Putting a validator control in the .aspx markup, such as the following, does not by itself stop the server from processing invalid input:
<asp:TextBox ID="TextBox1" runat="server" />
<%-- The expression is matched against the whole value, so [0-9] accepts exactly one digit;
     an empty value passes unless a RequiredFieldValidator is also attached to TextBox1 --%>
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server"
    ErrorMessage="Bad input" ControlToValidate="TextBox1"
    ValidationExpression="[0-9]" Display="Dynamic" />
The code-behind handler for the button's Click event (the PostBack) must check the Page.IsValid property; otherwise the handler does its work whether or not the validators passed.
protected void Button1_Click(object sender, EventArgs e)
{
    // A button with CausesValidation="true" (the default) already runs
    // Page.Validate() before raising Click; the explicit call is harmless
    // and makes the dependency visible.
    Page.Validate();
    // Page.IsValid is the only thing gating the work below. A failing
    // validator sets IsValid = false and renders its ErrorMessage, but it
    // does not prevent this method from running.
    if (Page.IsValid)
    {
        Label1.Text = TextBox1.Text;
    }
}
This matters because without the IsValid check the validator's verdict is ignored on the server: the control still sets IsValid = false and renders its error message, but the click handler runs anyway, so the only validation that actually stops anything is the client-side JavaScript, and the client is under the attacker's control. To prove this to myself I did the following:
- Set up IE to go through my favorite proxy (Burp Suite).
- Run with the above code and, on the first response from the server, modify the JavaScript section to remove the client-side validation (just change the regex expression to .*).
- Submit the request with data that would have been invalid (the regex [0-9] should have accepted only numbers; to test it we put "abc"). You should get a nice validation error message. This means our form field validator was processed on the server end.
- Now repeat the above sequence but comment out the check on the IsValid property; you should find that your request goes through.
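The proxy walkthrough above, scripted without Burp, as an added example that is not the post's code: the script fetches the page, replays the postback with a value the client-side JavaScript would have refused (it never runs here), and reports two separate facts about the response, whether the validator fired on the server and whether Button1_Click still processed the input. The control names (TextBox1, Button1, Label1), the validator ID RegularExpressionValidator1, the default button text "Button", and the way ASP.NET hides a passing validator with display:none or visibility:hidden are assumptions; the sample HTML at the bottom is constructed, not captured from a real server.

```python
"""Replay an ASP.NET WebForms postback with input the client-side validator
would have blocked, then tell whether the server actually processed it.
Added example; not the original post's code."""
import html
import re
import urllib.parse
import urllib.request

# Assumed control names, taken from the markup in the post.
TEXTBOX_NAME = "TextBox1"
BUTTON_NAME = "Button1"
BUTTON_TEXT = "Button"                         # assumed: default Text of an asp:Button
LABEL_ID = "Label1"
VALIDATOR_ID = "RegularExpressionValidator1"   # assumed ID for the validator

# WebForms needs these hidden fields echoed back or the postback is rejected.
HIDDEN_FIELDS = ("__VIEWSTATE", "__VIEWSTATEGENERATOR", "__EVENTVALIDATION")


def extract_hidden_fields(page_html):
    """Collect the WebForms hidden fields from a GET of the page."""
    fields = {}
    for name in HIDDEN_FIELDS:
        m = re.search(r'<input[^>]*name="%s"[^>]*value="([^"]*)"' % name, page_html)
        if m:
            fields[name] = html.unescape(m.group(1))
    return fields


def build_postback(page_html, textbox_value):
    """The form a browser would submit on Button1, minus the JavaScript that
    would have refused textbox_value. Nothing validates on this path."""
    form = extract_hidden_fields(page_html)
    form[TEXTBOX_NAME] = textbox_value
    form[BUTTON_NAME] = BUTTON_TEXT    # submit-button name/value raises Button1_Click
    return form


def encode_form(form):
    """application/x-www-form-urlencoded body, as the browser would send it."""
    return urllib.parse.urlencode(form)


def analyze_response(response_html, submitted_value):
    """validator_fired: the validator span is rendered without a hiding style, so
    the server-side RegularExpressionValidator ran and failed (ASP.NET hides a
    passing validator with display:none / visibility:hidden; assumed rendering).
    input_processed: Label1 echoes the value, so Button1_Click did its work
    despite the failed validator."""
    m = re.search(r'<span id="[^"]*%s"([^>]*)>' % VALIDATOR_ID, response_html)
    validator_fired = bool(m) and ("display:none" not in m.group(1)
                                   and "visibility:hidden" not in m.group(1))
    m = re.search(r'<span id="[^"]*%s"[^>]*>(.*?)</span>' % LABEL_ID, response_html, re.S)
    input_processed = bool(m) and html.unescape(m.group(1)) == submitted_value
    return {"validator_fired": validator_fired, "input_processed": input_processed}


def probe(url, bad_value="abc"):
    """Live version: GET the page, replay the postback with bad_value, classify."""
    with urllib.request.urlopen(url) as r:
        page = r.read().decode("utf-8", "replace")
    body = encode_form(build_postback(page, bad_value)).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as r:
        return analyze_response(r.read().decode("utf-8", "replace"), bad_value)


# Constructed sample responses (not captured from a real server) showing the
# two outcomes described in the post.
SAMPLE_GET_PAGE = """<form method="post" action="./Default.aspx" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTIzNDU2Nzg5MGRk" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAAOKxyz" />
<input name="TextBox1" type="text" id="TextBox1" />
<span id="RegularExpressionValidator1" style="display:none;">Bad input</span>
<input type="submit" name="Button1" value="Button" id="Button1" />
<span id="Label1"></span>
</form>"""
# Handler guarded by Page.IsValid: validator shown, label untouched.
RESPONSE_WITH_ISVALID_CHECK = SAMPLE_GET_PAGE.replace(
    'style="display:none;"', 'style="color:Red;"').replace(
    'id="TextBox1" />', 'id="TextBox1" value="abc" />')
# Guard commented out: validator still shown, but Label1 echoes the bad value.
RESPONSE_WITHOUT_ISVALID_CHECK = RESPONSE_WITH_ISVALID_CHECK.replace(
    '<span id="Label1"></span>', '<span id="Label1">abc</span>')

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1
          else analyze_response(RESPONSE_WITHOUT_ISVALID_CHECK, "abc"))
```

Run it as `python probe.py http://host/Default.aspx` against a test instance of the page. The useful signal is the pair of flags, not the error message alone: the validator fires in both configurations, and only `input_processed` distinguishes a handler that honours Page.IsValid from one that does not.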