Do I have to call Page.Validate on server side for val controls?

TS

If I have a required field validator for instance, does it require any
server side code to make it validate on server?
I'm not sure if this is called by default, or if I need to call this on my
page, and wrap all my code within this if block.
 
bruce barker

no. server validation is run when you call Page.IsValid

-- bruce (sqlwork.com)
 
TS

so I have to query page.isvalid on every posted back page, and only process
the page if this test succeeds
 
Steven Cheng[MSFT]

Hi TS,

As Bruce has mentioned, ASP.NET will call the validation of all the
validation controls (if enabled) on the page before the page's postback
event handler is executed. So if you want to execute certain operations
only when the page is validated, you can add the following code in your
event handler:
    private void btnSubmit_Click(object sender, System.EventArgs e)
    {
        if (Page.IsValid)
        {
            //... your code
        }
    }

# Notice that you should not call the "Page.IsValid" property before a
server control's postback event handler (such as in Page_Load or Page_Init),
because the page's server-side validation hasn't been completed at that
time. If you try accessing the IsValid property in those events, you'll get
exceptions.

In addition, the validator controls by default have
"EnableClientScript=true", which means the page needs to be validated on the
client side before it is posted back. If not valid, it won't be posted back.
So I think you can also use the client-side validation to ensure that when a
page is posted back, it has been valid.

And here are two good tech articles with a detailed description of the
ASP.NET validator controls' mechanism and usage:

# ASP.NET Validation in Depth
http://msdn.microsoft.com/library/en-us/dnaspp/html/aspplusvalid.asp?frame=true#aspplusvalid_serverside

# Validating ASP.NET Server Controls
http://msdn.microsoft.com/library/en-us/dnaspp/html/aspnet-validateaspnetservercontrols.asp?frame=true

Hope they are also helpful.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 
TS

In the examples, the only time there is a call to page.IsValid is in the
customValidator examples. So to make this crystal clear, if someone bypasses
my form or has JS disabled, and enters invalid data, if I don't call
page.isvalid, and just process the page normally, the page will still process?

If this is so, then don't you agree that to be secure and to catch any
possible exceptions that may occur when using bad data, you should always
make a call to page.IsValid before you do anything with the data that was
entered, such as stick in a db?
 
Steven Cheng[MSFT]

Hi TS,

Thanks for your follow-up. Yes, the user may disable client-side
script to bypass the client validation. Thus, we may need to call the
Page's "Page.Validate()" function to instruct all the validator controls
to work, and then in the postback event
check Page.IsValid to ensure the page is valid or not. So the user is
able to bypass the client script validation but not able to hack the
server-side operations if we add the validation check. Do you think so?

Regards,

Steven Cheng
Microsoft Online Support

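As an added illustration of the pattern discussed in this thread (not code from any of the posters): a Web Forms code-behind in which one button keeps the default CausesValidation and another turns it off, so Page.Validate() has to be called by hand before IsValid is read. The control names, markup, connection string and table are assumptions made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup (constructed for this example):
//   <asp:TextBox id="txtEmail" runat="server" />
//   <asp:RequiredFieldValidator id="reqEmail" runat="server"
//        ControlToValidate="txtEmail" ErrorMessage="Email is required" />
//   <asp:Button id="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
//   <asp:Button id="btnImport" runat="server" Text="Import"
//        CausesValidation="false" OnClick="btnImport_Click" />
public class SignupPage : Page
{
    protected TextBox txtEmail;

    // CausesValidation defaults to true, so the validators have already run on
    // the server when this handler executes. The handler is still invoked when
    // they failed; the IsValid check is what stops the bad input being processed.
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;   // validators render their own error messages
        SaveEmail(txtEmail.Text.Trim());
    }

    // CausesValidation="false": no validator has run for this postback and
    // reading IsValid would throw, so run the validators explicitly first.
    protected void btnImport_Click(object sender, EventArgs e)
    {
        Page.Validate();
        if (!Page.IsValid) return;
        SaveEmail(txtEmail.Text.Trim());
    }

    private void SaveEmail(string email)
    {
        // Hypothetical connection string and table; the value is bound as a parameter.
        using (SqlConnection conn = new SqlConnection("Server=.;Database=ExampleDb;Integrated Security=true"))
        using (SqlCommand cmd = new SqlCommand("INSERT INTO Signups (Email) VALUES (@email)", conn))
        {
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```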
 
