Validation is a fundamental part of any web application for one simple reason. Validation itself is based on one of the foundational laws of the universe for developers, and that is: users make mistakes. Now we've all done this, we type the wrong things into text boxes because users don't read what's on the screen, users make assumptions, users are stressed, they're trying to do 46 things at once, there's all kinds of reasons. And then there's also the very disturbing fact of life that Validation is based on, and that is some users out there intentionally, quote, make mistakes. Now what they're trying to do is to put the wrong information in to see how the program reacts and then exploit that to attack us in some way. We'll talk more about that in just a minute here. So the bottom line is, if you allow users to input data, you need to validate any data, especially that stuff that they freely can type in, before it enters your program. Now what that means is, obviously they've got to type into the text box and click on a button, but before that data goes anywhere and gets used anywhere in your code, you need to validate it for a number of different things. So let's take a look at what those are.

First of all, there's some common input errors that happen that you need to be checking for. Leaving important fields blank, we've all done this, you're in a hurry, you forget to put in your zip code or your phone number or something like that, and so we don't want to get incomplete information from our users, because most of the time, what we're collecting from our users is going into a database and the data loses its meaning if some of the important fields are not there.

Now also this thing that users will do, we've all done this before, and that is inputting dummy data to avoid providing information. In other words, we want to download some trial software but we just want to check it, we're not sure whether we're going to like it or not. Last thing I want to do is give them an email address and start getting pounded with, hey buy our stuff, buy our stuff, buy our stuff. So I just put some gibberish in the text box where it asks for the email. Well if there's a savvy web developer out there running the site, then they're going to check and validate that and if it's not structured like a valid email, they're going to say, ah that doesn't look right, go back and check that. On the far side, they could check to make sure it is a working email and see if it can be resolved, but that doesn't happen a lot because it's time consuming and resource consuming. But anyway we want to make sure that we're getting real data.

The next thing is entering numbers in a text only field. This happens all the time, users get in a hurry, they assume that things are taking certain data and so we get, instead of the State, we get numbers, or instead of a last name, we get a zip code. Then the reverse of that, entering text in a number field. We've asked them for a zip code and we get a last name, that's not going to work well in our database.

Then entering too few or too many characters. Now this one could indicate that someone's trying to hack your site, do an injection attack of some kind, or they're trying to pass some programming code in. Let's say I've asked for 5 characters, first 5 characters of a last name or something, and I get 40 characters put in here. Well a savvy Transact-SQL programmer that's trying to hack into me could be injecting some SQL code in here to see if it will make it to my database. So this is something we want to watch for. If someone's putting too many or too few characters, we want to know it, so one of the most fundamental things you can do for Validation is, where it's possible, limit the number of characters that can be put in. For example, the State field, everybody's going to use 2 state abbreviations, at least here in the United States. I don't know how it's working in your country, but there's some sort of standard usually. Well here in the States, if I ask for State information, I'm not going to accept any more than 2 characters in that field, so that's one way.

The next thing is, users will inadvertently enter data outside of a useful or relevant range. Let's say we've built a little site for some company that's going to test for some drug interaction or something like that and they're looking for people between 18 and 40. Well someone inputs 93, well they probably were trying to put in 39 but they transposed the numbers. But we want to check and make sure that all of our ages are within that range and if they're not, let's don't even send it to the server, let's check it on the Client Side and say oh wait a minute, it appears you're outside the age range, and of course then the user's going to say, oh wait a minute, should have been 39 not 93. So that's a good example of using a Range Validation.

Now here's the scary one, when someone is trying to intentionally enter incorrect data, they will put the wrong thing in the field and click Send or Enter or whatever we've got for them there, and they want to see how the program is going to react. Now there's a lot of things that can go wrong here. Number 1, the program could just accept the data, now we've got really bad data going into our database, or in a variable, wreaking havoc in other places in our program. Well usually, what they're trying to do is cause the program to break and display an error message. A lot of these error messages will show you the database that the error happened in, the table name, the column name, the name of the user who was trying to execute it, and so you can start to collect a lot of information to help you understand how to attack this site. You get information that you can use in a Social Attack on the site and so there's a lot of things that can happen here. You can also inject code to see if it will actually run and do damage to the database or report back information on the database to you.

So Validation, as you can tell, is very important. ASP.NET has some really cool things for Validation, we're going to take a quick look at them in this course, because Validation should be part of your design effort and you will no doubt see questions on the exam that are going to, if not directly address Validation, you'll have to have an understanding of Validation to know which answer to take. So we will delve into Validation in two or three videos here to get you up to speed on that.
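
The checks listed in the transcript (blank fields, dummy email, wrong character type, wrong length, out-of-range age) expressed with the built-in ASP.NET Web Forms validator controls, as an added example that is not part of the original course material. It assumes a single-file ASP.NET 4 Web Forms page; the form fields, control IDs and messages are made up for illustration.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // The validators run again on the server during postback. A request sent
    // without a browser skips the client-side script, so Page.IsValid is the
    // check that actually protects the code below.
    protected void Send_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;   // Summary lists the errors; nothing is used.
        Result.Text = "Thank you, your details were accepted.";
    }
</script>
<html><body>
<form id="SignupForm" runat="server">
  <asp:ValidationSummary ID="Summary" runat="server" />

  Email: <asp:TextBox ID="EmailBox" runat="server" MaxLength="254" />
  <%-- Blank field: the other validators pass on empty input, so each field
       also needs a RequiredFieldValidator. --%>
  <asp:RequiredFieldValidator ID="EmailRequired" runat="server" Text="*"
      ControlToValidate="EmailBox" ErrorMessage="Email is required." />
  <%-- Dummy data: the value must at least be structured like an address. --%>
  <asp:RegularExpressionValidator ID="EmailShape" runat="server" Text="*"
      ControlToValidate="EmailBox" ValidationExpression="^[^@\s]+@[^@\s]+\.[^@\s]+$"
      ErrorMessage="Email does not look like a valid address." />

  State: <asp:TextBox ID="StateBox" runat="server" MaxLength="2" />
  <asp:RequiredFieldValidator ID="StateRequired" runat="server" Text="*"
      ControlToValidate="StateBox" ErrorMessage="State is required." />
  <%-- Letters only, exactly two. MaxLength is only a browser hint; this
       expression is what enforces the length on the server. --%>
  <asp:RegularExpressionValidator ID="StateShape" runat="server" Text="*"
      ControlToValidate="StateBox" ValidationExpression="^[A-Za-z]{2}$"
      ErrorMessage="State must be a two-letter abbreviation." />

  Age: <asp:TextBox ID="AgeBox" runat="server" MaxLength="3" />
  <asp:RequiredFieldValidator ID="AgeRequired" runat="server" Text="*"
      ControlToValidate="AgeBox" ErrorMessage="Age is required." />
  <%-- Whole numbers only and inside the study's range, so 93 is rejected. --%>
  <asp:RangeValidator ID="AgeRange" runat="server" Text="*"
      ControlToValidate="AgeBox" Type="Integer" MinimumValue="18" MaximumValue="40"
      ErrorMessage="Age must be between 18 and 40." />

  <asp:Button ID="SendButton" runat="server" Text="Send" OnClick="Send_Click" />
  <asp:Label ID="Result" runat="server" />
</form>
</body></html>
```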
| Course: | Designing and Developing ASP.NET 4 Web Apps (Exam 70-519) |
| Author: | Mark Long |
| SKU: | 34292 |
| ISBN: | 978-1-61866-029-9 |
| Release Date: | 2011-12-31 |
| Duration: | 8.5 hrs / 108 lessons |
| Work Files: | Yes |
| Captions: | No |
| Compatibility: | Vista/XP/2000, OS X, Linux QuickTime 7, Flash 8 |