Search code examples
c#asp.netvalidationrequiredfieldvalidator

Is using asp.net validators enough?

i am using asp.net validation like Required field validator etc. I am wondering is it enough to put these validators or something in backend should be done also ? I mean that it's working absolutely fine but i used to hear that validation should also be done in backend etc because client side validation can be turned off which will cause application to crash ? so is it true ?

e.g.

<asp:TextBox ID="txtFrom" runat="server"></asp:TextBox>
    <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" 
                                ControlToValidate="txtFrom" Display="None" ErrorMessage="" 
                                ForeColor="Red" >
     </asp:RequiredFieldValidator>
    &nbsp; To :
    <asp:CalendarExtender ID="Calender" Format="dd/MMM/yyyy" runat="server" TargetControlID ="txtFrom"></asp:CalendarExtender>
    <asp:TextBox ID="txtTo" runat="server"></asp:TextBox>
      <asp:CalendarExtender ID="CalendarExtender1" Format="dd/MMM/yyyy" runat="server" TargetControlID ="txtTo"></asp:CalendarExtender>
    <asp:RequiredFieldValidator ID="RequiredFieldValisdator9" runat="server" 
                                ControlToValidate="txtTo" Display="None" ErrorMessage="" 
                                ForeColor="Red" >
     </asp:RequiredFieldValidator>

Guys thanks for kind replies i tried to validate page on submission button, like this, is it correct ?

protected void btnGenReport_Click(object sender, EventArgs e) { //This Event Generates Report of Complaints Between Specific Dates.

    try
    {
       //my report binding code

    }
    catch (Exception ex)
    {
        Response.Write(ex.Message.ToString());
    }

    Page.Validate();
    if (Page.IsValid)
    {
        txtFrom.Text = "Validated";
    }
    else 
    {
        txtFrom.Text = "NOT VALIDATED";
    }

}
Solution

  • When there is no javascript on the client (unlikely but possible) you could end up with your validations turned off. Also, someone could try to circumvent your checks by posting the data directly to your website.

    For these situations you always need server side validation.

    According to MSDN: Validating ASP.NET Server Controls (emphasis mine):

    What makes these validation server controls effective is that when an ASP.NET page containing these controls is requested, it is the ASP.NET engine that decides whether to perform the validation on the client or on the server depending on the browser that is making the request.

    It seems the validation uses one, not both.

    You can ensure that the data is valid by calling Page.Validate() as suggested by Tim Schmelter.