tags:

views:

238

answers:

2
+3  Q: 

How reliable is the MaxLength property of the TextBox-Control?

The TextBox control offers a MaxLength property, which allows the insertable text into that TextBox be clientside limited to the specified amount of chars.

My questions:

  • Is this property only client-side and therefore browser-pedendent?
  • Can I rely on the fact, that the Text property contains no text longer than MaxLength is set (only for the DisplayModes named in the MSDN article) or do I manually have to perform a TextBox.Text.SubString(0, DesiredMaxLength) ?
  • How does all this behave with disabled java-script?
+6  A: 

It does not depend on javascript but that does not make it safe.

Anyone can still post a request using javascript (XmlHttpRequest for example) or just craft a request to send more data than the max-length specification. It's a good way to stop a normal user from over populating a field but it is something you need to double check on the server anyway.

Locksfree  2010-03-10 10:59:17
Meaning the TextBox-Control does not server-side security to limit the MaxLength Property? If I understand you correctly, you are telling me, that with "normal" usage from within my webapp I can rely that a normal user can't bypass the specified maxlength?
citronas  2010-03-10 11:04:58
The text box will not check on the server side AFAIK. And I am saying that for a normal user not trying to do anything wrong it would work but that it not safe to rely on it.
Locksfree  2010-03-10 11:43:20
I was pretty disturbed how easily one could get around the MaxLength limitation if they really wanted to. The way I went around fixing this(instead of attaching a million validators) was to extend the TextBox class and override the Text Property. In the getter, if the MaxLength value is greater than 0, I trim the value to the MaxLength value.
rossisdead  2010-07-23 18:38:27
+2  A: 

Can I rely on the fact, that the Text property contains no text longer than MaxLength ?

No. Consider it a user-friendliness feature. You will have(as always) re-check on the server. And maybe also check in JavaScript, depending on what its for.

Henk Holterman  2010-03-10 11:03:12

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?