Comparing Server and Client Validations

So sánh Server và Client kiểm chứng thực Xem xét các trang EmployeeForm.aspx về những trang của Honest John Web một lần nữa. Người sử dụng dự kiến sẽ nhập các chi tiết của một nhân viên: tên, nhân viên ID, vị trí và vai trò.
Nội dung trích xuất từ tài liệu:
Comparing Server and Client Validations Comparing Server and Client ValidationsConsider the EmployeeForm.aspx page of the Honest John Web site again. The user isexpected to enter the details of an employee: name, employee ID, position, and role. Allthe text boxes should be mandatory. The employee ID should be a positive integer.In a Windows Forms application, you would use the Validating event to ensure the usertyped something into the First Name and Last Name text boxes and that the employee IDvalue was numeric. Web forms do not have a Validating event, which means that youcannot use the same approach.Server ValidationIf you examine the TextBox class, you will notice that it publishes the TextChangedevent. This event runs the next time the form is posted back to the server after the userchanges the text typed in the text box. Like all Web Server control events, theTextChanged event runs at the Web server. This action involves transmitting data fromthe Web browser to the server, processing the event at the server to validate the data, andthen packaging up any validation errors as part of the HTML response sent back to theclient. If the validation being performed is complex, or requires processing that can onlybe performed at the Web server (such as ensuring that an Employee ID the user types inexists in a database) , this might be an acceptable technique. But if you are simplyinspecting the data in a single text box in isolation (such as making sure that the usertypes a positive integer into an Employee ID text box), performing this type of validationof the Web server could impose an unacceptable overhead; why not perform this check inthe browser on the client computer and save a network round-trip?Client ValidationThe Web Forms model provides for client-side validation through the use of validationcontrols. If the user is running a browser such as Microsoft Internet Explorer 4 or later,which supports dynamic HTML, these controls generate JavaScript code that runs in thebrowser and avoids the need to perform a network round-trip to the server. If the user isrunning an older browser, the validation controls generate server-side code instead. Thekey point is that the developer creating the Web form does not have to worry about this;all the browser detection and code generation features are built into the validationcontrols. The developer simply drops a validation control onto the Web form, sets itsproperties (by using either the Properties window or code), and specifies the validationrules to be performed and any error messages to be displayed.There are five types of validation controls supplied with ASP.NET: • RequiredFieldValidator Use this control to ensure that the user has entered data into a control. • CompareValidator Use this control to compare the data entered against a constant value, the value of a property of another control, or a value retrieved from a database. • RangeValidator Use this control to check the data entered by a user against a range of values, checking that the data falls either inside or outside a given range. • RegularExpressionValidator Use this control to check that the data input by the user matches a specified regular expression, pattern, or format (such as a telephone number, for example). NOTE You should be aware that if a user can type unrestricted text into a text box and send it to the Web server, they could type text that looks like HTML tags ( for example). Hackers sometimes use this technique to inject HTML into a client request in an attempt to cause damage to the Web server, or to try and break in (I am not going to go into the details here!). By default, if you try this trick with an ASP.NET Web page the request will be aborted and the user is shown the message “A potentially dangerous Request.Form value was detected from the client”. You can disable this check although it is not recommended. A better approach is to use a RegularExpressionValidator control to verify that the user input in a text box does not constitute an HTML tag (or anything that looks like it). For more information about regular expressions and how to use them, see the topic “.NET Framework Regular Expressions” in the Microsoft Visual Studio 2005 Documentation. • CustomValidator Use this control to define your own custom validation logic and attach it to a control to be validated.Although each control performs a single well-defined type of validation, you can useseveral of them in combination. For example, if you want to ensure that the user enters avalue into a text box and that this value falls within a particular range, you can attach aRequiredField Validator control and a RangeValidator control to the text box.These controls can work in conjunction with a ValidationSummary control to displayerror messages. You will use some of these controls in the following exercises.Implementing Client ValidationReturning to the EmployeeForm.aspx Web form, you can probably see thatRequiredField Validator controls will be required for the First Name, Last Name, andEmployee Id text boxes. The employee ID must also be numeric and should be a positiveinteger. In this application, you will specify that the employee ID must be between 1 and5000. This is where a Range Validator control is useful.Add RequiredFieldValidator controls 1. In the Microsoft Visual Studio 2005 programming environment, on the File menu, point to Open, and then click Web Site. In the Open Web Site dialog box,ensure the File System option is selected, and browse to Microsoft Press\Visual CSharp Step by Step\Chapter 26\HonestJohn in your My Documents folder. Click Open. NOTE You do not need to select a C# solution or proj ...