Input validation

shs · May 16th, 2004, 01:26 AM

I have problem with input validation on remote server.
here is my code:
---------------------------------------------------
<asp:textbox ID="first_name" runat="server" />
---------------------------------------------------
<asp:regularexpressionvalidator runat="server"
Display="None"
ControlToValidate="first_name"
ErrorMessage="Main contact: First name must be 1-15 characters of the alphabet."
ValidationExpression="[a-zA-Z '](1,15}" />
(I believe the validation expresstion says what values are allowed)
--------------------------------------------------
<asp:ValidationSummary id="ValidationSummary" runat="server"
EnableClientValidation="true"
ShowMessageBox="true"
ShowSummary="false" />
--------------------------------------------------
on my local computer, If I insert a value like <dsafdas> in the first name textbox, I get the error message defined in validation expression, but on the remote server, it directs me to another page which says for security reason they can not display the error message but... I guess the error message would be something like sql server has found these < > characters....
I don't think that I should do any extra validation for any characters since I have defined accaptable chars in validation expression...
any help?

Thanks

alyeng2000 · May 16th, 2004, 06:32 AM

to enable view for detail error on the remote side you have to adjust
Web.config file <customErrors /> as follows

<customErrors mode="off|on|remoteOnly" />

Ahmed Ali
Software Developer

bmains · May 16th, 2004, 10:01 AM

Hello,

It says for security reasons it can't show it because it thinks you're posting HTML, which may be malicious (like Javascript). If you want to post <>, you can do Server.HtmlEncode() so that the system will encode the values so that it can display in the browser, and evaluate it that way. Server.HtmlDecode will convert the code back into HTML (and possibly script). Or write javascript to check that at the client, and error there or strip the characters there.

Brian

melvik · May 16th, 2004, 10:25 AM

u just guess?! I suggest to make sure with using PROFILE!

Always:),
Hovik Melkomian.

shs · May 16th, 2004, 04:33 PM

Thanks everyone,
I guess I didn't explain myself well.
I do not want to insert any html ot script in this field. I like to validate 'any' input which anyone might insert and display the error message I have defined.
The remote server doesn't check the field for regular expression as it defined for these <> chars!...

bmains · May 16th, 2004, 08:01 PM

If you are validating on the server, the security error occurs as you are posting back. You don't get a chance to do any validation before this error occurs. Therefore, you need to encode the text, or test for these characters in JavaScript.

Brian

shs · May 17th, 2004, 02:27 AM

Thank you very much Brian and Ahmed Ali.

although I don't dare to touch that config file again...(had a problem with it last time)...I might give it a go....

thanks

stu9820 · May 17th, 2004, 07:36 AM

Follow this post, it might help:

http://p2p.wrox.com/topic.asp?TOPIC_ID=7348

bmains · May 17th, 2004, 11:21 AM

Stu,

By the way, to prevent against SQL injection attacks, you may want to not allow characters such as "--", "*", etc., because that may alter the SQL string that you are running against.

If you want to know more about it, here is an example from a web site. There is a link to the answers at the bottom of the page:

http://www.counterhack.net/when_trin...he_irs_d-.html

Brian

stu9820 · May 17th, 2004, 12:29 PM

Thanks for the link.