned, the validation controls use the WebUIValidation.js file's JScript validation functions to perform validation on browsers that support it. This is referred to as client-side validation and is preferred over server-side validation because it offers the user a better, more responsive experience. It can be very frustrating to have to wait 5 or 10 seconds after each page request, only to find out after each submission that another form element is not valid. By performing all the validation client-side, the user doesn't have the delays that are commonly associated with server-side validation.

However, there are some problems with client-side validation that preclude its use as the sole means of validating user input. First of all, not all browsers support client-side scripting, so obviously we cannot use this approach everywhere. Second, it is not difficult for a malicious user to bypass client-side script by saving the Web form on the user's own machine, removing the validation script, and then submitting the form. If client-side validation were the only method used, this would pose a security hole, because the end user could potentially submit values that would confuse the ASP event handler or simply place garbage data into the application's database.

For these reasons, server-side validation is always performed by ASP.NET validation controls, and client-side validation is only done on those browsers that are known to support client-side scripting. This behavior can be further controlled by the developer through the use of the Page directive's ClientTarget property. By setting this property to " Downlevel ", you force the validation controls to assume that the client has no client-side scripting capabilities, and so only server-side validation is used. With this setting, no Dynamic HTML (DHTML) is used, and every form submission will result in a round trip to the server. Similarly, by setting the property to " Uplevel ", you force the validation controls to always use client-side validation (in addition to server-side) and DHTML, without checking to see whether the client supports these features.