Validating server side with asp.net and c#
Question
Currently I have a website with a simple signup form in html, this is the code:
<div class="grid_6 push_3 block alpha">
<div class="grid_6 form_block alpha omega">
<label>שם משתמש</label>
</div>
<div class="grid_6 form_block alpha omega">
<input type="text" id="username" name="username" pattern="^\S{4,}$" required />
</div>
<div class="grid_6 alpha omega form_block">
<label>סיסמא</label>
</div>
<div class="grid_6 form_block alpha omega">
<input type="password" id="password" name="password" pattern="^\S{6,}$" required title="סיסמא צריכה להכיל לפחות 6 תווים" />
</div>
<div class="grid_6 alpha omega form_block">
<label>וודא סיסמא</label>
</div>
<div class="grid_6 form_block alpha omega">
<input type="password" id="password2" pattern="^\S{6,}$" required />
</div>
<div class="grid_6 alpha omega form_block">
<label>כתובת אימייל</label>
</div>
<div class="grid_6 form_block alpha omega">
<input id="email" name="email" type="email" required pattern="[^@]+@[^@]+\.[a-zA-Z]{2,6}" />
</div>
<div class="grid_6 alpha omega form_block">
<label>וודא כתובת אימייל</label>
</div>
<div class="grid_6 form_block alpha omega">
<input type="email" id="email2" required pattern="[^@]+@[^@]+\.[a-zA-Z]{2,6}" />
</div>
<div class="grid_6 form_block alpha omega">
<input name="submit" type="submit" onclick="return validateForm()" value="שלח" />
</div>
</div>
(Its actually being wrapped in tags from the master page, this is the master:
<%@ Master Language="C#" AutoEventWireup="true" CodeFile="MasterPage.master.cs" Inherits="MasterPage" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<link href="css/reset.css" rel="stylesheet" />
<link href="css/text.css" rel="stylesheet" />
<link href="css/963_9_10_10.css" rel="stylesheet" />
<link href="css/style.css" rel="stylesheet" />
<asp:ContentPlaceHolder ID="head" runat="server">
</asp:ContentPlaceHolder>
</head>
<body dir="rtl">
<form runat="server">
<div class="container_9">
<div class="header grid_9">
<a href="Default.aspx"><h1>סיכומים.נט</h1></a>
</div>
<!-- END HEADER -->
<nav>
<ul class="clearfix grid_6 push_3">
<a href="literature.aspx"> <li class="grid_1 alpha literature">ספרות</li></a>
<a href="language.aspx"> <li class="grid_1 language">לשון</li></a>
<a href="civics.aspx"><li class="grid_1 civics">אזרחות</li></a>
<a href="history.aspx"><li class="grid_1 history">היסטוריה</li></a>
<a href="bible.aspx"> <li class="grid_1 bible">תנך</li></a>
<a href="english.aspx"> <li class="grid_1 omega english">אנגלית</li></a>
</ul>
</nav>
<div class="grid_3 pull_6" id="search">
<input type="text" id="search_box" placeholder="הקלד מילות חיפוש"/>
<input type="submit" value="חפש" id="search_button"/>
</div>
<asp:ContentPlaceHolder ID="ContentPlaceHolder1" runat="server">
</asp:ContentPlaceHolder>
<footer class="grid_9">
2013 © כל הזכויות שמורות לסיכומים.נט
</footer>
</div>
<!-- END CONTAINER -->
</form>
</body>
</html>
I also have a signup.aspx.cs file that inserts the signup information into the database as follows:
public partial class signup : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (Request.Form["submit"] != null) {
register1();
}
}
public void register1()
{
string sql = "INSERT INTO [userinfo] ([username], [password], [email]) VALUES (N'" + Request.Form["username"] + "', N'" + Request.Form["password"] + "', N'" + Request.Form["email"] + "')";
Database.UpdateData(sql);
}
}
I think i'm doing everything right so far (I'm a beginner in anything beyond html/css) but correct me if I've made any errors.
What I want to do now is validate my form input server-side before I insert it into my database. I want to check that it obeys all my rules, char-lengths, matching fields and so forth - and also that the username/email isn't taken already.
I'm currently doing some basic javascript validation but I understand that isn't sufficient security wise.
an explanation (as simple as possible) as to what I have to go about doing now, would be great. Ideally i would like to return to the signup page and list the errors at the top of the form in a customizable way.
thanks
2 answers
solution1
3 ACCPTED 2013-05-21 16:16:16
The RegularExpressionValidator and CompareValidator are going to be your friends here.
For example:
<asp:RegularExpressionValidator id="valEmail" ControlToValidate="email"
ValidationExpression="[^@]+@[^@]+\.[a-zA-Z]{2,6}"
EnableClientScript="false" ErrorMessage="The email is invalid!"
runat="server" />
And:
<asp:CompareValidator id="valEmails"
ControlToValidate="email" ControlToCompare="email2" Type="String"
EnableClientScript="false" Text="The email addresses must match!"
runat="server" />
Optionally, you can wrap them all neatly in a ValidationSummary control.
Finally, check Page.IsValid in your codebehind.
protected void Page_Load(object sender, EventArgs e)
{
if (Request.Form["submit"] != null && Page.IsValid)
{
register1();
}
}
You can read about the other validation controls here .
Finally, fix your SQL so it's not vulnerable to SQL Injection:
string sql = "INSERT INTO [userinfo] ([username], [password], [email]) VALUES (N'" + Request.Form["username"].Replace("'","''") + "', N'" + Request.Form["password"].Replace("'","''") + "', N'" + Request.Form["email"].Replace("'","''") + "')";
solution2
1 2013-05-21 08:41:50
You may want to use Asp.net server validation controls and Validation Summary Control
By using this control you can be sure that all rules will be followed. You can check it server side by using
if(page.IsValid)
{
//Code goes here
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.