ASP.NET MVC | How to deal with password confirm value? - asp.net-mvc

What's the best way to validate password and confirm password fields in a strongly-typed view?
Password Field Code:
<label for="BaseUser.PasswordHash">Password</label>
<%= Html.Password("BaseUser.PasswordHash", Model.BaseUser.PasswordHash)%>
<%= Html.ValidationMessage("BaseUser.PasswordHash", "*")%>
I don't know how to deal with the confirm password field in MVC's way. Or should I just use JavaScript to validate?

This kind of UI validation rule might be done in the controller (contrary to my original answer). Download the Nerddinner.com source code, look at the AccountController.Register method where the ValidateRegistration method is called to see a specific example.
There's a complete walk through of the nerddinner.com site available as a FREE PDF download at http://tinyurl.com/aspnetmvc
but it doesn't go into the detail for your specific question in the walk through so just check out the source code as indicated above.
If you want to progressively enhance the user experience then you could layer the jquery validation plugin in the view to also validate client side.
Remember the danger with only performing the validation on the client via JavaScript is that all someone has to do is turn off JavaScript to avoid your business rules and bypass one layer of your "defense in depth" at stopping security attacks such as XSS and SQL injection.

I think JavaScript is the way to go. If you want your validation routine on the server (what is it, anyway? standard MVC?) as well, then fine.
But why force a roundtrip for something as easy as "your passwords don't match". And if somebody wants to "hack" (e.g. turn off javascript) so that they can submit two passwords that don't match, then fine.
To do it on the server, you'd have two separate fields and if they don't match then you throw the error.
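As an added example (not code from the question, the answers, or NerdDinner), here is what the server-side check described in the two answers above looks like in an MVC 1-style controller: the action takes the two password fields separately, a private validation method adds errors to ModelState, and the form is re-rendered when anything fails. The action and parameter names, the minimum length and the "_FORM" error key are assumptions.

```csharp
using System;
using System.Web.Mvc;

// Added example: controller-side confirm-password validation.
// Assumed: field names userName/password/confirmPassword, a six-character
// minimum, and a "Home/Index" redirect after success.
public class AccountController : Controller
{
    private const int MinPasswordLength = 6; // assumed policy value

    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Register(string userName, string password, string confirmPassword)
    {
        // The comparison happens here regardless of any client-side script:
        // a user can disable JavaScript or post the form directly, so the
        // rule is only real if the server enforces it.
        ValidateRegistration(userName, password, confirmPassword);

        if (!ModelState.IsValid)
        {
            // Re-render the form. The password inputs are rendered empty so the
            // submitted secret is not echoed back into the page source.
            ViewData["UserName"] = userName;
            return View();
        }

        // ... create the account here ...
        return RedirectToAction("Index", "Home");
    }

    private void ValidateRegistration(string userName, string password, string confirmPassword)
    {
        if (String.IsNullOrEmpty(userName))
            ModelState.AddModelError("userName", "You must specify a username.");

        if (password == null || password.Length < MinPasswordLength)
            ModelState.AddModelError("password",
                String.Format("You must specify a password of {0} or more characters.", MinPasswordLength));

        // Ordinal comparison: passwords are opaque strings, and a culture-aware
        // comparison could treat two different character sequences as equal.
        if (!String.Equals(password, confirmPassword, StringComparison.Ordinal))
            ModelState.AddModelError("_FORM", "The new password and confirmation password do not match.");
    }
}
```

The view's `Html.ValidationMessage("password", "*")` and a `Html.ValidationSummary()` pick these errors up without any further wiring. In MVC 3 and later the same match check can be declared once on a view model with `[Compare("Password")]`, which also feeds the unobtrusive client-side validation, but the ModelState check above is still what protects the account when the client is bypassed.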

Related

Data driven validation in ASP.NET MVC

I want to allow users to add validation rules in the database, for example 'Password cannot be the same as username' or something like that. I know how to validate these rules server side, but I would like to have a set of validators available which can be set at runtime, and also work client-side.
I want the validation process to be handled as close to the MVC standard as possible. One thing that crossed my mind is to set attributes at runtime, but I'm not sure if this is the way to go.
For now, we have the validation working at runtime and pass validation messages back to the client using Json, which works fine, but requires an (async) postback. If we can implement client side validation, we can eliminate the validation postback, which boosts the application's performance, but again, I'm not sure which way to go. Anyone with some good thoughts?
Did you try the remote validation attribute? If you need a lookup in the database, you need AJAX.
http://msdn.microsoft.com/en-us/library/gg508808(v=vs.98).aspx

Client-side model-level or form level validation with ASP.NET MVC3

I am using ASP.NET MVC3 with jQuery Validate + the unobtrusive validation support that comes with MVC3. Works great for almost everything, but I have one view where there is some view-wide validation that I need to do and I am not sure how to tap into the validation events that happen as part of MVC3+Validate+Unobtrusive. The actual validation will take just a few lines of code. I just don't know where to plug in that code.
I would like to tie into existing validation flow so that when the standard validation finds errors with individual fields and adds warning messages for them, my form-wide error message will also appear in the validation summary.
P.S. I am clear how to add appropriate model-level validation on the server side (Scott just blogged about it), but I feel it would be strange if some validation happened on the client and others only on the server. A user might see the client validation errors, fix them, then try to submit the form and only then get the model-level validation error message.
I would say what you are looking for is the new support for Remote Validation in Asp MVC3. Here is an article describing a common scenario, hopefully you can extend it yourself. Otherwise there are probably other articles around explaining it even better ;-)
http://www.aaronstannard.com/post/2010/12/07/remote-validation-asp-net-mvc3.aspx
/Victor
You should ALWAYS validate again on the server. It's really easy to circumvent JavaScript validation.
Rule #1 of Web Development: NEVER TRUST USER INPUT
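Both of the preceding threads point at the MVC 3 `[Remote]` attribute, so here is one added example (not from either question or answer) that covers the "password cannot be the same as username" rule from the first thread together with the "validate on the server again" point from the second. The view model, the `ValidationController` name, the `CheckPassword` action and the `PasswordIsAcceptable` rule are assumptions standing in for the database-driven rule the question describes.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example: a remote-validated rule with the same rule re-checked on POST.
public class RegisterViewModel
{
    [Required]
    public string UserName { get; set; }

    // Client side: jQuery Validate + unobtrusive validation calls
    // /Validation/CheckPassword via AJAX, sending Password and UserName.
    // HttpMethod = "POST" keeps the password out of the query string and
    // therefore out of web-server request logs.
    [Required]
    [Remote("CheckPassword", "Validation", AdditionalFields = "UserName",
        HttpMethod = "POST",
        ErrorMessage = "Password cannot be the same as the username.")]
    public string Password { get; set; }

    // System.Web.Mvc.CompareAttribute (MVC 3) handles the confirm field.
    [System.Web.Mvc.Compare("Password", ErrorMessage = "The password and confirmation do not match.")]
    public string ConfirmPassword { get; set; }
}

public class ValidationController : Controller
{
    // In the question's scenario this rule would be loaded from the database;
    // it is a plain method here so the example is self-contained.
    public static bool PasswordIsAcceptable(string password, string userName)
    {
        if (String.IsNullOrEmpty(password))
            return false;
        return !String.Equals(password, userName, StringComparison.OrdinalIgnoreCase);
    }

    // Answers the AJAX call with true (valid) or an error message.
    [HttpPost]
    public JsonResult CheckPassword(string password, string userName)
    {
        if (PasswordIsAcceptable(password, userName))
            return Json(true);
        return Json("Password cannot be the same as the username.");
    }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult Register(RegisterViewModel model)
    {
        // [Remote] only runs in the browser; model binding does not call
        // CheckPassword. Apply the rule again so a direct POST cannot skip it.
        if (!ValidationController.PasswordIsAcceptable(model.Password, model.UserName))
            ModelState.AddModelError("Password", "Password cannot be the same as the username.");

        if (!ModelState.IsValid)
            return View(model);

        // ... create the account ...
        return RedirectToAction("Index", "Home");
    }
}
```

The `ErrorMessage` on the attribute is what the client shows when the endpoint returns `false`; returning a string instead lets the server supply a rule-specific message, which is useful when the rules themselves live in the database.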

Putting CAPTCHAs on their own page?

We need to put a captcha image on our ASP.NET MVC 2 based website. We chose reCaptcha and built it in using the way described by Derik Whittaker. The idea there is basically to build some abstractions and all you need to do is decorate your Controller with a [ValidateCaptcha] attribute. This works all fine.
However, we have a lot of form-widgets in different pages and I don't want to have the captcha floating around everywhere. So I'd like to implement it the way StackOverflow does: Submit a Form -> Challenge Captcha -> Submit Captcha -> Perform Action on original form data.
Now, how do I redirect the user to the captcha page while keeping the originally submitted information?
I thought of some very ugly hacks (hidden fields w/ base64 encoded form data, etc.) but I think I'm missing something obvious. On the other hand, this sounds as if I wanted to do something in a stateful manner, and I shouldn't?
Session or persisting model state on the client comes to mind.
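As an added example (not from the question or the answer), this is the session-backed variant of the answer's suggestion: the pending form data is parked in TempData while the user completes the challenge, so nothing has to be round-tripped through hidden fields. `CommentModel`, the `[ValidateCaptcha]` attribute from the Whittaker-style abstraction, `SaveComment` and the action names are assumptions.

```csharp
using System;
using System.Web.Mvc;

// Added example: Submit -> Challenge -> Perform, with the submitted data kept
// server-side between the two requests.
[Serializable] // required if session state is stored out of process
public class CommentModel
{
    public string Author { get; set; }
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    private const string PendingKey = "PendingComment";

    [HttpPost]
    public ActionResult Submit(CommentModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // TempData lives in the user's session, so the data stays on the server
        // and cannot be edited by the client between the two steps.
        TempData[PendingKey] = model;
        return RedirectToAction("Challenge");
    }

    [HttpGet]
    public ActionResult Challenge()
    {
        // Reading a TempData entry marks it for removal at the end of this
        // request; Keep() retains it for the POST that follows.
        if (TempData[PendingKey] == null)
            return RedirectToAction("Index");
        TempData.Keep(PendingKey);
        return View();
    }

    [HttpPost]
    [ValidateCaptcha] // assumed: adds a ModelState error when the captcha fails
    public ActionResult Challenge(FormCollection form)
    {
        var pending = TempData[PendingKey] as CommentModel;
        if (pending == null)
            return RedirectToAction("Index");

        if (!ModelState.IsValid)
        {
            // Wrong answer: keep the pending data for another attempt.
            TempData.Keep(PendingKey);
            return View();
        }

        // Only now, after a successful challenge, perform the original action.
        SaveComment(pending);
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View();
    }

    private void SaveComment(CommentModel model)
    {
        // assumed persistence
    }
}
```

If you prefer the client-side alternative from the answer (carrying the model state in hidden fields), the data that comes back must be treated as untrusted input again: re-run model validation on it and, if it must not be altered in transit, protect it with an HMAC, since base64 alone hides nothing from the user.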

What advantages does Mvc jquery validation offer?

What advantages, if any, does MVC jQuery Validation offer over the built-in MVC client validation?
I've used the built-in validation and am just curious as to if I'm missing anything or not.
How about customisation? I'm sure not everything is covered with the standard validators.
For example, our products are meant for people over 14yo so it'd be nice to validate that client side rather than tie the server up with silly requests.
You can then share this and have a standard way of validating DOB.
MVC jQuery validation is done on the front end (client side), without submitting data to the controller (Server side). So it can save you some bandwidth/processing.
If you have a slow or overloaded server, users will get a quicker response to validation errors this way as well.
Server side validation is essential/required since it makes sure you are getting good data before you save it. The client side is nice to have, but shouldn't be all you have since it's possible to bypass.

Trapping ValidateInput

If I have a search box on my page I clearly do not want the user to input any code that may be dangerous.
However, I have a lot of data entry pages and each one needs to have ValidateInput(false) on the controllers.
I don't want to allow dangerous input, but I also don't want to handle this in each and every controller.
Is there a way that the default, and ugly, .NET error message can be overridden, or is there a uniform way of handling this across controllers?
EDIT
I think maybe I didn't ask the question correctly.
For every data entry page I have, I have to turn off Input Validation. This becomes somewhat boring and cumbersome. Each time I accept input I need to HTMLEncode and then HTMLDecode later.
Is there a way to do this in one central place and automatically?
About output:
Here's an interesting post.
And another one from Steve Sanderson.
I just read that post some time ago - haven't tried myself.
Give some feedback how it turns out.
About input:
you could try to mess around with model binder and HtmlEncode values it takes.
ASP.NET and MVC don't allow HTML submissions by default. You have to actively enable this. See the ValidateInputAttribute for more information.
Also, even more important than not allowing HTML input is not displaying user submitted HTML when you create output. That's why all of the default generated views use Html.Encode, and why you should, too.
Update in response to edited question
Yes, it's possible (though probably not advisable) to turn off ValidateInput globally. Make a parent controller type, and put
[ValidateInput(false)]
...on the class.
Also, I don't recommend encoding input. If you allow users to input HTML, I'd store that as-is. Your web app might not be the only thing which queries your DB! In terms of filtering out "dangerous" HTML, that's extraordinarily difficult. I'd use a tested, third-party sanitization library.
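As an added example (not code from the question or the answers), here is the arrangement the last answer describes: request validation switched off once, on a base controller that only the data-entry controllers inherit, input stored as submitted, and encoding applied where the text is rendered. The `HtmlEntryController`, `ArticlesController`, `ArticleModel`, `Save` and `Load` names are assumptions.

```csharp
using System.Web.Mvc;

// Added example: one place to accept raw HTML, encoding applied on output.

// ValidateInput is evaluated per controller/action and is inherited, so
// putting it on a base class confines the relaxed setting to the controllers
// that really take HTML. Every other controller keeps the default protection.
[ValidateInput(false)]
public abstract class HtmlEntryController : Controller
{
}

public class ArticleModel
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Body { get; set; } // may contain user-submitted HTML
}

public class ArticlesController : HtmlEntryController
{
    [HttpPost]
    public ActionResult Edit(ArticleModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Stored exactly as submitted: no HtmlEncode on the way in, so other
        // consumers of the database see the original text and nothing is
        // double-encoded later.
        Save(model);
        return RedirectToAction("Show", new { id = model.Id });
    }

    public ActionResult Show(int id)
    {
        return View(Load(id));
    }

    private void Save(ArticleModel model) { /* assumed persistence */ }
    private ArticleModel Load(int id) { return new ArticleModel { Id = id }; }
}

// Show.aspx (ASPX view engine, ASP.NET 4 / MVC 2), the output side:
//
//   <h1><%: Model.Title %></h1>              encoded; same as <%= Html.Encode(Model.Title) %>
//   <div><%= Model.Body %></div>             raw; acceptable only for HTML that has
//                                             already been run through a sanitizer
//
// Encoding (render as text) and sanitizing with a maintained library (render
// as a restricted subset of HTML) are the two workable choices for Body;
// stripping "dangerous" tags by hand is the one the answer warns against.
```

A narrower option in MVC 3 and later is the `[AllowHtml]` attribute on the individual model property that takes HTML, which leaves request validation on for every other field of the same form.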
