I have a form that uses v validates (vue.js validation). I'm trying to implement some server side validation also, but am having trouble testing it as the client side validation kicks in before the server side does, so I'm not able to see if it's working as it should.
Instead of turning off the v validation for each individual input, is there a way I can turn it off for the whole website?
I don't think you can turn it off from your solution as per their documentation. However, You can remove data-vv-scope attribute from the form.
Related
I have read that people can remove javascript from browsers or something and the validations of client side stop working, which is important for us to have server side validation..
In .NET Core, we have data annotations, does this work for both server and client side or do we need to make a validation in server side?
Also, using [Remote] validation, is the same thing? I am using both of this, and I am not sure if i need to also make the validations on the create() action for example..
One more thing, does ModelState.IsValid() work with remote validation? Thanks for any help
Example:
public IActionResult VerifyCargo(string Descricao, int ID_Cargo)
{
var validateName = ValidateName(Descricao);
if (validateName != null)
{
return Json($"Description {Descricao} is already in use.");
}
else
{
return Json(true);
}
}
public RH_Cargos ValidateName(string Descricao)
{
return _context.RH_Cargos.FirstOrDefault(x => x.Descricao == Descricao);
}
I have those functions and in model I have a [remote] annotation that calls that first one...
It works fine, but do I need to make any validation on the Create action? Or will this remote attribute do for both server/client side? Is it safe?
In .NET Core, we have data annotations, does this work for both server and client side or do we need to make a validation in server side?
Those data annotations, i.e., [Required], would work on the server. As others might have already mentioned, the client-side validation is a bonus/nicety added only when you include jQuery Unobtrusive Validation and jQuery validation plugin (of course their dependency jQuery is also needed).
So don't need to worry if someone turns off JavaScript on the browser. You will still get the server-side validation by the MVC framework when the data posts back to the server.
That would also mean client-side validation cannot trusted. You can see it would be easy for others to by-pass the client-side validation and submit data to the server (i.e., using 3rd party tool like Postman).
Also, using [Remote] validation, is the same thing?
The [Remote] attribute will call a method defined on the server to determine whether the field is valid or not. For that to work, you need to define an action method that returns a JSON response. Anything other than true would mean invalid input.
I am not sure if i need to also make the validations on the create() action for example.
You would need to inspect ModelState.IsValid and make decisions what to do when there are errors. If you meant something other than checking the modal state, then I have no idea what you meant by making the validations.
Does ModelState.IsValid() work with remote validation?
I am not sure what you meant by that. The remote validation requires an action method defined, which either returns true to indicate the input is valid, false, undefind or null to indicate the input is not valid, or returns a string for the error message.
ModelState does get updated after the remote validation returns.
My rule of thumb
I just never trust client inputs. Even you have all the validations setup, you still need to have your domain validations in place, to make sure everything is in valid state when the information persists.
One example I can think of could be: you have a form to take user's email and create an account. The field Email uses remote validation to check if the email has been taken or not. If it just happens that right after the remote validation comes back as OK, another person just quickly registers an account with the same email before the person submits the form. Now you can't just blindly create another account with the same email address because that email has been taken.
I have a problem here. Assume there's a basic calculator implemented in javascript hosted on a website ( I have googled it and to find an example and found this one: http://www.unitsconverter.net/calculator/ ). What I want to do is make a program that opens this website, enters some value and gets the return value. So, in our website calculator, the program:
- open the website
- enters an operand
- enters an operation
- enters an operand
- retrieve the result
Note: things should be done without the need to show anything to the user ( the browser for example ).
I did some search and found about HttpWebRequest and HttpWebRespond. But I think those can be used to post data to the server, which means, The file I'm sending data to must be php, aspx or jsp. But Javascript is client side. So, I think they are kind of useless to me in this case.
Any help?
Update:
I have managed to develop the web bot using WebBrowser Control tool ( found in System.Windows.Forms )
Here's a sample of the code:
webBrowser1.Navigate("LinkOfTheSiteYouWant"); // this will load the page specified in the string. You can add webBrowser1.ScriptErrorsSuppressed = true; to disable the script in a page
webBrowser1.Document.GetElementById("ElementId").SetAttribute("HTMLattrbute", "valueToBeSet");
Those are the main methods I have used to do what I wanted to.
I have found this video useful: http://www.youtube.com/watch?v=5P2KvFN_aLY
I guess you could use something like WatiN to pipe the user's input/output from your app to the website and return the results, but as another commenter pointed out, the value of this sort of thing when you could just write your own calculator fairly escapes me.
You'll need a JavaScript interpreter (engine) to parse all the JavaScript code on the page.
https://www.google.com/search?q=c%23+javascript+engine
What you're looking for is something more akin to a web service. The page you provided doesn't seem like it accepts any data in an HTTP POST and doesn't have any meaningful information in the source that you could scrape. If for example you wanted to programmatically make searches for eBay auctions, you could figure out how to correctly post data to it eg:
http://www.ebay.com/sch/i.html?_nkw=http+for+dummies&_sacat=267&_odkw=http+for+dummies&_osacat=0
and then look through the http response for the information you're looking for. You'd probably need to create a regular expression to match the markup you're looking for like if you wanted to know how many results, you'd search the http response for this bit of markup:
<div class="alt w"><div class="cnt">Your search returned <b>0 items.</b></div></div>
As far as clientside/javascript stuff, you just plain aren't going to be able to do anything like what you're going for.
It is a matter of API: "Does the remote website expose any API for the required functionality?".
Well web resources that expose interactive API are called web service. There are tons of examples (Google Maps for istance).
You can access the API -depending on the Terms & Conditions of the service- through a client. The nature of the client depends on the kind of web service you are accessing.
A SOAP based service is based on SOAP protocol.
A REST based service is based on REST principles.
So, if there is an accessible web service called "Calculator", then you can access the service and, for istance, invoke the sum method.
In your example, the calculator is a Javascript implementation, so it is not a web service and it cannot be accessed via HTTP requests. Though, its implementation is still accessible: it is the javascript file where the calculator is implemented. You can always include the file in your website and access its functions via javascript (always mind terms and conditions!!).
A very common example is the jQuery library stored in Google Libraries.
I have modified unobtrusive validation script to replace error messages with qtips.
To do so I have modified onError method in jquery.validate.unobtrusive.js.
This works great until I submit form and model fails to validate on server side (my view models implements IValidatableObject). When this occurs, the default spans with errors are displayed but onError is no longer invoked.
Furthermore, when a field that has an error is corrected, the error message no longer disappears immediately as it did before submit...
Does anyone know how to "re-enagage" unobtrusive validation after submit?
Check this article:
ASP.NET MVC: Displaying Client and Server Side Validation Using qTip Tooltips
I've used what's described there and I got client & server (IValidatableObject) side errors displaying correctly.
IValidatableObject is server side only. If you want to support both server and client, then you need to implement a validation attribute that derives from IClientValidatable.
Which validations are preferred : client side(using Javascript) or serverside (using validation controls in C# asp.net)?
You should always validate on the server. Client-side validation is fine to enhance the user experience, but anything that has come from the client is potentially dirty and should be validated on the sever again, as your server-side code is not vulnerable to malicious user manipulations (at least, not in the same way that client-side code is).
Always finally validate on the server!!
both are good, at minimum server side validation is a must. As client might have javascript disabled on the browser
Reason you shouldn't rely on client side validation
The end user could have javascript switched off
The data could be sent directly to your server by someone who's not
even using your site, with a custom app designed to do so
A Javascript error on your page (caused by any number of things)
could result in some, but not all, of your validation running
Both.
JavaScript is important because it prevents invalid postbacks to
server.
Server-side is important if client disabled JavaScript from browser
than JavaScript validation bypass.
I also recommend you to make validation at database level also. for reliability.
You should perform validations at server side as well as client side.Client side validations increase interactivity of your applications.In other words make your application more user friendly.However client side validations may have their shortcomings , if your user disables javascript , then he could very well enter non sense data values and send them to your server.You dont want this to happen.For that purpose you need to perform server side validations.Server side validation controls filter the input and make sure proper data is entered.There are good validation controls Asp.Net offers.You could very well utilize them.
I recommend you to use both client as well as server side validation for a blend of interactivity and protection.
Thanks
The basic validation such as the emptiness of the fields, valid emails, number, strings or dates should be done at the client side, but you should always validate at the server for any potential hacking like cross site scripting or tags (php tags for example) and to make more and more secure always use stored procedures and also make sure to have a function that replaces "'" by this """ or <> by empty string and any other dangerous characters.
We currently host a lengthy form on our ASP.NET website, which makes use of a public facing facade WCF service to submit information over SSL into our network through a number of other facade services, etc.
We've experienced some issues with downtime on the service chain, and because of this some users have been very frustrated that they complete the lengthy form, only to find out after the fact that the service isn't up. Because of this, we are implementing a type of ping functionality on the form that will ping the service before the form is started, to ensure the service is up.
If the Ping() method is simply called during OnLoad of the form web page, there is potential for DOS attacks through for example a script that continually makes HTTP GET requests against the page.
My question is - From a conceptual level, what is the best way to ensure human interaction with the page while keeping it useable. For example, a CAPTCHA before the Ping() is called and form is started is way too intrusive even though it would be effective at ensuring the form is used properly. On the other hand simply allowing Ping() to fire OnLoad is far too risky for attacks.
One option I've considered is to have a button available to users which allows them to verify service availability and enable the form in one shot. This would at least be a balance between the two. I'm asking for your input on ideas for how best to balance this approach. Any asp.net, c#, or javascript/ajax based answers are fine.
Lastly - I also know there are flaws to this approach of checking service availability as there is no guarantee the service will be available by the time the form is filled out - but the decision has been made to use this approach so please keep your answers on point.
Thanks for the help and input in advance!
UPDATE 1:
In response to Josh's answer below - I should clarify that the form data submitted is sensitive and cannot be cached on the server or stored locally for later submission if the service fails. This is why it is very important to give the user a preemptive heads up. The issues we've had with the services are not intermittent so if the Ping() comes back true, there is an extremely good chance the user will not experience issues submitting the form a few minutes later.
UPDATE 2:
The Ping() Method is currently a server-side c# method, not javascript.
The public facing WCF service is IP-restricted to only allow requests from the public web server
Why don't you just call Ping() when the submit button is pressed and if the service doesn't respond then don't submit the form and show an error.
Something like this in jQuery. This assumses that Ping() returns true if the service is up, false otherwise:
$('#myformid').submit(function() {
var svcUp = Ping();
if(!svcUp)
alert("Sorry, there was an error submitting, please try again.");
return svcUp;
});
Unfortunately any public facing web service that has a low calling cost but high processing cost will be vulnerable to DOS attacks without some type of throttling.
Thankfully WCF has some useful settings for controlling throttling, take a look at MaxConcurrentCalls, MaxConcurrentInstances, and MaxConcurrentSessions
There is really no good solution on the client-side to prevent a DOS attack - I can create a script using your Ping js method that will call it a million times in a loop. You can prevent it on the server side though, by tracking calls per second form the same ip/session/user/otherclient-side identifier. If number of calls per second is over some reasonable limit, you temporarily ban that client.
You can look at http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx - scroll down to "Prevent Denial of Service (DOS) Attack" for an example
Call your function on page load and prior to the submit button. If you have any logging you are using you could insert into a log table for this particular aspx page view and include the IP address of the visitor. Set a threshold and if the IP makes more requests than what you required as proper usage, then put up some type of human-validation item.