Scribd
Upload
49 views

Form Validation Techniques: Don Edlin, MRSC

This document discusses techniques for validating web forms to ensure security, data integrity, and usability. It recommends combining client-side validation using JavaScript with server-side validation for security. Client-side validation improves the user experience, while server-side validation is necessary to prevent attacks, as client-side scripts can be disabled. Regular expressions and limiting input lengths can help prevent SQL and cross-site scripting attacks. Both client-side and server-side validation should be used to validate forms on both the user interface and server.

Uploaded by

myacscribd
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
49 views

Form Validation Techniques: Don Edlin, MRSC

This document discusses techniques for validating web forms to ensure security, data integrity, and usability. It recommends combining client-side validation using JavaScript with server-side validation for security. Client-side validation improves the user experience, while server-side validation is necessary to prevent attacks, as client-side scripts can be disabled. Regular expressions and limiting input lengths can help prevent SQL and cross-site scripting attacks. Both client-side and server-side validation should be used to validate forms on both the user interface and server.

Uploaded by

myacscribd
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 18

Form Validation

Techniques

Don Edlin, MRSC


[email protected]

1
Why Validate?

 Usability
 Frustrating for the user
 Data Integrity
 Ensure your getting data in the format you expect
 Security
 Keeping your forms from being used against you or your users
 Assume all input is evil

2
SQL Injection Attacks

 Not limited to SQL Server – Oracle, MySQL, DB2, Sybase, etc.


 It’s suggested that you take a layered approach to preventing these
attacks.
 Can be executed in form fields and in querystrings.
 First layer of protection:

Principle Implementation

Never trust user input Validate all textbox entries using validation
controls, regular expressions, code, and so on

3
Cross Site Scripting Attack

 Cross-site scripting allows hackers to run malicious script


in a client’s Web browser
 Any Web page that renders dynamic HTML based on
content that users submit is vulnerable
 That script can then be executed by the browser of an
unsuspecting user. The browser has know way of
knowing that the script shouldn’t be executed.

4
Approaches to Form Validation

 Disallow incorrect input


 You have to know what to disallow
 May be other ways to represent certain characters.
 Allow a small number of required input characters
 Requires more code, but allows for much tighter code
 (Either way or both ways - limit entry length)
 Many injection attacks require a large number of characters

5
Where to Validate

 Server Side
 CGI, ASP, .Net, Coldfusion, etc.
 Pros

 Ensures that every time the form is submitted, the validation will
run.
 Allows for validation against other server resources, such as a
backend database and business rules.
 Cons
 Puts more load on the server.
 Slower

6
Where to Validate

 Client Side
 JavaScript
 Pros

 Processing is done on the client computer


 Faster
 Cons
 Will not work if the user has it disabled
 Not a solution for security.
 Not a good solution for data integrity.

7
The Answer

 Most likely you will want a combination of client side and server side
validation.*
 Consider JavaScript validation as adding usability, not providing security.
 Never use client side validation for security.
 Do include a maximum length on your input tags.
 Encode input from users and querystrings.

*Some validation will run on both the client and on the server.
.Net validation controls for example

8
When Server Side is also Client Side
 Many server side controls will produce JavaScript for validation
when the page is served.
 Asp.net form field with validation
<form runat="server">
Email:<asp:textbox id="txtEmail" size="20" runat="server"/><br>
<ASP:RequiredFieldValidator ControlToValidate="txtEmail" Display="Static"
ErrorMessage="*Email is a required field."
runat="server" />

 Resulting form on Page


<form name="_ctl0" method="post" action="name_email1.aspx"
language="javascript" onsubmit="ValidatorOnSubmit();" id="_ctl0">
<script language="javascript" type="text/javascript"
src="/aspnet_client/system_web/1_0_3705_6018/WebUIValidation.js"></
script>

9
JavaScript for Usability

 What can you do with JavaScript?


 Check required fields
 Compare one input value against another.
 Set a field based on user input.
 Check substrings entered by the user.
 Combine with Regular Expressions to perform more
detailed string matching validation

10
JavaScript Zip Code Example
function validateZIP(field) {
var valid = "0123456789-";
var hyphencount = 0;

if (field.length!=5 && field.length!=10) {


alert("Please enter your 5 digit or 5 digit+4 zip code.");
return false;
}
for (var i=0; i < field.length; i++) {
temp = "" + field.substring(i, i+1);
if (temp == "-") hyphencount++;
if (valid.indexOf(temp) == "-1") {
alert("Invalid characters in your zip code. Please try again.");
return false;
}
if ((hyphencount > 1) || ((field.length==10) && ""+field.charAt(5)!="-")) {
alert("The hyphen character should be used with a properly formatted 5 digit+four zip code, like
'12345-6789'. Please try again.");
return false;
}
}
return true;
}
11
Regular Expressions

 A powerful tool used in pattern-matching and substitution


 Included in JavaScript 1.2

12
Some of The Special Characters

 Always begin and end with a slash.


/regular expression is in here/
 \ Toggles between literal and special characters.
 $ - end of a string. \$ - ignore the special character and use the
$.
 w – literal character. \w – matches any letter, number, or the
underscore

13
Example

 Validate a zip code.


 Want to allow for 5 or 10 digit zip code.
 Make sure the “–” is in the correct position.
 Don’t allow a “–” for 5 digit zip.

14
Regular Expression Code

re = /(^\d{5}$)|(^\d{5}-\d{4}$)/

function validateZIP(field) {
if (re.test(field)) {
return true
}
alert("Invalid Zip Code")
return false }

15
Regular Expression Code

/(^\d{5}$)|(^\d{5}-\d{4}$)/
/ - start and end of regular expression
() - used for grouping
\d – matches any digit 0 through 9
{5} – at least 5 occurrences of the previous character
$ - end of string
| - alternation - or

16
Conclusion

 Provide JavaScript client side validation for the primary


purpose of usability and formatting.
 Perform server side validation for security purposes.
 Regular expressions can be used on client and server
side to validate data and reduce coding.
 Test client side scripting, then turn off active scripting in
your browser and test again.

17
Resources
Security
 http://www.owasp.org/index.jsp
 http://www.cgisecurity.com/articles/xss-faq.shtml#whatis
 http://www.technicalinfo.net/papers/CSS.html
 http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx

JavaScript and Regular Expressions


 http://javascript.internet.com/forms/
 http://www.webdevtips.com/webdevtips/js/validform/index.shtml
 http://www.webreference.com/js/column5/
 http://javascriptkit.com/javatutors/re.shtml

18

You might also like