I am trying to use ClientScriptManager.RegisterForEventValidation to register a hidden field and value that I am adding with ClientScriptManager.RegisterHiddenField. I am doing this during the Render event. I get no error, but ASP.NET 2.0 does not appear to be validating the field. I can change the value or delete the entire field client-side using Firefox and Firebug, and ASP.NET will not throw an error like it should.

Sample code from a custom Page class:

protected override void Render(HtmlTextWriter writer)
{
    ClientScript.RegisterHiddenField("stuff", "things");
    ClientScript.RegisterForEventValidation("stuff", "things");
    base.Render(writer);
}

The hidden field is added to the page, but ASP.NET does not validate the field or value on postback. What am I missing?

+2  A: 

I understand what you are trying to do, but using the Event Validation API is not really appropriate, as it is intended for validating that postback or callback events raised by the client are correct for the target server control, e.g., making sure that a click is handled by the correct button, or checking that a change event on a drop-down list is not for a value that wasn't originally 'known' to the server.

In your code, you are generating a hidden field directly to the client, so there is no control for the server to reference on a postback. Even if you used a hidden field control on the server page, you still wouldn't be able to validate the field value because the control doesn't generate postback events (there is no way for the user to interact with it, and therefore no events for the server to validate).

The simplest solution is to use ViewState to store the value of the field, then on postback verify that the posted value of the field equals the value stored in ViewState. ViewState is encrypted by default so it's a secure place to store data that shouldn't change on the client.

Sam
Thanks for clearing this up. I can't use viewstate this time because I am storing page states in a database instead of sending them to the client, and this hidden value is the GUID for the page state. I was just making sure I was doing everything possible to secure this functionality.
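
The ViewState comparison described in the answer, sketched as an added example (not code from the question or the answer). The class name TamperCheckedPage and the 400 response are assumptions; the field name and value are the ones from the question.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical page base class illustrating the answer's suggestion.
public class TamperCheckedPage : Page
{
    // Field name taken from the question's sample code.
    private const string FieldName = "stuff";

    protected override void OnLoad(EventArgs e)
    {
        if (IsPostBack)
        {
            // ViewState has already been loaded by the Load stage. Its
            // integrity depends on the ViewState MAC (EnableViewStateMac,
            // on by default), so the stored copy is the trusted one.
            string expected = ViewState[FieldName] as string;
            string posted = Request.Form[FieldName];

            // Reject a missing, deleted or altered field. Ordinal comparison
            // avoids culture-dependent matches.
            if (expected == null ||
                !string.Equals(expected, posted, StringComparison.Ordinal))
            {
                // Assumption: failing the request with a 400 is acceptable here.
                throw new HttpException(400, "Hidden field was modified or removed.");
            }
        }
        base.OnLoad(e);
    }

    protected override void OnPreRender(EventArgs e)
    {
        string value = "things"; // value from the question's sample code

        // ViewState is serialized before Render runs, so the server-side
        // copy must be stored here; writing it in Render would be too late.
        ViewState[FieldName] = value;
        ClientScript.RegisterHiddenField(FieldName, value);
        base.OnPreRender(e);
    }
}
```

This only works when the page's ViewState is round-tripped or otherwise persisted per request; with page state kept in a database, as in the comment above, the trusted copy would have to come from that store instead.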