Return to
HomePage
ASPNET2SecurityFAQs


Question: How do I validate input in HTML controls, QueryString, cookies, and HTTP headers?

Answer:

Use regular expressions, through the System.Text.RegularExpressions.Regex class, to validate input that arrives in HTML controls, the QueryString, cookies and HTTP headers.
Regular expressions are a good way to validate text fields such as names, addresses, phone numbers and other user information, because they let you state exactly which characters and lengths a field may contain. If input is not validated appropriately, your application is vulnerable to injection attacks such as SQL injection and cross-site scripting.
If your web application obtains input through HTML controls, the QueryString, cookies or HTTP headers, you cannot use the ASP.NET validator controls. Instead, validate the page's input in the Page_Load event handler using the System.Text.RegularExpressions.Regex class, as follows:
		 using System.Text.RegularExpressions;
		 // ...
		 private void Page_Load(object sender, System.EventArgs e)
		 {
		     // Note that IsPostBack applies only for
		     // server forms (with runat="server")
		     if ( Request.RequestType == "POST" ) // non-server forms
		     {
		         // Request.Form["email"] is null when the field is absent, and
		         // Regex.Match throws on null, so substitute the empty string
		         // (which then fails validation).
		         string email = Request.Form["email"] ?? string.Empty;

		         // Validate the supplied email address. The pattern is anchored
		         // with ^ and $ so the whole value must match, not just a substring.
		         if( !Regex.Match(email,
		                          @"^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$",
		                          RegexOptions.None).Success )
		         {
		             // Invalid email address: reject the request
		         }
		     }
		 }
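The FAQ's snippet checks one form field. The following C# example, added here and not taken from the FAQ or from Microsoft's how-to articles, extends the same idea to all four input sources the question names: Request.QueryString, Request.Form and Request.Headers (all NameValueCollections, so one helper covers them) and Request.Cookies (an HttpCookieCollection, which needs its own overload). The class name InputValidator, the page name ProductPage, the field, cookie and header names (productId, email, sess, X-Client-Version) and the patterns themselves are assumptions chosen for illustration; substitute the inputs your page actually reads.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Added example, not code from the FAQ or from Microsoft. Names and patterns
// below are illustrative assumptions.
public static class InputValidator
{
    // Allow-list patterns, anchored with ^ and $. Without the anchors Regex.Match
    // succeeds on any matching substring, so a value such as
    // "<script>alert(1)</script>bob@example.com" would pass the e-mail check.
    public static readonly Regex Email =
        new Regex(@"^\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$", RegexOptions.None);
    public static readonly Regex ProductId = new Regex(@"^\d{1,9}$");
    public static readonly Regex SessionToken = new Regex(@"^[A-Za-z0-9]{24,64}$");
    // Headers are attacker-controlled like any other input, so they get the
    // same treatment: a bounded shape, here a dotted version number.
    public static readonly Regex ClientVersion = new Regex(@"^[0-9]{1,4}(\.[0-9]{1,4}){0,3}$");

    // True only when the key is present and the whole value matches the pattern.
    // Request.QueryString, Request.Form and Request.Headers are NameValueCollections.
    public static bool IsValid(NameValueCollection source, string key, Regex pattern)
    {
        string value = source[key];
        return value != null && pattern.Match(value).Success;
    }

    // Request.Cookies is an HttpCookieCollection, so cookies need their own overload.
    public static bool IsValidCookie(HttpCookieCollection cookies, string key, Regex pattern)
    {
        HttpCookie cookie = cookies[key];
        return cookie != null && cookie.Value != null && pattern.Match(cookie.Value).Success;
    }

    // Checks every untrusted input the page uses and reports the first failure.
    public static bool ValidateRequest(HttpRequest request, out string error)
    {
        if (!IsValid(request.QueryString, "productId", ProductId))
            error = "productId query string parameter is missing or malformed";
        else if (request.RequestType == "POST" && !IsValid(request.Form, "email", Email))
            error = "email form field is missing or malformed";
        else if (!IsValidCookie(request.Cookies, "sess", SessionToken))
            error = "sess cookie is missing or malformed";
        else if (request.Headers["X-Client-Version"] != null
                 && !IsValid(request.Headers, "X-Client-Version", ClientVersion))
            error = "X-Client-Version header is malformed";
        else
        {
            error = null;
            return true;
        }
        return false;
    }
}

// A page that does no work until every input has passed the allow-list checks.
public partial class ProductPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string error;
        if (!InputValidator.ValidateRequest(Request, out error))
        {
            // Fail closed with a generic 400. The message is HTML-encoded so the
            // error page itself cannot become a cross-site scripting sink.
            Response.StatusCode = 400;
            Response.Write(HttpUtility.HtmlEncode("Invalid request: " + error));
            Response.End(); // stops further processing of this request
        }

        // Inputs are now known to be well-formed. They are still untrusted data:
        // keep using parameterized SQL and HtmlEncode when echoing them back.
        int productId = int.Parse(Request.QueryString["productId"]);
        // ... use productId ...
    }
}
```

Validation of shape is a first filter, not a substitute for output encoding or parameterized queries; a value that matches `^\d{1,9}$` is safe to parse as an integer, but a name that matches a letters-and-spaces pattern still has to be encoded before it is written into HTML.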
	

More Information

For more information on validating server-side controls and HTML controls in ASP.NET, see "How To: Protect from Injection Attacks in ASP.NET" at http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000003.asp and "How To: Use Regular Expressions to Constrain Input in ASP.NET" at http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000001.asp

