Validation, what checks do you typically perform in your web apps?

Question

I'm building a publicly available web app. Because of this, I'll be validating every field as exhaustively as I can. I mean, if someone enters something that isn't valid, they will know exactly what it was (making it clear what they need to fix).

I've followed Scott Guthrie's examples in the NerdDinner eBook. I love the idea of having all my validation in the core class files (as a partial class).

The validation I'm performing is this:

• Min value - make sure strings are at least a certain length
• Max value - make sure strings are under a maximum length (based on field properties in the DB)
• int checks - make sure integer fields can be correctly parsed to int
• file extension - make sure the uploaded file extensions are of the correct type

My question is, what are the typical validation checks you make in your web apps? Maybe I'm completely overlooking something. ;)

Thanks in advance!

Answer 1

You'll want to check for SQL injection, XSS, and CSRF. You can use these tools for Firefox to help you test those. Then there are also things like making sure that the username doesn't equal the password, login throttling, etc. Validating your CSS and XHTML isn't bad either, though I don't think that's quite what you meant.

Answer 2

You should try to use existing frameworks as much as possible for validation. Writing a comprehensive validation library is a lot of hard and time-consuming work. It's one of those things that are best left to a team of people dedicated to developing it such as the jQuery validation plugins and projects like that. There are a lot of really nice validator libraries out there already that could save you a lot of time and effort.

There is an MVC validator toolkit project on codeplex you may find helpful. CodeProject has a tutorial on it if you want to read more into it. You can also check out xVal, as one of the commenters mentioned.

If you have a specific reason you need to write validation in-house, or you aren't convinced by what I said above, a few that I find useful are:

• Required field validation, obviously. You might already have this by just checking for minimum length in your fields.
• Generic regular expression validation. Make sure you have some way to perform this kind of validation generically. This will help you in case there is some specific field that needs a unique form of validation found no where else in your site. Make sure your API is flexible enough to add specific regular expression based validation.
• Email. You'll need this.
• Phone numbers. These can be tough because of all the forms they can come in (all numeric, sometimes with alpha characters, sometimes international numbers that follow different formats)
• Dates & times are important also, however you should consider using some sort of date/time picker to reduce the possibility of error by not allowing the user to type a value.
• Make sure you include validation capabilities for non-textbox related fields, such as drop-down lists, radio buttons, check boxes, etc. I've forgotten these in the past just out of oversight, but they do become important.
• Matching fields. For example, when confirming a password, both fields should match. This won't be used in just one page. Think about password resets, administrative pages, user control panels, etc.
• Although somewhat complex, you might also want to include sequence validation. For example, perhaps some options on your site require you to select other options first. Another example is that certain options should only be selectable if you first choose some other combination of options. This is something that you may not be able to include in a generic API, but it's something to think about.

Answer 3

In addition to what others have mentioned, don't forget to validate items that depend on one another. That is, consistency of input values. If the user enters a maximum and a minimum, for example, don't just check the two values independently against their legal max and min, but also check them against each other to ensure that the values entered are logically consistent.

For hostnames, you may want to validate that DNS returns an IP address. If it does not, let the user know but don't necessarily reject the hostname for this reason. Maybe the user is pre-configuring something that doesn't exist yet. It depends on the specific application.

That is, in addition to syntactic validity, you can also check that the values entered are meaningful and consistent with each other.

Another thing you can do if you go all out is to only allow digits to be entered in numeric fields, only allow digits and "-" in credit card or phone number fields, and so on.

And always, always allow the user to enter input in the most familiar format, even if you later have to strip out extraneous data. For example, let the user (but don't require the user to) enter a phone number is 1-800-555-1212 even if you later strip out the "-" characters.

Answer 4

Not really sure what this has to do with asp.net-mvc but...

I always try to avoid over-validating (obviously you need to do the simple sanity stuff to make sure there are no db errors). It is a field by field decision according to your business rules. Some fields will need to have strict validation rules, like a credit card number. But just always think about how the validation will server the user. There is rarely a need for the regex to match all possible email addresses - it is really annoying when a site won't allow + signs in your email. In most cases, your app will be just fine if you let people put in phone numbers how they want. And always second guess yourself when you're about to put a required rule on a field.

I recommend the entlib validation application block for a easy to use and extend framework.