
Form validation client side and server side

Validation for an HTML form should be done on both sides, with regex on both sides as well.

Client side: display a message to the user without asking the server

Server side: confirm that everything is fine, and act as a safety check in case JS is disabled or someone tries to hack the form

My question is: I usually see some mistakes between server side regex and client side regex which are not the same.

I'm in C#. Do you think the regex should be in the backend, and the server should put its own regex on the client side (JS)?

I want to avoid this:

C# -> public const string AlphanumericField = @"[^A-Za-z0-9_]";
JS -> var alpahField = "[^A-Za-z_-]";

I want to avoid having two declarations for the same thing.

For regular expressions I always make use of the RegularExpressionValidator available in ASP.NET.

Check http://msdn.microsoft.com/en-us/library/eahwtc9e.aspx for more details about the regular expression validator.

If possible in your app, you could do an AJAX call for your client side validation, which would allow you to have that RegEx in one place, and easily testable. You may take a very minor performance hit going to the server every time you need to check this, but the maintainability is worth it in many cases.

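You can ask C# to declare this variable for JavaScript using RegisterClientScriptBlock:

    // Emit the server-side constant as a JavaScript variable so both sides share one pattern.
    // Plain concatenation is only safe while the pattern contains no quotes or backslashes.
    var cstext2 = new StringBuilder();
    cstext2.Append("<script type=\"text/javascript\">");
    cstext2.Append("var alpahField = \"" + AlphanumericField + "\";");
    cstext2.Append("</script>");
    RegisterClientScriptBlock(csname2, cstext2.ToString());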

You can use the exact same regex (as seen by the regex engine), on both the client and server side but you will need to declare them separately, because C# and JavaScript use different escaping schemes. Take for example a regex which validates a double quoted string which may contain any character escaped with a backslash. Here is the native regex needed:

Native regex:
^"[^"\\]*(\\.[^"\\]*)*"$

Javascript regex in regex literal:
/^"[^"\\]*(\\.[^"\\]*)*"$/

C# regex in verbatim literal string:
@"^""[^""\\]*(\\.[^""\\]*)*""$"

With Javascript literal syntax, the only metacharacter (which needs to be escaped) is the forward slash. With a regex stored in a C# verbatim literal string, the only metacharacter is the double quote which is "escaped" by placing two double quotes in a row.

The RegexBuddy Solution

One good way to accomplish your goal (to maintain only one master regex for each validation rule) is to build all your native regexes using RegexBuddy (RB). You can store all your fully tested and debugged validation regexes (along with appropriate test data for each regex) in a single RegexBuddy library file. Then simply use RB's built-in exporting feature to generate the (correctly escaped) C# and Javascript regex snippets for the code.

If you are serious about crafting accurate and efficient regexes, you should really be using this tool anyway - to test that each regex works correctly for all edge cases (both matching and non-matching).
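The escaping rules and the "one master regex plus test data" idea from the answer above can also be scripted without a dedicated tool. The following is an added example, not code from any of the answers; the rule name `quotedString`, the helper names and the accept/reject vectors are constructed for illustration.

```javascript
// One master table: native regex plus test vectors (all values constructed).
const RULES = {
  quotedString: {
    native: String.raw`^"[^"\\]*(\\.[^"\\]*)*"$`,
    accept: ['""', '"abc"', String.raw`"a\"b"`, String.raw`"a\\"`],
    reject: ['abc', '"abc', String.raw`"a\"`, '"a"b"'],
  },
};

// JavaScript regex literal: the only extra metacharacter is the forward slash.
function toJsLiteral(native) {
  let out = '';
  for (let i = 0; i < native.length; i++) {
    const ch = native[i];
    if (ch === '\\' && i + 1 < native.length) {
      out += ch + native[++i];      // copy an existing escape pair untouched
    } else if (ch === '/') {
      out += '\\/';                 // bare slash would end the literal
    } else {
      out += ch;
    }
  }
  return '/' + out + '/';
}

// C# verbatim string: the only metacharacter is the double quote, which is doubled.
function toCSharpVerbatim(native) {
  return '@"' + native.replace(/"/g, '""') + '"';
}

// Run the shared vectors through the JavaScript engine.
function selfCheck(rule) {
  const re = new RegExp(rule.native);
  return rule.accept.every((s) => re.test(s)) &&
         rule.reject.every((s) => !re.test(s));
}

for (const [name, rule] of Object.entries(RULES)) {
  if (!selfCheck(rule)) throw new Error('test vectors failed for ' + name);
  console.log(name, 'JS:', toJsLiteral(rule.native));
  console.log(name, 'C#:', toCSharpVerbatim(rule.native));
}
```

Identical source does not guarantee identical behaviour: in .NET `$` also matches just before a trailing newline, while in JavaScript (without the `m` flag) it matches only at the very end. Run the same accept/reject vectors in a C# unit test as well, and treat the server result as the authoritative one.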
