Validate Data from Untrusted Sources

Validating data from untrusted sources is covered in extreme detail in Chapter 12, but the issue is serious enough that you should know how to use the validation controls in ASP.NET to reduce the risk of script-injection attacks and other input-based attacks.

ASP.NET includes functionality named Web Server Controls, which allows prebuilt controls to be placed on Web pages and executed and rendered at the server (and, where the browser supports it, at the client). One such control, named RegularExpressionValidator, allows a Web developer to rapidly check the syntax of any input from a user against a regular expression. What makes this control so useful is that it is completely self-contained: you don't need to write and maintain extra validation script spread across the Web application. The following is a simple example of testing a form entry at the server to make sure it is a well-formed e-mail address:

<form method="post" runat="server">
    <asp:TextBox id="txtEmail" runat="server"></asp:TextBox>
    <asp:RegularExpressionValidator
        runat="server"
        ErrorMessage="Try again!"
        ControlToValidate="txtEmail"
        ValidationExpression="\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"
        ToolTip="Enter a valid email name."
        Display="Dynamic">
    </asp:RegularExpressionValidator>
</form>

You should create one RegularExpressionValidator object per form entry and check whether the data at the server is correctly formed, rather than blindly accept input. Two details matter in practice. First, the control treats an empty field as valid, so pair it with a RequiredFieldValidator for any field that must be supplied. Second, the validators only record their verdict: the page's event handlers still run after a failed validation, so server code must check Page.IsValid before it uses the input. The control also requires the expression to match the entire input, which is why the expression above does not need ^ and $ anchors.
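The server side of that form, as an added example that is not code from the book: a code-behind class for the page above that checks Page.IsValid in the submit handler before touching the value. The control IDs txtEmail and btnSubmit, the class name SignupPage and the StoreEmail helper are assumptions for the example; the Page.Validate and Page.IsValid members are real ASP.NET API.

```csharp
// Added example (not from the book). Code-behind for the form above.
// Assumed names: SignupPage, txtEmail, btnSubmit, StoreEmail.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public class SignupPage : Page
{
    // Declared to match the id="..." attributes in the .aspx markup.
    protected TextBox txtEmail;
    protected Button btnSubmit;

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // The validators run automatically on postback, but they only set
        // Page.IsValid; nothing stops this handler from running on bad input.
        // Calling Validate() explicitly also covers the case where the button
        // was declared with CausesValidation="false".
        Page.Validate();

        if (!Page.IsValid)
        {
            // Do not use txtEmail.Text here. The validators' ErrorMessage
            // values are rendered by the validator controls themselves (or a
            // ValidationSummary control), so simply return and re-render.
            return;
        }

        // Reached only when every validator on the page succeeded, so the
        // value is known to match the e-mail expression (and to be non-empty
        // if a RequiredFieldValidator is also attached to txtEmail).
        string email = txtEmail.Text;
        StoreEmail(email);
    }

    // Placeholder for the real work (for example a parameterized database
    // insert). Assumed helper, not part of the ASP.NET API.
    private void StoreEmail(string email)
    {
        // ...
    }
}
```

Wire the handler up with OnClick="btnSubmit_Click" on the button in the markup; if you rely on the client-side script alone and skip the IsValid check, a request crafted without the browser reaches StoreEmail with unvalidated input.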

Note

ASP.NET supports validation at the client as well as at the server. Checking input at the client provides no security, because an attacker can bypass the script entirely by sending the request directly, but it can help reduce annoying, slow round trips to the server when a user makes a simple mistake. The server-side check is the one that counts.



Writing Secure Code, Second Edition
ISBN: 0735617228
Year: 2005
Pages: 153
