All Input Data Is Evil—So Make Sure You Handle It Correctly and with Due Care : Page 5

Neglecting to check all application input to ensure it contains only valid content is simply asking for trouble.

What About ASP.NET AJAX?
To make sure that input is always of the expected type, validators are definitely helpful, but they should not be the only tool you use. By design, a validator just "validates" a value, meaning that it returns a Boolean answer indicating whether the value conforms to the rules you set. An error message appears in the page to explain what is wrong. In a fair number of cases, you could perform the checks on the client without refreshing the page. As mentioned, though, client-side validation represents a potential risk because an attacker might be able to request the page with JavaScript disabled, thus bypassing all controls. To be effective, validation must be done on the server and only optionally on the client.

To validate on the server, though, you need to post back the page. Refreshing real-world pages may be problematic from a user perspective due to possible flickering and latency. ASP.NET AJAX and out-of-band, lightweight postbacks may offer the best of both worlds—server-side validation and easy postbacks.

The simplest way to add AJAX capabilities to validators is wrapping the form in an UpdatePanel control. For example, the fragment of a page in Listing 1 needs only the following changes to be AJAX-ified:

    <asp:ScriptManager runat="server" ID="ScriptManager1" />
    <asp:UpdatePanel runat="server" ID="UpdatePanel1">
        <ContentTemplate>
            <table>
                :
            </table>
        </ContentTemplate>
    </asp:UpdatePanel>

The UpdatePanel control is installed as part of the ASP.NET AJAX Extensions framework. It wraps any block of traditional ASP.NET 2.0 markup and makes sure that any postback that originates from that markup is handled out-of-band and without fully refreshing the page. Only the wrapped markup is refreshed over the postback; everything else in the page is left intact. From where does the postback originate?

UpdatePanel intercepts any classic postbacks that originate from any of the contained controls or from controls designated as triggers. To illustrate, consider the link button that submits the contents of the form in Listing 1. You can choose to put it inside or outside the updatable panel. If included in the panel, each click on the button is captured and served with an AJAX-style postback. If not included, a click on the button originates a traditional postback with a full page refresh. However, you can either declaratively or programmatically choose to define the button as a trigger for the updatable panel. In this case, whenever a user clicks the button the panel is updated, even if the button is placed outside the panel:

    <asp:ScriptManager runat="server" ID="ScriptManager1" />
    <asp:UpdatePanel runat="server" ID="UpdatePanel1">
        <ContentTemplate>
            <table>
                :
            </table>
        </ContentTemplate>
        <Triggers>
            <asp:AsyncPostBackTrigger ControlID="LinkButton1" EventName="Click" />
        </Triggers>
    </asp:UpdatePanel>

Wrapped up in this way, a page can perform server-side validation without fully refreshing the page, which results in a significantly better user experience. Also, in this way the observable behavior of the page is the same whether you enable client validation or not.

Validate Thoroughly
Input data is a serious matter for all applications, and for Web applications in particular. Most of the issues would be solved if you could ensure that the data you receive is strongly typed and its contents verified character by character. On the Web, most of the input arrives as a plain string. Mapping the string to the right type and stripping off undesired characters is up to you. ASP.NET validators do help, but they mostly provide a first barrier against patently wrong data. More is needed, and it must be designed from the perspective of the application. For this reason, a validation layer that serves the business logic layer strongly typed (and clean) data is essential for any serious application.
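As an added example (not code from the article or from the author), here is a hypothetical code-behind for the form of Listing 1 that ties the two points together: the Click handler of LinkButton1, the AsyncPostBackTrigger of UpdatePanel1, re-runs the validators on the server and then hands the raw strings to a small validation layer that returns strongly typed, character-checked values. Control names (txtName, txtQuantity, lblError), the ContactForm class and the Orders.Place call are assumed.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web.UI;

// Hypothetical code-behind for the form of Listing 1; control names are assumed.
public partial class ContactForm : Page
{
    // Click handler for LinkButton1, the AsyncPostBackTrigger of UpdatePanel1.
    // It runs on the server for every postback, out-of-band or not, so it
    // still executes when a client has JavaScript (and client validation) disabled.
    protected void LinkButton1_Click(object sender, EventArgs e)
    {
        Page.Validate();                 // re-run every validator on the server
        if (!Page.IsValid) return;       // validators already show their error text in the panel

        // A validator only answers yes/no; the validation layer turns the raw
        // strings into strongly typed, cleaned values for the business layer.
        string name;
        int quantity;
        if (!InputValidation.TryParseName(txtName.Text, out name) ||
            !InputValidation.TryParseQuantity(txtQuantity.Text, out quantity))
        {
            lblError.Text = "Please correct the highlighted fields."; // assumed Label in the panel
            return;
        }

        Orders.Place(name, quantity);    // assumed business-logic entry point
    }
}

// Validation layer: character-level whitelisting plus conversion to the expected type.
public static class InputValidation
{
    // Only letters, spaces, apostrophes and hyphens, 1 to 50 characters.
    private static readonly Regex NamePattern = new Regex(@"^[\p{L}' -]{1,50}$");

    public static bool TryParseName(string raw, out string clean)
    {
        clean = (raw ?? string.Empty).Trim();
        return NamePattern.IsMatch(clean);
    }

    public static bool TryParseQuantity(string raw, out int value)
    {
        // NumberStyles.None accepts plain decimal digits only; then enforce the business range.
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out value)
               && value >= 1 && value <= 100;
    }
}
```

Because the handler checks Page.IsValid before touching the typed values, the observable behavior is identical whether or not the client-side script ran, which is exactly what the UpdatePanel wrapping above preserves.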

The theme of validating input data is cross-platform and cross-version. However, the advent of ASP.NET AJAX helps make the user interface a bit more responsive and quicker to signal any incongruous data to the end user. Aside from this, all input is evil. It's up to you, the developer, to demonstrate the opposite.

Dino Esposito is a mentor at Solid Quality Mentors where he manages the ASP.NET, workflow, and AJAX courseware. A speaker at many industry events including Microsoft TechEd, Basta, DevWeek, and DevConnections, Dino is the author of two volumes of Programming Microsoft ASP.NET 2.0 Applications, for Microsoft Press. You can find late breaking news at http://weblogs.asp.net/despos.