Should I always call Page.IsValid in ASP.NET WebForms C#?

Question

I know to never trust user input, since undesirable input could be compromise the application's integrity in some way, be it accidental or intentional; however, is there a case for calling Page.IsValid even when no validation controls are on the page (again, I know its bad practice to be trusting user input by omitting validation)? Does Page.IsValid perform any other kinds of validation? I looked at MSDN, and the docs seem to suggest that Page.IsValid is only effective if there are validation controls on the page, or the Page.Validate method has been called. A friend of mine suggested that I always check Page.IsValid in the button click handlers every time even if there are no validation controls or explicit Page.Validate calls.

Thanks for any advice!

Answer 1

You may still want to call it, because in the future their maybe validation controls. I know this kinda falls into adding functionality based on future requirements, but it is also protecting yourself against needing to know if the page is valid and not going through all the event handlers etc. to make sure that it is there if a validator does get added. We have a rule that we always add it, so we don't have that problem of not-validating in the future.

Answer 2

I would be the first to tell you that "All input is evil until proven otherwise." However, in this case, I think your friend is mistaken because by his/her logic we could probably come up with a hundred other properties that should be checked or set, even though the defaults are okay.

Checking Page.IsValid only makes sense if you have a "CausesValidation" scenario - a button that submitted the form has its CausesValidation property set to True. This would automatically call Page.Validate and all Validation controls belonging to the same ValidationGroup would be checked for validity.

Edit:

Just checked it using Reflector and the function will always return True if the Page does not have any Validators(ValidatorCollection is null).

Answer 3

You can check the validity of a Page by checking the Page.IsValid property, your purpose to check the Page.IsValid might vary like

• If you have Validators which has the EnableClientScript property set to false
• If you have a server side validated Validator.
• Before performing a critical operation in a PostBack event handler body like Save, Delete, Authenticate...
• Do/display different things depending on the validity of page...
• Any thing you can think of...

So when/where can you call Page.IsValid

1. If the page is in post back
2. If the post back is caused by an input control with the CausesValidation property set to true.
3. After a call is made to the Page.Validate, i.e after the Page.Load event.

You can check Page.IsValid in the page life cycle if the place/time invoked satisfies the above criteria; otherwise the Page.IsValid will result in the System.Web.HttpException being thrown.

You should use Page.IsValid where it makes sense; like in the postback event handlers of input controls(with CausesValidation=true) and require the state of the page to be valid to perform their task correctly. (if you have server side validated validators or validators with client side validation switched off it becomes a MUST).

   protected void btnSave_Click(object sender, EventArgs e)
    {
       //Note that there might be ServerSideValidation which evaluated to false.
       if (!Page.IsValid)  
         return;

       CurrentEntity.Save();
    }

Finally note that Page.IsValid only checks for validation errors in the validator controls on your page, it all depends on what your validator controls do.