Validation is a fundamental part of any web application for one simple reason: it is based on one of the foundational laws of the universe for developers, and that is that users make mistakes. We've all done this. We type the wrong things into text boxes because users don't read what's on the screen, users make assumptions, users are stressed, they're trying to do 46 things at once; there are all kinds of reasons. And then there's the very disturbing fact of life that validation is also based on, and that is that some users out there intentionally, quote, "make mistakes." What they're trying to do is put the wrong information in to see how the program reacts and then exploit that to attack us in some way. We'll talk more about that in just a minute.

So the bottom line is, if you allow users to input data, you need to validate that data, especially anything they can freely type in, before it enters your program. Obviously they've got to type into the text box and click on a button, but before that data goes anywhere and gets used anywhere in your code, you need to validate it for a number of different things. So let's take a look at what those are.

First of all, there are some common input errors that you need to be checking for. The first is leaving important fields blank. We've all done this: you're in a hurry, you forget to put in your zip code or your phone number or something like that. We don't want to get incomplete information from our users, because most of the time what we're collecting from them is going into a database, and the data loses its meaning if some of the important fields are not there.

Then there's something else users will do, and we've all done this before: inputting dummy data to avoid providing information. In other words, we want to download some trial software, but we just want to check it out; we're not sure whether we're going to like it or not. The last thing I want to do is give them an email address and start getting pounded with "hey, buy our stuff, buy our stuff, buy our stuff." So I just put some gibberish in the text box where it asks for the email. Well, if there's a savvy web developer out there running the site, they're going to check and validate that, and if it's not structured like a valid email, they're going to say, "That doesn't look right, go back and check that." At the far end, they could check to make sure it is a working email and see if it can be resolved, but that doesn't happen a lot because it's time consuming and resource consuming. But anyway, we want to make sure that we're getting real data.

The next thing is entering numbers in a text-only field. This happens all the time. Users get in a hurry, they assume that fields are taking certain data, and so instead of the State we get numbers, or instead of a last name we get a zip code. Then there's the reverse of that, entering text in a number field. We've asked them for a zip code and we get a last name; that's not going to work well in our database.

Then there's entering too few or too many characters. Now this one could indicate that someone's trying to hack your site, do an injection attack of some kind, or pass some programming code in. Let's say I've asked for 5 characters, the first 5 characters of a last name or something, and I get 40 characters put in here. Well, a savvy Transact-SQL programmer who's trying to hack into me could be injecting some SQL code in here to see if it will make it to my database. So this is something we want to watch for. If someone's putting in too many or too few characters, we want to know it, so one of the most fundamental things you can do for validation is, where it's possible, limit the number of characters that can be put in. For example, the State field: everybody's going to use 2-character state abbreviations, at least here in the United States. I don't know how it works in your country, but there's usually some sort of standard. Here in the States, if I ask for State information, I'm not going to accept any more than 2 characters in that field, so that's one way.

The next thing is, users will inadvertently enter data outside of a useful or relevant range. Let's say we've built a little site for some company that's going to test for some drug interaction or something like that, and they're looking for people between 18 and 40. Well, someone inputs 93; they were probably trying to put in 39 but they transposed the numbers. We want to check and make sure that all of our ages are within that range, and if they're not, let's not even send it to the server. Let's check it on the client side and say, "Wait a minute, it appears you're outside the age range," and of course then the user's going to say, "Oh, wait a minute, that should have been 39, not 93." So that's a good example of using a range validation.

Now here's the scary one. When someone is intentionally trying to enter incorrect data, they will put the wrong thing in the field and click Send or Enter or whatever we've got for them there, and they want to see how the program is going to react. There are a lot of things that can go wrong here. Number 1, the program could just accept the data, and now we've got really bad data going into our database, or into a variable, wreaking havoc in other places in our program. Usually, though, what they're trying to do is cause the program to break and display an error message. A lot of these error messages will show the database that the error happened in, the table name, the column name, and the name of the user who was trying to execute the statement, so an attacker can start to collect a lot of information that helps them understand how to attack the site. They also get information that they can use in a social attack on the site, so there are a lot of things that can happen here. An attacker can also inject code to see if it will actually run and do damage to the database or report information about the database back to them.

So validation, as you can tell, is very important. ASP.NET has some really cool things for validation, and we're going to take a quick look at them in this course, because validation should be part of your design effort. You will no doubt see questions on the exam that, if they don't directly address validation, will require an understanding of validation to know which answer to pick. So we will delve into validation in two or three videos here to get you up to speed on that.
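The checks listed in this lesson, written as one server-side C# routine (an added example, not code from the course; the `SignupValidator` class, the field names and the limits are assumptions taken from the lesson's own illustrations). It runs on the server because a check done only in the browser can be skipped by anyone who sends the request directly.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.RegularExpressions;

public static class SignupValidator   // hypothetical name, not an ASP.NET type
{
    // Allow-list patterns. \z (not $) so a trailing newline cannot slip past the anchor.
    static readonly Regex Email = new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+\z");
    static readonly Regex State = new Regex(@"^[A-Za-z]{2}\z");
    static readonly Regex Zip   = new Regex(@"^[0-9]{5}\z");

    // Returns user-facing messages only: no echoed input, no database or code details.
    public static List<string> Validate(IDictionary<string, string> form)
    {
        var errors = new List<string>();
        Check(form, "email", 254, v => Email.IsMatch(v), errors);  // structured like an email
        Check(form, "state", 2, v => State.IsMatch(v), errors);    // text only, 2 characters
        Check(form, "zip", 5, v => Zip.IsMatch(v), errors);        // digits only, 5 characters
        Check(form, "age", 3, v =>                                 // whole number within 18..40
        {
            int n;
            return int.TryParse(v, NumberStyles.None, CultureInfo.InvariantCulture, out n)
                   && n >= 18 && n <= 40;
        }, errors);
        return errors;
    }

    static void Check(IDictionary<string, string> form, string field, int maxLen,
                      Func<string, bool> rule, List<string> errors)
    {
        string value;
        form.TryGetValue(field, out value);
        value = (value ?? "").Trim();
        if (value.Length == 0) errors.Add(field + " is required.");          // blank field
        else if (value.Length > maxLen) errors.Add(field + " is too long."); // length cap first
        else if (!rule(value)) errors.Add(field + " is not valid.");         // type, format, range
    }

    public static void Main()
    {
        // Constructed sample input: gibberish email, oversized state, text in the ZIP, transposed age.
        var form = new Dictionary<string, string> {
            { "email", "asdf" }, { "state", "Virginia, United States of America" },
            { "zip", "Smith" }, { "age", "93" } };
        foreach (var e in Validate(form)) Console.WriteLine(e);
    }
}
```

Validation of this kind narrows what reaches the database but does not replace parameterized queries, and the generic messages are deliberate: the detailed exception belongs in a server log, not in the response.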
Course: Designing and Developing ASP.NET 4 Web Apps (Exam 70-519)
Duration: 8.5 hrs / 108 lessons