Skip to main content
Visual C++ Samples 
Input Sample: Demonstrates User Input Validation On Client And Server 

Download sample

Demonstrates validation of user input on both client and server.

The Input sample shows how to use the following classes to validate user input: CAtlRegExp, CAtlREMatchContext, CValidateContext, CHttpRequestParams.

Security noteSecurity Note

This sample code is provided to illustrate a concept and should not be used in applications or Web sites, as it may not illustrate the safest coding practices. Microsoft assumes no liability for incidental or consequential damages should the sample code be used for purposes other than as intended.


IIS 4 or later running on Windows NT 4.0 or later

Building and Running the Sample

To build and run this sample

  1. Open the solution file, Input.sln, in the Visual Studio development environment.

  2. Build the solution. This will also deploy the solution to the local Web server.

  3. Use a Web browser to view http://localhost/input/input.srf.

Concepts Presented in the Sample

Three key concepts are presented in this sample:

  • Separation of developer and designer tasks

  • User-input validation on client and server

  • Reuse of regular expression validation routines

Separation of Developer and Designer Tasks

The ATL Server architecture was designed so that the developer needs only to pass a list of the stencil tags to be used to the HTML designer. This makes it possible for the HTML designer to focus on the presentation requirements of the Web page, without having to worry about the implementation details of validation or data retrieval. The developer can then more productively spend time writing C++ code. This sample shows how to achieve a good separation of form and function using some generic stencil tags.

Validation on Client and Server

Modern browsers that support scripting can be used to enhance the user experience by validating input before it is even submitted to the server. Validation on the client provides a convenient way for the user to correct input mistakes and prevents unnecessary round trips to the server.

However, validation on the client cannot be trusted as a security measure, because it is trivial for malicious users to send an HTTP query that bypasses the validation code contained in script, so server-side validation is still essential. ATL Server request handlers should typically add validation code to the ValidateAndExchange method of the request handler.

This sample demonstrates a class that provides methods to output client validation code as well as perform server validation inside the ValidateAndExchange method of the request handler.

Regular Expression Validation Routines

The validation routines in this sample are based on the principle that it is safer to verify that input data conforms to a known good pattern than to try to catch all the bad patterns. Equivalent regular expressions are provided for CAtlRegExp on the server and JScript on the client.


See Also