Windows LiveWindows Live
 
 
ProfileI may have joined the wr...BlogLists Tools Help

Blog
    June 09

    What’s wrong with ASP.NET? Validation

    ASP.NET introduced a fancy new user input validation framework that, at least at first glance, appears to be a great advance over the complete lack of built-in validation support in ASP.OLD. Declarative validation is certainly wonderful stuff, and getting client-side validation with no additional effort (at least if your clients are using supported browsers) isn’t too shabby either. Overall, using the built-in validation controls certainly seems like a good idea, particularly for those folks who wouldn’t be performing any validation otherwise because of the amount of work involved.

    But what about those of us who had been performing validation all along? Do the ASP.NET validation controls really offer equivalent protection to our former "manual" validation? Unfortunately, for many of us, the answer is probably "no". The main problem lies with the validation paradigm chosen for ASP.NET, which has the following properties:

    1. Each validation control operates independently of the others.
    2. The validation process does not output a validated value.

    So what’s wrong with that, you ask? Well, each of the validation controls needs to re-read the target control value, as does the code that will ultimately process that value. To make the problem a bit more concrete, let’s look at the example of validating a birth date provided via a text box:


    Validation rule Validation control
    1 Value is required. RequiredFieldValidator
    2 Value must be parseable to a valid date value without any time portion. CompareValidator
    3 Date may not be in the future or more than 130 years in the past. CompareValidator
    4 If the value indicates an age of less than 10 years or greater than 90 years, the user must provide confirmation that the value is correct (as opposed to a data entry error). Custom control for soft validation

    In the above example, each validation control reads the text box value independently, which means that they cannot build upon parsing and restriction steps performed by the other validators. In addition, when our code needs to process the birth date, it must go back to the text box and read the string value again. That mean that there are at least 5 reads and 4 separate parsing operations from the original text box value, each of which represents an opportunity to parse inconsistently with respect to culture and/or format. In addition, there’s no guarantee that each of those 5 reads is even accessing the same value since it’s possible for the text box’s Text property to be altered between the reads (even if this is somewhat unlikely in an ASP.NET app).

    How can we address this problem? There are plenty of workarounds, including using only custom validation controls, but that means quite a bit more work for developers. A much more reliable approach would involve reading the "raw" value from the text box only once. It would then be passed from one validator to another in a pre-defined order and would only require a single parsing. In the birth date example, the validator at step 2 would output a strongly typed DateTime value (assuming, of course, that step 2 validation passed), and that’s the value that would be passed to the validator at step 3. The output from step 5 would be the value that our code would read, rather than going back to the text box to read its Text property.

    It’s entirely feasible to develop such a framework, but it’s also quite a bit of a lot of work, particularly when one considers addition of appropriate design-time support. It’s obviously not the sort of thing on which most shops would want their developers spending time. Unfortunately, it’s also not the sort of thing that many shops would be willing to pay for as a third-party product, particularly given that most developers probably perceive themselves as getting by just fine with the existing ASP.NET validation controls.

    On the other hand, it would probably be a reasonably small project on the Microsoft scale of things, and I suspect that I’m not the only one who would sleep better if the built-in tools would help the Morts of this world develop more reliable and secure applications out of the box, particularly given that most of us use applications built on those tools sooner on a more or less regular basis.

    12:19 PM | Blog it | Other stuff

    Comments (2)

    Please wait...
    Sorry, the comment you entered is too long. Please shorten it.
    You didn't enter anything. Please try again.
    Sorry, we can't add your comment right now. Please try again later.
    To add a comment, you need permission from your parent. Ask for permission
    Your parent has turned off comments.
    Sorry, we can't delete your comment right now. Please try again later.
    You've exceeded the maximum number of comments that can be left in one day. Please try again in 24 hours.
    Your account has had the ability to leave comments disabled because our systems indicate that you may be spamming other users. If you believe that your account has been disabled in error please contact Windows Live support.
    Complete the security check below to finish leaving your comment.
    The characters you type in the security check must match the characters in the picture or audio.
    Comments have been turned off on this page.
    No namewrote:
    Seems to me that if you've got common constraints on validations, you would derive from a TextBox for the interesting data types (e.g. a DateBox, IntegerBox, etc.) which would then handle most of those validations by directly injecting the correct validators (in the standard order).

    Sure, but this isn’t really relevant to the issue that my post covered, which was the fact that the validators do not output validated values and are unable to work in concert with each other to take advantage of work done in other validation steps.  Taking the birth date example, I would like to be able to write code like the following:

    DateTime birthDate = (DateTime)birthDateValidationManager.ValidatedValue;

    where the “validation manager” would be a container control which would host several validator controls that would be responsible for the individual validation steps.  These individual controls would operate quite similarly to the current validation controls, with one important exception.  Instead of each control reading the target control’s value separately, a validation sequence would be specified, and the individual controls would read the ValidatedValue property from the prior control in the sequence.  (Obviously, the first validator  would read the target control’s value, and the ValidatedValue property of the validation manager control would be the ValidatedValue of the last validator in the sequence.)
     
     
    Then you are left with your business-rule-based validators (#3 and #4 in your example).  Those typically can be handled by an Ajax or Atlas service call-back to validate client-side.

    This has nothing to do with client-side validation, and no amount of additional client-side validation will help with server-side issues.  Amongst other problems, client-side validation is trivial to bypass by disabling client-side script, using an alternate client application, or modifying a local copy of a page.  An application that relies on client-side validation alone will be neither secure nor reliable with respect to data quality.
    June 14
    Picture of Anonymous
    Marc Brooks wrote:
    Seems to me that if you've got common constraints on validations, you would derive from a TextBox for the interesting data types (e.g. a DateBox, IntegerBox, etc.) which would then handle most of those validations by directly injecting the correct validators (in the standard order).  Then you are left with your business-rule-based validators (#3 and #4 in your example).  Those typically can be handled by an Ajax or Atlas service call-back to validate client-side.
    June 12

    Trackbacks

    Weblogs that reference this entry
    • None