
I have just finished up an online form using ASP.net MVC3 with unobtrusive. I have all the standard validation on the form fields, such as Required fields, date formats, etc. Now I am wondering if there is any recommended 'advanced' validation I should do to safeguard against SQL injection, etc. For example, I have several textareas and the only validation on them is that they are required.

Please let me know what you recommend, or even better, a link to a reference with form validation recommendations.

EDIT: I am not looking for tutorials on HOW to do validation, just looking for recommendations on WHAT to validate. For example, I have textboxes for names and dates, textareas for large comments, etc. All the basic validation is done and working great. I guess my main concern right now is guarding against SQL injection. I will look into reg ex validation for this. Thank you.

Thank you for reading.

BattlFrog

3 Answers


The front end isn't much of the concern, it's the back end data access strategy.

So - how are you doing data access? If you are using parameterized queries or an ORM (Entity Framework) and no inline sql, there is really no concern, the db drivers will do the proper escaping.

If other systems will be using your stored data and they COULD be doing inline sql (non-parameterized queries) then you'll want to regex your code to ensure that:

1. Numbers are meant to be numbers.
2. Text is alphanumeric only.
3. If using stored procs then you need to ensure the code inside your stored procs is not vulnerable to injection via sp_executesql. Although note if you absolutely need dynamic sql on the server side, sp_executesql does support parameterized queries rather than concatenating all your strings together.

As a side note because I feel it needs mention here, note that scenarios like www.whatever.com/order/1 are generally more vulnerable to parameter tampering (not sql injection) where your QUERIES don't properly restrict the current user from accessing an order they don't have access to, so in general review your queries to ensure that the user has access to what they are requesting. select ShipDate from [Order] where OrderId=@orderId and CustomerId=@customerId where the customerId is stored ONLY on the server side and is part of your security/profile system.

If you want more in depth info on hack proofing your asp.net web forms and mvc applications, I have a five hour course on pluralsight.com

http://pluralsight.com/training/courses/TableOfContents?courseName=hack-proofing-dotnet-app&highlight=adam-tuliper_information-leakage#information-leakage

Adam Tuliper
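The two points in the answer above, parameterization and the server-side ownership check, as an added C# example that is not part of the original answer or the questioner's project. It assumes a SQL Server connection string, an Order table with the OrderId, CustomerId and ShipDate columns the answer mentions, and a hypothetical CustomerProfile helper that looks up the customer id from the authenticated identity:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

public static class OrderQueries
{
    // VULNERABLE pattern the answer warns about: request input is spliced into the
    // SQL text, so the input can change the statement itself. Shown only to contrast
    // with the parameterized version below; never execute something built this way.
    public static string BuildInlineSql(string orderIdFromRequest)
    {
        return "select ShipDate from [Order] where OrderId=" + orderIdFromRequest;
    }

    // SAFE: values travel as typed parameters. The driver never merges them into the
    // statement text, so no input can alter the query's structure.
    // The CustomerId predicate is the parameter-tampering defence: the order must
    // belong to the customer the server already knows, not whoever the URL names.
    public static DateTime? GetShipDate(string connectionString, int orderId, int currentCustomerId)
    {
        const string sql =
            "select ShipDate from [Order] where OrderId=@orderId and CustomerId=@customerId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@orderId", SqlDbType.Int).Value = orderId;
            cmd.Parameters.Add("@customerId", SqlDbType.Int).Value = currentCustomerId;
            conn.Open();
            object result = cmd.ExecuteScalar();

            // No row means "not this customer's order"; report it exactly like a
            // missing order so a guessed id reveals nothing about other customers.
            if (result == null || result == DBNull.Value)
                return null;
            return (DateTime)result;
        }
    }
}

public class OrderController : Controller
{
    // Assumed: connection string comes from configuration in a real project.
    private const string ConnectionString = "<connection string placeholder>";

    // Handles /order/{id}; the id is untrusted, the customer id is not.
    [Authorize]
    public ActionResult ShipDate(int id)
    {
        // Hypothetical helper: resolves the customer from the server-side profile,
        // never from a form field, cookie value or query string.
        int customerId = CustomerProfile.GetCustomerId(User.Identity.Name);

        DateTime? shipDate = OrderQueries.GetShipDate(ConnectionString, id, customerId);
        if (shipDate == null)
            return HttpNotFound();

        return View(shipDate.Value);
    }
}

// Stand-in for the profile/security system the answer refers to (hypothetical).
public static class CustomerProfile
{
    public static int GetCustomerId(string userName)
    {
        // Look up the authenticated user's customer id in your own profile store.
        throw new NotImplementedException("replace with your profile lookup");
    }
}
```

The ORM route the answer mentions gives the same protection: an Entity Framework query such as `db.Orders.Where(o => o.OrderId == id && o.CustomerId == customerId)` is translated to a parameterized command, so the point to review is still the `CustomerId` condition, not the escaping.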

For a stricter validation, I recommend using regular expressions besides required fields. A link for a basic overview is here

Zafer

You want to create your own custom validation attributes and then register them in the unobtrusive JavaScript validation engine. This utilises the IClientValidate interface.

Here's a tutorial on generating your own custom IClientValidate attribute and registering it in unobtrusive javascript, etc.

http://odetocode.com/Blogs/scott/archive/2011/02/21/custom-data-annotation-validator-part-i-server-code.aspx

http://odetocode.com/Blogs/scott/archive/2011/02/22/custom-data-annotation-validator-part-ii-client-code.aspx

Also here's an example of one I've done and posted on here for validating a list:

Unobtrusive validation of collection

Liam
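A custom data-annotation attribute that also registers a client rule, as an added C# example covering both this answer and the regular-expression suggestion in the answer before it. It is not code from the original answers, the linked tutorials or the questioner's project. It assumes an MVC3 model with the name, date and comments fields the question describes; the attribute name, rule name and the NoControlChars policy itself are this example's own choices, and the attribute implements MVC's IClientValidatable interface:

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Server side of the rule. It runs on every post regardless of whether the client
// script executed, which is the half that actually protects the application.
[AttributeUsage(AttributeTargets.Property)]
public sealed class NoControlCharsAttribute : ValidationAttribute, IClientValidatable
{
    public NoControlCharsAttribute()
        : base("{0} contains characters that are not allowed.") { }

    public override bool IsValid(object value)
    {
        var text = value as string;
        if (string.IsNullOrEmpty(text))
            return true; // emptiness is [Required]'s job, not this rule's

        foreach (char c in text)
        {
            // Allow the line breaks and tabs a textarea legitimately produces,
            // reject every other control character.
            if (char.IsControl(c) && c != '\r' && c != '\n' && c != '\t')
                return false;
        }
        return true;
    }

    // Hands the unobtrusive engine a rule name and message; the matching
    // client adapter is registered under the same name ("nocontrolchars").
    public IEnumerable<ModelClientValidationRule> GetClientValidationRules(
        ModelMetadata metadata, ControllerContext context)
    {
        yield return new ModelClientValidationRule
        {
            ErrorMessage = FormatErrorMessage(metadata.GetDisplayName()),
            ValidationType = "nocontrolchars"
        };
    }
}

// The form from the question: names, dates and large comment textareas.
public class CommentForm
{
    // Example whitelist for a name field: letters (any script), space, apostrophe,
    // period and hyphen. Adjust to what your data actually needs to accept.
    [Required, StringLength(100)]
    [RegularExpression(@"^[\p{L} .'-]+$",
        ErrorMessage = "Name may contain letters, spaces, apostrophes, periods and hyphens.")]
    public string Name { get; set; }

    [Required, DataType(DataType.Date)]
    public DateTime Date { get; set; }

    // Free text: bound its length, strip control characters, and rely on
    // parameterized data access (not validation) to keep it out of SQL.
    [Required, StringLength(4000)]
    [NoControlChars]
    public string Comments { get; set; }
}
```

On the client, the rule is wired up once with `jQuery.validator.unobtrusive.adapters.addBool("nocontrolchars")` plus a `jQuery.validator.addMethod("nocontrolchars", ...)` that mirrors the loop above; the server check stays authoritative whether or not that script runs.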