ASP Validation on Form

[rogerood]

Hi, I've been using client side validation (javascript) on all my forms but realized you can bypass it simply by turning off javascript in the browser. I was wondering what alternatives their are to this. I know of course I could do the server side validation but this is fiddly and not too user friendly. Is there something you could possibly do with the runat="server" attribute (note i don't know what this does but read something about it).

Appreciate any help. Cheers

 

[damber]

rogerood,

The best practice for validation is to do it twice, once at the client and once at the server.

Why? - because the clientside script makes it user friendly for users that javascript (vast majority) so without navigating away from the page you can tell them the things to change/fix. The server side is to ensure security - although some people (very small minority) don't have javscript enabled, they are not the norm - you need to be more concerned about security violation attempts - where a user doesn't even need to use your page to submit the form, they can do it from the command line using something like telnet or netcat - therefore this server side step is necessary to ensure the security of your sites features - it also has the bonus of catching all the non-javascript users too.

<script runat="server"> means exactly that - it will run the script at the server BEFORE sending the response to the client, similar to <% %> tags.

The only way you can do this without leaving the page to do the validation is to use AJAX... BUT this requires you to manage the POST in a special way - first you post using AJAX and validate at the server - if it is validated OK then commit the transaction on the server and respond back to the client that it was succesful - the client can then redirect to a success page. If the validation fails at the server then it the AJAX response would include the list of fields etc that were in error - or a error message etc - the client side script would alert the user to the fields/errors that need resolving and so on. This is really doing the first option, just not leaving the original page (and not POSTing the form in the normal way -actually, not at all.)

If you're not sure what AJAX is, or how it works in detail (especially how to ensure it is used securely) then just use the first method which will do a full page request as normal.

Hope that helps,

A smile is worth a thousand kind words. So smile, it's easy!

 

[DotNetGnat]

Good Post Damber...
i prefer
[red]client-side Javascript to communicate with the server via XMLHttpRequest[/red]

-DNG

 

[damber]

Cheers DNG,

I must admit I use AJAX/XMLHTTP a fair bit myself, because it can reduce load, reduce latency and improve usability - as well as making apps look pretty slick. It's not ideal for all situations, and can have a steep learning curve if the concept / technologies are not familiar, but quite a compelling approach.



A smile is worth a thousand kind words. So smile, it's easy!

 

[DotNetGnat]

yeah pretty slick and very "attractive"

but would be a steep learning curve for the newbie's...

I like the below two websites...

http://www.clearnova.com/ajax/

http://www.fiftyfoureleven.com/resources/programming/xmlhttprequest/examples

oh BTW Damber...your posts recently are very informative...theniteowl is also posting some good...and how can i forget Sheco...great going guys...

-DNG

 

[Sheco]

Of course if javascript is turned off in the browser then there goes your AJAX...

 

[damber]

To cater for the uber paranoid, or those without a real browser:

<script type="text/javascript">
<!--<[CDATA[
document.write("<form id=""xyz"" method=""POST"" action=""ajaxpost.asp"" onsubmit=""return postAJAX();"">");
//]]>-->
</script>

<noscript>
<form id="xyz" method="POST" action="normalpost.asp">
</noscript>

or something along those lines..

A smile is worth a thousand kind words. So smile, it's easy!