Samer Ibrahim's Blog

The Samer I Warrior on battles with .NET

Lists/Forums/Etc.

Which Blogs do I read?

When using ASP.NET Validator Controls... if (Page.IsValid) { Now it's safe to go on! }

It's not often I like to display my ignorance in public but in this case it's worth it.  I've been using ASP.NET Validator controls for a while now with the knowledge that they provided me with an easy way to do both client-side and server-side validation in one step.  I never bothered to get to deeply involved in the documentation about them because I thought how difficult can they possibly be to use.  Well the truth is not difficult at all, if you know how to use them.  The implicit client-side validation that they cause fooled me into believing that the validation occured the same way on the server-side as well.  In other words, a page will not submit until the data is verified.  Then I read this today in Fritz Onion's Essential ASP.NET book:

"As soon as you place a validation control on a page, it is imperative that you check the IsValid flag of the Page class before using any of the data posted by the client.  It is a common misconception that if validation fails on a page, the code for that page will not execute.  On the contrary, the only thing that happens when server-side validation fails is that the IsValid flag of the Page class is set to false, and each validation control that failed renters itself as a visible span so that the error indicator shows up when the page is redisplayed to the user."

I was under that misconception.  Well sort of.  I thought that the page would execute but as soon as an invalid control was hit, the page would rerender to the user and the proper messages would be displayed.  Fritz Onion explains that if the client browser does not support JavaScript or a malicious user removes your JavaScript, no client side validation will occur and therefore you must ensure that IsValid == true on the server-side.  Please also be congnizant of the fact that you must wait until the Page class calls it's Validate() method, which occurs after the Page.Load event fires, or explicitly call Validate() on the page yourself prior to checking the Page.IsValid property.

I hope I help to dispel this misconception.  It's a trap that is all too easy to fall into.

Posted: Jun 15 2003, 03:33 PM by SamerEyeWarrior | with 3 comment(s)
Filed under: , ,

Comments

Andrew Hallock said:

I was ignorant of this, too. I slapped validation controls into my forms at will, unknowing that client-side validation only works in Internet Explorer. Even then, as you mentioned, the JavaScript can easily be removed. I wasn't sure when the Validate() method was called; thanks for the tip.
# February 6, 2004 9:36 AM

vic said:

this is a good tip
however i have some questions. i have been developing in c# for a while now, and just today was the first time that i experienced this behavior (my form was being submitted even when validation failed). Now, all of my previous applications have stopped the submit process when a validator failed, so my question is: is this left to chance? how is that execution is stopped sometimes but not others?
# May 3, 2004 5:15 PM

Aaron Navarro said:

Thanx for this tip it's amazing how this information is sort of hidden. I looked a lot longer than I should have to, to find this page.
# July 19, 2004 6:37 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)