Form Validation Techniques: Don Edlin, MRSC

This document discusses techniques for validating web forms to ensure security, data integrity, and usability. It recommends combining client-side validation using JavaScript with server-side validation for security. Client-side validation improves the user experience, while server-side validation is necessary to prevent attacks, as client-side scripts can be disabled. Regular expressions and limiting input lengths can help prevent SQL and cross-site scripting attacks. Both client-side and server-side validation should be used to validate forms on both the user interface and server.

Copyright
© Attribution Non-Commercial (BY-NC)

Form Validation Techniques

Don Edlin, MRSC

[email protected]

1
Why Validate?

- Usability
  - Frustrating for the user
- Data Integrity
  - Ensure you're getting data in the format you expect
- Security
  - Keeping your forms from being used against you or your users
  - Assume all input is evil

2
SQL Injection Attacks

- Not limited to SQL Server – Oracle, MySQL, DB2, Sybase, etc.
- It's suggested that you take a layered approach to preventing these attacks.
- Can be executed in form fields and in querystrings.
- First layer of protection:

Principle: Never trust user input
Implementation: Validate all textbox entries using validation controls, regular expressions, code, and so on

3
Cross Site Scripting Attack

- Cross-site scripting allows hackers to run malicious script in a client's Web browser
- Any Web page that renders dynamic HTML based on content that users submit is vulnerable
- That script can then be executed by the browser of an unsuspecting user. The browser has no way of knowing that the script shouldn't be executed.

4
Approaches to Form Validation

- Disallow incorrect input
  - You have to know what to disallow
  - May be other ways to represent certain characters.
- Allow a small number of required input characters
  - Requires more code, but allows for much tighter code
- (Either way or both ways - limit entry length)
  - Many injection attacks require a large number of characters

5
Where to Validate

- Server Side
  - CGI, ASP, .Net, Coldfusion, etc.
  - Pros
    - Ensures that every time the form is submitted, the validation will run.
    - Allows for validation against other server resources, such as a backend database and business rules.
  - Cons
    - Puts more load on the server.
    - Slower

6
Where to Validate

- Client Side
  - JavaScript
  - Pros
    - Processing is done on the client computer
    - Faster
  - Cons
    - Will not work if the user has it disabled
    - Not a solution for security.
    - Not a good solution for data integrity.

7
The Answer

- Most likely you will want a combination of client side and server side validation.*
- Consider JavaScript validation as adding usability, not providing security.
- Never use client side validation for security.
- Do include a maximum length on your input tags.
- Encode input from users and querystrings.

*Some validation will run on both the client and on the server. .Net validation controls, for example.

8
When Server Side is also Client Side

- Many server side controls will produce JavaScript for validation when the page is served.
- Asp.net form field with validation

<form runat="server">
Email:<asp:textbox id="txtEmail" size="20" runat="server"/><br>
<ASP:RequiredFieldValidator ControlToValidate="txtEmail" Display="Static"
ErrorMessage="*Email is a required field."
runat="server" />
</form>

- Resulting form on Page

<form name="_ctl0" method="post" action="name_email1.aspx"
language="javascript" onsubmit="ValidatorOnSubmit();" id="_ctl0">
<script language="javascript" type="text/javascript"
src="/aspnet_client/system_web/1_0_3705_6018/WebUIValidation.js"></script>

9
JavaScript for Usability

- What can you do with JavaScript?
  - Check required fields
  - Compare one input value against another.
  - Set a field based on user input.
  - Check substrings entered by the user.
  - Combine with Regular Expressions to perform more detailed string matching validation

10
JavaScript Zip Code Example

function validateZIP(field) {
  var valid = "0123456789-";   // allow-list of permitted characters
  var hyphencount = 0;
  var temp;                    // declared locally; the original leaked a global

  // Only the 5 digit (12345) and 5 digit+4 (12345-6789) forms are accepted
  if (field.length != 5 && field.length != 10) {
    alert("Please enter your 5 digit or 5 digit+4 zip code.");
    return false;
  }
  for (var i = 0; i < field.length; i++) {
    temp = "" + field.substring(i, i + 1);
    if (temp == "-") hyphencount++;
    // indexOf returns a number, so compare with -1 rather than the string "-1"
    if (valid.indexOf(temp) === -1) {
      alert("Invalid characters in your zip code. Please try again.");
      return false;
    }
    // At most one hyphen; in the 10 character form it must sit at position 5,
    // and a 5 character entry may not contain a hyphen at all
    if ((hyphencount > 1) ||
        ((field.length == 10) && field.charAt(5) != "-") ||
        ((field.length == 5) && hyphencount > 0)) {
      alert("The hyphen character should be used with a properly formatted 5 digit+four zip code, like '12345-6789'. Please try again.");
      return false;
    }
  }
  return true;
}
11
Regular Expressions

- A powerful tool used in pattern-matching and substitution
- Included in JavaScript 1.2

12
Some of The Special Characters

- Always begin and end with a slash.
  /regular expression is in here/
- \ Toggles between literal and special characters.
- $ - end of a string. \$ - ignore the special character and use the $.
- w – literal character. \w – matches any letter, number, or the underscore

13
Example

- Validate a zip code.
- Want to allow for 5 or 10 digit zip code.
- Make sure the "–" is in the correct position.
- Don't allow a "–" for 5 digit zip.

14
Regular Expression Code

// Anchored alternation: exactly 5 digits, or 5 digits, a hyphen and 4 digits
var re = /(^\d{5}$)|(^\d{5}-\d{4}$)/;

function validateZIP(field) {
  if (re.test(field)) {
    return true;
  }
  alert("Invalid Zip Code");
  return false;
}

15
Regular Expression Code

/(^\d{5}$)|(^\d{5}-\d{4}$)/
/ - start and end of regular expression
() - used for grouping
^ - start of string
\d – matches any digit 0 through 9
{5} – exactly 5 occurrences of the previous character ({5,} would mean at least 5)
$ - end of string
| - alternation - or

16
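As an added example (not from the slides), here is the server-side half of the combination recommended on slide 8, written in Node.js so the same rules run when the browser has scripting disabled: it takes the allow-list approach from slide 5 (a maximum length plus an anchored regular expression per field, reusing the zip pattern above) and adds the HTML encoding slide 8 asks for when values are echoed back. The field names, the length limits and the simple email pattern are assumptions.

```javascript
// Added example: server-side validation in Node.js that mirrors the
// client-side rules. Field names, limits and the email pattern are assumed.

// Allow-list rules: a maximum length and an anchored regular expression
// per field. The zip pattern is the one from the slides.
const RULES = {
  email: { maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  zip:   { maxLength: 10,  pattern: /(^\d{5}$)|(^\d{5}-\d{4}$)/ },
};

// Encode the characters that carry meaning in HTML text and attribute
// context, so a value echoed back into a page renders as text, not markup.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Validate a parsed form body (querystring or POST fields). Returns
// { ok, errors, values }; values holds only input that passed every rule.
function validateForm(body) {
  const errors = {};
  const values = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const raw = body[name];
    // Missing fields and non-strings (e.g. arrays from repeated keys) fail.
    if (typeof raw !== 'string' || raw.trim() === '') {
      errors[name] = 'required';
      continue;
    }
    const value = raw.trim();
    // Length first: a short limit leaves little room for injection payloads.
    if (value.length > rule.maxLength) {
      errors[name] = 'too long';
      continue;
    }
    if (!rule.pattern.test(value)) {
      errors[name] = 'invalid format';
      continue;
    }
    values[name] = value;
  }
  return { ok: Object.keys(errors).length === 0, errors, values };
}
// Constructed sample submission, as the server sees it after parsing.
console.log(validateForm({ email: 'a@example.com', zip: '12345-6789' }));
```

Because the regular expressions are anchored with ^ and $ and JavaScript has no multiline flag set here, trailing newlines or extra characters fail the format check rather than slipping past it.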
Conclusion

- Provide JavaScript client side validation for the primary purpose of usability and formatting.
- Perform server side validation for security purposes.
- Regular expressions can be used on client and server side to validate data and reduce coding.
- Test client side scripting, then turn off active scripting in your browser and test again.

17
Resources

Security
- http://www.owasp.org/index.jsp
- http://www.cgisecurity.com/articles/xss-faq.shtml#whatis
- http://www.technicalinfo.net/papers/CSS.html
- http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx

JavaScript and Regular Expressions
- http://javascript.internet.com/forms/
- http://www.webdevtips.com/webdevtips/js/validform/index.shtml
- http://www.webreference.com/js/column5/
- http://javascriptkit.com/javatutors/re.shtml

18
