|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here. ArchiveDisclaimer|
Introduction to Validating User Input in Web Forms
You can add input validation to Web Forms pages by using validation controls. Validation controls provide an easy-to-use mechanism for all common types of standard validation — for example, testing for valid dates or values within a range — plus ways to provide custom-written validation. In addition, validation controls allow you to completely customize how error information is displayed to the user.
Validation controls can be used with any controls that are processed in a Web Forms page's class file, including both HTML and Web server controls. For more information, see Introduction to ASP.NET Server Controls.
Security Note By default, the Web Forms page automatically validates that malicious users are not attempting to send script to your application. For more information, see Scripting Exploits.
Using Validation Controls
You enable validation of user input by adding validation controls to your form as you would other server controls. There are controls for different types of validation, such as range checking or pattern matching. A complete list appears in the topic Types of Validation for ASP.NET Server Controls.
Each validation control references an input control (a server control) elsewhere on the page. When the user's input is being processed (for example, when the form is submitted), the ASP.NET page framework passes the user's entry to the appropriate validation control or controls. The validation controls test the user's input and set a property to indicate whether the entry passed the test. After all validation controls have been called, a property on the page is set; if any of the controls shows that a validation check failed, the entire page is set to invalid.
You can test the state of the page and of individual controls in your own code. For example, you would test the state of the validation controls before updating a data record with information entered by the user. If you detect an invalid state, you bypass the update. Typically, if any validation checks fail, you skip all your own processing and return the page to the user. Validation controls that detect errors then produce an error message that appears on the page.
When Validation Occurs
Validation occurs after page initialization (that is, after view-state and postback data have been processed) but before Change or Click event handlers are called.
You can perform the validation procedure earlier by calling the control's Validate method, for example during page load. For more details, see Validating Programmatically for ASP.NET Server Controls.
Validating for Multiple Conditions
Generally speaking, each validation control performs just one test. However, frequently you want to check for multiple conditions. For example, you might want to establish that a field is required and that it is limited to accepting dates within a specific range.
You can attach more than one validation control to an input field on a form. In that case, the tests performed by the controls are resolved using a logical AND. The data input by the user must pass all the tests in order to be considered valid.
In some instances, entries in several different formats might be valid. For example, if you are prompting for a phone number, you might allow users to enter a local number, a long-distance number, or an international number. This situation arises primarily when checking for specific patterns of numbers or characters. To perform this type of test — a logical OR — you use the pattern-matching validation control and specify multiple valid patterns within the control. Using multiple validation controls would not work in this instance because they are tested with a logical AND.
Displaying Error Information
Validation controls are normally not visible in the rendered form. However, if the control detects an error, it produces error message text that you specify. The error message can be displayed in a variety of ways, as listed in the following table.
|In place||Each validation control can individually display an error message or glyph in place (usually next to the control where the error occurred).|
|Summary||Validation errors can be collected and displayed in one place — for example, at the top of the page. This strategy is often used in combination with displaying a glyph next to the input fields with errors. If the user is working in Internet Explorer 4.0 or later, the summary can be displayed in a message box.|
|In place and Summary||The error message can be different in the summary and in place. You can use this option to show a shorter error message in place with more detail in the summary, or to show an error glyph next to the input field and an error message in the summary.|
|Custom||You can create custom error display by capturing the error information and designing your own output.|
If you use the in-place or summary display options, you can format the error message text using HTML.
Security Note If you create custom error messages, be sure you do not display information that might help a malicious user compromise your application. For details, see Displaying Safe Error Messages.
Server-Side and Client-Side Validation
Validation controls perform input checking in server code. When the user submits a form to the server, the validation controls are invoked to review the user's input, control by control. If an error has occurred in any of the input controls, the page itself is set to an invalid state so you can test for validity before your code runs.
If the user is working with a browser that supports DHTML, the validation controls can also perform validation using client script. This can substantially improve response time in the page; errors are detected immediately and error messages are displayed as soon as the user leaves the control containing the error. If client-side validation is available, you have greater control over the layout of error messages and can display an error summary in a message box. For more details, see Client-Side Validation for ASP.NET Server Controls.
The page framework performs validation on the server even if the validation controls have already performed it on the client, so that you can test for validity within your server-based event handlers. In addition, it helps prevent users from being able to bypass validation by disabling or changing the client script.
Validation Object Model
You can interact with validation controls using the object model exposed by individual validation controls and by the page. Each validation control exposes its own IsValid property that you can test to see if a validation test has passed or failed for that control.
At the page level you have access to another IsValid page property that summarizes the IsValid state of all the validation controls on the page. This property makes it easy to do a quick test to see if you can safely proceed with your own processing.
The page also exposes a Validators collection containing a list of all the validation controls on the page. You can loop through this collection to examine the state of individual validation controls.
Note There are a few differences in the object model for client-side validation. For details, see Client-Side Validation for ASP.NET Server Controls.
You can customize the validation process in a number of ways:
- You have complete control over the format, text, and location of error messages, and you can specify whether they appear individually or in summary form.
- You can create custom validation using a special control. The control calls your logic but otherwise works the same as other validation controls in setting error state, displaying error messages, and so on. This provides an easy way to create custom validation logic but still participate in the validation framework of the page.
- If you have specified client-side validation, you can intercept the validation call and substitute or add your own validation logic.
By default, validation controls perform their checks when the Click events are processed. However, you can perform validation at any time in your code by calling a validation control's Validate method. Calling this method allows you to evaluate the validity of property settings made programmatically. For example, you might gather data from a user by a method other than a Web Forms page, and then set properties of server controls programmatically.
For more details, see Validating Programmatically for ASP.NET Server Controls.