
IP Final Review

The document discusses user input validation and state management in ASP.NET. It covers using validation controls to validate user input on both the client-side and server-side. It also discusses using the Page.IsValid property and ValidationSummary control to validate an entire page. The document then discusses state management, including server-side state using application and session variables, client-side state using cookies, and the Global.asax file for handling application and session events.

Uploaded by

Ali Alabid
Copyright
© Attribution Non-Commercial (BY-NC)

Validating User Input

Overview
• Overview of User Input Validation
• Using Validation Controls
• Page Validation
Lesson: Overview of User Input Validation

• What Is Input Validation?


• Client-Side and Server-Side Validation
• ASP.NET Validation Controls
What Is Input Validation?
• Verifies that a control value is correctly entered by the user
• Blocks the processing of a page until all controls are valid
• Avoids spoofing or the addition of malicious code
Client-Side and Server-Side Validation
• ASP.NET can create both client-side and server-side validation
• Client-side validation
– Dependent on browser version
– Instant feedback
– Reduces postback cycles
• Server-side validation
– Repeats all client-side validation
– Can validate against stored data
[Diagram: the user enters data; the client checks "Valid?" (No: error message; Yes: continue to the server); the server checks "Valid?" (No: error message; Yes: Web application processed)]
ASP.NET Validation Controls
ASP.NET provides validation controls to:
• Compare values
• Compare to a custom formula
• Compare to a range
• Compare to a regular expression pattern
• Require user input
• Summarize the validation controls on a page
Lesson: Using Validation Controls
• Adding Validation Controls to a Web Form
• Positioning Validation Controls on a Web Form
• Combining Validation Controls
• Input Validation Controls
Adding Validation Controls to a Web Form
1. Add a validation control
2. Select the input control to validate
3. Set validation properties

    <asp:TextBox id="txtName" runat="server" />

    <asp:Type_of_Validator
        id="Validator_id"
        runat="server"
        ControlToValidate="txtName"
        ErrorMessage="Message_for_error_summary"
        Display="static|dynamic|none"
        Text="Text_to_display_by_input_control">
    </asp:Type_of_Validator>
Positioning Validation Controls on a Web Form

• Create error messages
• Select display mode
– Static
– Dynamic
Combining Validation Controls
• Can have multiple validation controls on a single input control
• Only the RequiredFieldValidator checks empty controls
Input Validation Controls
• RequiredFieldValidator
– InitialValue
• CompareValidator
– ValueToCompare or ControlToCompare
– Type
– Operator
• RangeValidator
– MinimumValue
– MaximumValue
– Type
Lesson: Page Validation
• Using the Page.IsValid Property
• Using the ValidationSummary Control
• Demonstration: Using the Page.IsValid Property and the ValidationSummary Control
Using the Page.IsValid Property
Polls all validation controls

    private void cmdSubmit_Click(object s, System.EventArgs e)
    {
        if (Page.IsValid)
        {
            Message.Text = "Page is Valid!";
            // Perform database updates or other logic here
        }
    }
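
The slides state that server-side validation repeats all client-side validation and can validate against stored data. The code-behind below is an added example, not part of the original slides, showing a CustomValidator handler that does both before cmdSubmit_Click processes anything. The page name Register, the validator valNameFree and the TakenNames set are hypothetical; txtName, Message and cmdSubmit are the controls used on the slides and are assumed to be declared in the page markup.

```csharp
// Added example: code-behind for a hypothetical Register.aspx page.
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Register : Page
{
    // Constructed stand-in for stored data; a real page would query its user store.
    private static readonly HashSet<string> TakenNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "admin", "jchen" };

    // Wired in markup with:
    //   <asp:CustomValidator id="valNameFree" runat="server"
    //        ControlToValidate="txtName"
    //        OnServerValidate="valNameFree_ServerValidate" ... />
    // This handler runs only on the server, so it still applies when the
    // browser has scripting disabled or the form is posted by another client.
    protected void valNameFree_ServerValidate(object source, ServerValidateEventArgs args)
    {
        string name = (args.Value ?? string.Empty).Trim();

        // Repeat the checks the client script would make (length limits) ...
        bool wellFormed = name.Length >= 3 && name.Length <= 20;

        // ... then add the check only the server can make: stored data.
        args.IsValid = wellFormed && !TakenNames.Contains(name);
    }

    protected void cmdSubmit_Click(object s, EventArgs e)
    {
        // Re-run every validator on the server, then poll the result.
        Page.Validate();
        if (!Page.IsValid)
        {
            Message.Text = "Please correct the errors and resubmit.";
            return; // no database update happens for invalid input
        }

        Message.Text = "Page is Valid!";
        // Perform database updates or other logic here
    }
}
```

An empty txtName is not passed to this handler, which is why the slides pair other validators with a RequiredFieldValidator on the same control.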
Using the ValidationSummary Control

• Collects error messages from all validation controls on the page
• Can display text and error messages
• Use Text="*" to indicate the location of the error

    <asp:ValidationSummary id="valSummary"
        runat="server"
        HeaderText="These errors were found:"
        ShowSummary="True"
        DisplayMode="List"/>
Review
• Overview of User Input Validation
• Using Validation Controls
• Page Validation
Managing State
Overview
• State Management
• Application and Session Variables
Lesson: State Management
• What is State Management?
• Types of State Management
• Server-Side State Management
• Client-Side State Management
• The Global.asax File
What is State Management?
[Figure: Login.aspx asks "Please enter your logon information:" (First Name: John, Last Name: Chen) and submits to the Web server. Without state management, Greetings.aspx answers "I forget who you are!!". With state management, Greetings.aspx answers "Hello John Chen".]
Types of State Management
Server-Side State Management
• Application state
– Information is available to all users of a Web application
• Session state
– Information is available only to a user of a specific session
Client-Side State Management
• Cookies
– Text file stores information to maintain state
• The ViewState property
– Retains values between multiple requests for the same page
Server-Side State Management
• Application state is a global storage mechanism accessible from all pages in the Web application
• Session state is limited to the current browser session
– Values are preserved through the use of application and session variables
– Scalability
• ASP.NET session is identified by the SessionID string
[Diagram: the client computer holds the SessionID; the Web server holds the application and session variables]
Client-Side State Management
• Uses cookies to maintain state
– Persistent cookies
– Temporary/ Non-persistent cookies
• Less reliable than server-side state management options
– User can delete cookies
• Less secure than server-side state management options
• Limited amount of information
– Client-side restrictions on file sizes

[Diagram: the Web server sends cookies that are stored on the client computer]
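
Because a cookie is stored on the client, the server has to treat its value as user input when it comes back. The code-behind below is an added example, not part of the original slides, that writes the BackColor preference from the later session-variable slide as a persistent cookie and checks it against a fixed list on the way back in. The page name Preferences, the button cmdBlue and the AllowedColors list are hypothetical.

```csharp
// Added example: code-behind for a hypothetical Preferences.aspx page.
using System;
using System.Web;
using System.Web.UI;

public partial class Preferences : Page
{
    // Constructed whitelist: the only values the server accepts back.
    private static readonly string[] AllowedColors = { "blue", "white", "gray" };

    // Persistent cookie: kept by the browser until Expires.
    // Leaving Expires unset makes it a temporary (non-persistent) cookie.
    private void SaveColorCookie(string color)
    {
        HttpCookie cookie = new HttpCookie("BackColor", color);
        cookie.Expires = DateTime.Now.AddDays(30);
        cookie.HttpOnly = true;                     // hidden from client script
        cookie.Secure = Request.IsSecureConnection; // marked Secure when the page was requested over HTTPS
        Response.Cookies.Add(cookie);
    }

    // The user can delete or edit the cookie, so a missing or
    // unexpected value falls back to a default instead of being used.
    private string LoadColor()
    {
        HttpCookie cookie = Request.Cookies["BackColor"];
        if (cookie != null && Array.IndexOf(AllowedColors, cookie.Value) >= 0)
        {
            return cookie.Value;
        }
        return "white";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only the checked value is copied into server-side session state.
        Session["BackColor"] = LoadColor();
    }

    protected void cmdBlue_Click(object sender, EventArgs e)
    {
        SaveColorCookie("blue");
        Session["BackColor"] = "blue";
    }
}
```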
The Global.asax File
• Only one Global.asax file per Web application
• Stored in the virtual root of the Web application
• Used to handle application and session events
• The Global.asax file is optional
The Global.asax File (continued)
[Diagram: a client request passes through IIS on the ASP.NET Web server to the ASP.NET HTTP Runtime, which raises the following events around page execution before the response is returned to the client]
1. Application_BeginRequest
2. Application_AuthenticateRequest
3. Application_AuthorizeRequest
4. Application_ResolveRequestCache
5. Application_AcquireRequestState
6. Application_PreRequestHandlerExecute
7. Page execution
8. Application_PostRequestHandlerExecute
9. Application_ReleaseRequestState
10. Application_UpdateRequestCache
11. Application_EndRequest
Lesson: Application and Session Variables
• Initializing Application and Session Variables
• Using Application and Session Variables
• Demonstration: Using Session Variables
• Application and Session Variable Duration
• Scalable Storage of Application and Session Variables
• Saving Application and Session Variables in a Database
Initializing Application and Session Variables
• Variables are initialized in Global.asax
– The Application object shares information among all users of a Web application

    protected void Application_Start(Object sender, EventArgs e)
    {
        Application["NumberofVisitors"] = 0;
    }

– The Session object stores information for a particular user session
Using Application and Session Variables
• Set session and application variables

    Session["BackColor"] = "blue";
    Application.Lock();
    Application["NumberOfVisitors"] =
        (int)Application["NumberOfVisitors"] + 1;
    Application.UnLock();

• Read session and application variables

    strBgColor = (string)Session["BackColor"];
    lblNbVisitor.Text = Application["NumberOfVisitors"].ToString();
Application and Session Variable Duration

• Session variables have a set duration after last access
– Default is 20 minutes
• Session duration can be changed in Web.config:

    <configuration>
        <system.web>
            <sessionState timeout="10" />
        </system.web>
    </configuration>

• Application variables persist until the Application_End event is fired
Scalable Storage of Application and Session Variables

• By default, the session state is managed in process
• Disadvantage of in process storage:
– Not Scalable
• ASP.NET provides out of process storage of session state
– State can be stored in a SQL Server database or a state server
• Advantages of out of process storage:
– Scalable
[Diagram: a client connects to a Web farm; session and application variables are held on a state server or in SQL Server]
Securing a Microsoft ASP.NET Web Application
Overview
• Web Application Security Overview
• Working with membership Security.
Lesson: Web Application Security Overview

• Authentication vs. Authorization


• What Are ASP.NET Authentication Methods?
• Multimedia: ASP.NET Authentication Methods
• Comparing the ASP.NET Authentication Methods
• What Are the IIS Authentication Mechanisms?
• Demonstration: Using IIS Authentication Mechanisms
• What Is Secure Sockets Layer?
Authentication vs. Authorization
• Authentication
– Accepts credentials from a user
– Validates the credentials
• Authorization
– Given the authentication credentials supplied, determines the right to access a resource
– Can be assigned by user name or by role
What Is Secure Sockets Layer?
• SSL is a protocol used for transmitting data securely across a network. SSL secures data through:
– Data encryption
    • Ensures that the data sent is read only by a secure target server
– Server authentication
    • Ensures that data is sent to the correct server
    • Uses the server and client certificates
– Data integrity
    • Protects the integrity of the data
    • Includes a message authentication code that detects whether a message is altered
• Uses Hypertext Transfer Protocol Secure to retrieve an ASP.NET Web page
Reading User Information
• After authentication, the Web server can read the user identity

    lblAuthUser.Text = User.Identity.Name;
    lblAuthType.Text = User.Identity.AuthenticationType;
    // IsAuthenticated is a bool, so convert it before assigning to Text
    lblIsAuth.Text = User.Identity.IsAuthenticated.ToString();
Overview of Forms-Based Authentication
[Diagram: forms-based authentication flow in seven numbered steps. The client requests a page; the request passes through IIS to ASP.NET Forms Authentication; a client that is not authenticated is sent to the logon page (users enter their credentials: Username, Password, Submit); an authenticated client receives an authentication cookie; an authorized client receives the requested secure page, otherwise access is denied.]
Accessing Relational Data Using Microsoft .NET
Overview
• Overview of ADO.NET
• Creating a Connection to a Database
• Displaying a DataSet in a List-Bound Control
Lesson: Overview of ADO.NET
• What is ADO.NET?
• Using Namespaces
• The ADO.NET Object Model
• What is a DataSet?
• Accessing Data with ADO.NET
• Practice: Identifying ADO.NET Components
What is ADO.NET?
ADO.NET provides a set of classes for working with data. ADO.NET provides:
• An evolutionary, more flexible successor to ADO
• A system designed for disconnected environments
• A programming model with advanced XML support
• A set of classes, interfaces, structures, and enumerations that manage data access from within the .NET Framework
Using Namespaces
• Use the Imports or using statement to import namespaces

    using System.Data;
    using System.Data.SqlClient;

• Namespaces used with ADO.NET include:
– System.Data
– System.Data.SqlClient
– System.Data.OleDb
The ADO.NET Object Model
[Diagram: a DataSet contains DataTables. The SQL Server .NET Data Provider (SqlDataAdapter, SqlConnection) connects to SQL Server 7.0 (and later); the OLE DB .NET Data Provider (OleDbDataAdapter, OleDbConnection) connects to OLEDB sources (SQL Server 6.5).]
What is a Dataset?
[Diagram: the DataSet and its DataTables live in Web server memory. A SqlDataAdapter and SqlConnection link it to SQL Server 2000, and an OleDbDataAdapter and OleDbConnection link it to an OleDb Database, both in physical storage.]
Accessing Data with ADO.NET
1. Client makes request
2. Create the SqlConnection and SqlDataAdapter objects
3. Fill the DataSet from the DataAdapter and close the connection
4. Return the DataSet to the Client
5. Client manipulates the data
6. Update the DataSet
7. Use the SqlDataAdapter to open the SqlConnection, update the database, and close the connection
[Diagram: Database, Web server (SqlConnection, SqlDataAdapter, DataSet), List-Bound Control, Client]
The DataAdapter Object Model
[Diagram: the DataSet sits on top of a DataAdapter, which exposes SelectCommand, UpdateCommand, InsertCommand and DeleteCommand. Each is a Command object that runs over the Connection against a stored procedure in the Database (sp_SELECT, sp_UPDATE, sp_INSERT, sp_DELETE); the SelectCommand returns its rows through a DataReader.]
What are List-Bound Controls?
• Controls that connect to a data source and display the data
• List-bound controls include the following:
– DropDownList
– ListBox
– CheckBoxList
– RadioButtonList
– DataGrid
– DataList
– Repeater
Multimedia: The ADO.NET Object Model
Creating the Connection
• Using SqlConnection

    string strConn = "data source=localhost; " +
        "initial catalog=northwind; integrated security=true";
    SqlConnection conn = new SqlConnection(strConn);

• Setting connection string parameters
– Connection timeout
– Data source
– Initial catalog
– Integrated security
– Password
– Persist security info
– Provider
– User ID

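
Steps 2 to 4 of "Accessing Data with ADO.NET", combined with the connection string parameters listed above, as an added example that is not part of the original slides. It assumes the local Northwind database from the slide's connection string and that sample database's Customers table; the class CustomerData and its method names are hypothetical.

```csharp
// Added example: builds the slide's connection string from named
// parameters and fills a disconnected DataSet.
using System.Data;
using System.Data.SqlClient;

public static class CustomerData
{
    public static string BuildConnectionString()
    {
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder.DataSource = "localhost";      // Data source
        builder.InitialCatalog = "northwind";  // Initial catalog
        builder.IntegratedSecurity = true;     // Windows identity, so no User ID
                                               // or Password is stored in the string
        builder.PersistSecurityInfo = false;   // do not hand credentials back through
                                               // conn.ConnectionString after Open()
        builder.ConnectTimeout = 15;           // Connection timeout, in seconds
        return builder.ConnectionString;
    }

    // Step 2: create the SqlConnection and SqlDataAdapter objects.
    // Step 3: fill the DataSet; Fill opens a closed connection and
    //         closes it again when it has finished reading.
    // Step 4: return the DataSet, which no longer needs the connection.
    public static DataSet LoadCustomers()
    {
        DataSet ds = new DataSet();
        using (SqlConnection conn = new SqlConnection(BuildConnectionString()))
        using (SqlDataAdapter adapter = new SqlDataAdapter(
            "SELECT CustomerID, CompanyName FROM Customers", conn))
        {
            adapter.Fill(ds, "Customers");
        }
        return ds;
    }
}
```

A list-bound control can then use the result by setting its DataSource to `ds.Tables["Customers"]` and calling DataBind().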