Wrox Programmer Forums
BOOK: Beginning ASP.NET 1.0
This is the forum to discuss the Wrox book Beginning ASP.NET 1.0 with C# by Chris Goode, John Kauffman, Christopher L. Miller, Neil Raybould, S. Srinivasa Sivakumar, Dave Sussman, Ollie Cornes, Rob Birdwell, Matt Butler, Gary Johnson, Ajoy Krishnamoorthy, Juan T. Llibre, Chris Ullman; ISBN: 9780764543708
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Beginning ASP.NET 1.0 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
  #1 (permalink)  
Old May 16th, 2004, 01:26 AM
shs shs is offline
Authorized User
 
Join Date: Mar 2004
Location: , , New Zealand.
Posts: 28
Thanks: 0
Thanked 0 Times in 0 Posts
Default Input validation

I have a problem with input validation on the remote server.
Here is my code:
---------------------------------------------------
<asp:textbox ID="first_name" runat="server" />
---------------------------------------------------
<asp:regularexpressionvalidator runat="server"
Display="None"
ControlToValidate="first_name"
ErrorMessage="Main contact: First name must be 1-15 characters of the alphabet."
ValidationExpression="[a-zA-Z ']{1,15}" />
(I believe the validation expression says what values are allowed)
--------------------------------------------------
<asp:ValidationSummary id="ValidationSummary" runat="server"
EnableClientValidation="true"
ShowMessageBox="true"
ShowSummary="false" />
--------------------------------------------------
On my local computer, if I insert a value like <dsafdas> in the first name textbox, I get the error message defined in the validation expression, but on the remote server, it directs me to another page which says that for security reasons they cannot display the error message but... I guess the error message would be something like SQL Server has found these < > characters....
I don't think that I should do any extra validation for any characters since I have defined acceptable chars in the validation expression...
Any help?

Thanks
  #2 (permalink)  
Old May 16th, 2004, 06:32 AM
Friend of Wrox
 
Join Date: Oct 2003
Location: Cairo, , Egypt.
Posts: 336
Thanks: 0
Thanked 0 Times in 0 Posts
Default

To enable viewing detailed errors on the remote side, you have to adjust
the Web.config file's <customErrors /> element as follows:

<customErrors mode="Off|On|RemoteOnly" />


Ahmed Ali
Software Developer
  #3 (permalink)  
Old May 16th, 2004, 10:01 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Harrisburg, PA, USA.
Posts: 1,998
Thanks: 0
Thanked 3 Times in 3 Posts
Default

Hello,

It says for security reasons it can't show it because it thinks you're posting HTML, which may be malicious (like JavaScript). If you want to post <>, you can do Server.HtmlEncode() so that the system will encode the values so that it can display in the browser, and evaluate it that way. Server.HtmlDecode will convert the code back into HTML (and possibly script). Or write JavaScript to check that at the client, and error there or strip the characters there.

Brian
  #4 (permalink)  
Old May 16th, 2004, 10:25 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: California, USA
Posts: 996
Thanks: 2
Thanked 11 Times in 11 Posts
Default

You just guess?! I suggest making sure by using PROFILE!

Always:),
Hovik Melkomian.
  #5 (permalink)  
Old May 16th, 2004, 04:33 PM
shs shs is offline
Authorized User
 
Join Date: Mar 2004
Location: , , New Zealand.
Posts: 28
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks everyone,
I guess I didn't explain myself well.
I do not want to insert any HTML or script in this field. I would like to validate 'any' input which anyone might insert and display the error message I have defined.
The remote server doesn't check the field against the regular expression as it is defined for these <> chars!...
  #6 (permalink)  
Old May 16th, 2004, 08:01 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: Harrisburg, PA, USA.
Posts: 1,998
Thanks: 0
Thanked 3 Times in 3 Posts
Default

If you are validating on the server, the security error occurs as you are posting back. You don't get a chance to do any validation before this error occurs. Therefore, you need to encode the text, or test for these characters in JavaScript.

Brian
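
Added example, not part of the original posts: one way to show your own message when the framework rejects a post before the page's validators run, as described in the reply above. It assumes ASP.NET 1.1 or later (where HttpRequestValidationException exists) and a Global.asax code-behind class named Global; the message text is the ErrorMessage from the validator earlier in the thread.

```csharp
// Global.asax.cs (added example; class name and message placement are assumptions)
using System;
using System.Web;

public class Global : HttpApplication
{
    // Runs for every unhandled exception, including the one request
    // validation throws before any validator control gets to run.
    protected void Application_Error(object sender, EventArgs e)
    {
        // Page-level exceptions usually arrive wrapped in HttpUnhandledException,
        // so walk the InnerException chain instead of testing only the top level.
        Exception ex = Server.GetLastError();
        while (ex != null && !(ex is HttpRequestValidationException))
        {
            ex = ex.InnerException;
        }

        if (ex == null)
        {
            return; // some other error: leave it to <customErrors>
        }

        // Request validation stays switched on; only the response changes.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";

        // Fixed text only. The rejected value is never echoed back, so the
        // error page cannot become a reflection point for markup.
        Response.Write("Main contact: First name must be 1-15 characters of the alphabet.");
    }
}
```

Because the handler does not depend on detailed errors, customErrors can stay at On or RemoteOnly on the remote server.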
  #7 (permalink)  
Old May 17th, 2004, 02:27 AM
shs shs is offline
Authorized User
 
Join Date: Mar 2004
Location: , , New Zealand.
Posts: 28
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thank you very much Brian and Ahmed Ali.

Although I don't dare to touch that config file again... (had a problem with it last time)... I might give it a go....

Thanks
  #8 (permalink)  
Old May 17th, 2004, 07:36 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: , , USA.
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
Default

Follow this post, it might help:

http://p2p.wrox.com/topic.asp?TOPIC_ID=7348


  #9 (permalink)  
Old May 17th, 2004, 11:21 AM
Friend of Wrox
 
Join Date: Jun 2003
Location: Harrisburg, PA, USA.
Posts: 1,998
Thanks: 0
Thanked 3 Times in 3 Posts
Default

Stu,

By the way, to protect against SQL injection attacks, you may want to not allow characters such as "--", "*", etc., because that may alter the SQL string that you are running against.

If you want to know more about it, here is an example from a web site. There is a link to the answers at the bottom of the page:

http://www.counterhack.net/when_trin...he_irs_d-.html

Brian
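
Added example, not part of the original posts: the first_name allow-list from earlier in the thread permits an apostrophe, so character filtering alone does not keep a value out of the SQL text, while a parameterized command does. The ContactStore class, the Contacts table, the FirstName column and the connection string are hypothetical.

```csharp
// Added example; ContactStore, Contacts and FirstName are hypothetical names.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public class ContactStore
{
    // Same character class and length as the page's validator. \A and \z pin the
    // match to the whole string; "$" would also accept a trailing newline.
    private static readonly Regex NameRule = new Regex(@"\A[a-zA-Z ']{1,15}\z");

    public static bool IsValidFirstName(string value)
    {
        return value != null && NameRule.IsMatch(value);
    }

    public static void SaveFirstName(string connectionString, string firstName)
    {
        // Repeat the check on the server: client-side script can be switched
        // off or bypassed, so it is a convenience and not a control.
        if (!IsValidFirstName(firstName))
        {
            throw new ArgumentException(
                "First name must be 1-15 letters, spaces or apostrophes.");
        }

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Contacts (FirstName) VALUES (@firstName)", conn))
        {
            // The value is sent as typed data, separate from the statement text,
            // so a legitimate name such as O'Brien is stored as-is and cannot
            // terminate the string literal or append SQL.
            cmd.Parameters.Add("@firstName", SqlDbType.NVarChar, 15).Value = firstName;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```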
  #10 (permalink)  
Old May 17th, 2004, 12:29 PM
Friend of Wrox
 
Join Date: Jun 2003
Location: , , USA.
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
Default

Thanks for the link.





Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.