Hi,

We are building an ASP.NET application with C#.net as language.

Here we are validating the form field’s data at client side using ASP.NET validation controls. Now we are planning to validate the form field’s data at the server side too, to avoid script injections by hackers.

Would you please guide me on this, if you have an idea?

It would be great if you could also provide a reference document or web references (if needed).

+1  A: 

If you are using ASP.NET validation controls they also include server side validation.

You can check out MSDN for more information here: http://msdn.microsoft.com/en-us/library/aa479013.aspx

Straight from the MSDN page:

What makes these validation server controls effective is that when an ASP.NET page containing these controls is requested, it is the ASP.NET engine that decides whether to perform the validation on the client or on the server depending on the browser that is making the request. Therefore, your page's functionality changes depending on the requesting browser—thus enabling you to make your Web pages the best they can possibly be—rather than dummying-down your Web applications for the lowest common denominator.

Robban
+1  A: 

The ASP.Net Validation controls actually do both client and server side validation, however this is typically for things like required fields, length, format matching and the like. The validation controls are typically not designed for preventing malicious activity.

In terms of protecting your application, two major things to look out for are script injection and SQL injection.

There is some script injection protection built into ASP.NET by default, but it is best to defend against attacks directly as well. Any output generated from user input should be encoded before output. You can use HttpUtility.HtmlEncode(). There is also an AntiXss library available from Microsoft that offers enhanced protection.

Note that these measures are typically done as close to the program output as possible. This method does not reject entries containing malicious script; rather, the script is encoded into harmless text output.

Of course, any data stored to a database should be either parameterized or inserted via LINQ to prevent SQL injection; this will ensure that stored data is strongly typed and cannot be executed as a query.

XSS Defense Tips
AntiXss library Download

apocalypse9
+2  A: 

As Robban said, ASP.NET validation server controls include server-side validation. Check the Page.Validate() and Page.IsValid() methods for the server-side validation.

Canavar
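Putting apocalypse9's and Canavar's answers together, here is an added Web Forms code-behind example (not code from this thread): it re-runs the validators on the server with Page.Validate()/Page.IsValid, encodes user input with HttpUtility.HtmlEncode at the point of output, and writes to the database through a parameterized SqlCommand. The control names (txtName, lblGreeting, btnSubmit), the table name Comments and the connection-string key are assumptions.

```csharp
// Added example (not from the original thread): re-check validators on the
// server, encode user input before output, parameterize the database write.
// Assumed page controls: txtName, lblGreeting; assumed table: Comments.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class CommentForm : Page
{
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Client-side validation can be bypassed by disabling JavaScript or
        // replaying the POST, so run the validators again on the server.
        Page.Validate();
        if (!Page.IsValid)
        {
            return; // each validator's ErrorMessage is rendered for the user
        }

        string name = txtName.Text;

        // Encode at the point of output: input containing <script> tags is
        // rendered as literal text instead of being interpreted as markup.
        lblGreeting.Text = "Hello, " + HttpUtility.HtmlEncode(name);

        SaveComment(name);
    }

    // Parameterized insert: the value is bound as typed data and is never
    // concatenated into the SQL text, so it cannot alter the query.
    private static void SaveComment(string name)
    {
        string cs = ConfigurationManager
            .ConnectionStrings["Comments"].ConnectionString; // assumed key
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "INSERT INTO Comments (AuthorName, PostedAt) VALUES (@name, @postedAt)", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@postedAt", SqlDbType.DateTime).Value = DateTime.UtcNow;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The validators themselves (RequiredFieldValidator, RegularExpressionValidator, etc.) are declared in the .aspx markup as usual; the server-side check only matters if the handler actually consults Page.IsValid before acting on the input.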