ASP.NET 中输入验证的最佳实践?

发布于 2024-09-08 06:30:11 字数 108 浏览 7 评论 0原文

输入验证的常见做法是什么?换句话说,您是否在客户端、服务器端或两侧检查输入验证?

另外,如果性能对我来说至关重要,那么仅客户端输入验证就足以满足我的网站的需求,而不会带来任何安全风险吗?

What is the common practice of input validation? In other words do you check for input validation on client-side, on server-side or on both sides?

Also, if performance is crucial to me, would just the client-side input validation be sufficient for my website without presenting any security risks?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

凉墨 2024-09-15 06:30:11

始终至少执行服务器端验证。如果您想改善用户体验,客户端验证可能会很好。它还可以让您避免向服务器发出不必要的请求。

仅客户端验证是不够的,可以通过禁用 JavaScript 等轻松绕过。

我建议您始终从添加服务器端验证开始,一旦测试完毕,您就可以启用客户端验证。

Always perform at least server side validation. If you want to improve users experience, client side validation could be nice. It also allows you to avoid unnecessary requests to the server.

Only client side validation is not sufficient and can be easily bypassed by disabling javascript for example.

I would recommend you to always start by adding server side validation and once you've tested it, you could enable client side validation.

薯片软お妹 2024-09-15 06:30:11

不要依赖客户端验证!!!
它只适合诚实的用户。不诚实的用户可以立即绕过它。

如果我关闭 Javascript,我就可以把你的应用程序搞砸。 并不难

始终将服务器端验证放入... Web 表单

''# VB
If Page.isValid Then
    ''# submit your data
End If

// C#
if(Page.isValid) {
    // submit your data
}

MVC

''# VB
If ModelState.IsValid Then
    ''# submit your data
End If

// C#
if(ModelState.IsValid) {
    // submit your data
}

一旦服务器端验证正常运行,就可以继续添加客户端验证。它将为用户带来更好的体验

DO NOT RELY ON CLIENT SIDE VALIDATION!!!
It's just there for the honest user. The dishonest user can get around it in no time.

If I shut off Javascript, I can hammer your app to shit. Always put server side validation in... it's not that hard

Web Forms

''# VB
If Page.isValid Then
    ''# submit your data
End If

// C#
if(Page.isValid) {
    // submit your data
}

MVC

''# VB
If ModelState.IsValid Then
    ''# submit your data
End If

// C#
if(ModelState.IsValid) {
    // submit your data
}

Once your server side validation is functioning, then go ahead and add the client side validation. It will make the experience better for the user

岁月静好 2024-09-15 06:30:11

我建议的一件事是使用 FluentValidation, xValJQuery 一起执行客户端和服务器端验证基于相同的规则

FluentValidation 是一个基于规则的框架,用于在服务器端验证 .net 对象。它附带了 xVal 的规则提供程序,这是另一个允许您链接您选择的服务器的框架端和客户端验证框架。它支持在客户端生成 JQuery 验证器

One thing that I would recommend is using FluentValidation, xVal and JQuery together to perform Client and Server side validation based on the same rules.

FluentValidation is a rules-based framework that validates .net objects on the server side. It comes with a rules provider for xVal, which is another framework that allows you to link up your choice of server side and client side validation frameworks. It supports generating JQuery validators on the client side

我爱人 2024-09-15 06:30:11

一般是两侧。客户端很容易被有意或无意地绕过(随着 noscript 的流行),但出于可用性原因值得拥有。

至于是否存在安全风险。您使用用户输入的目的是什么以及验证的当前性质是什么?

如果只是检查某人是否填写了表单中的必填字段,则可能不太可能存在安全风险。

Generally on both sides. The client side one can easily be bypassed either intentionally or innocently (with the prevalence of noscript) but is worth having for usability reasons.

As to whether it presents a security risk. What are you using the user input for and what is the current nature of your validation?

If it is just checking that someone has filled out mandatory fields in a form it is perhaps unlikely that there would be a security risk.

久隐师 2024-09-15 06:30:11

至少需要使用服务器端验证,因为客户端验证很容易被绕过。

如果您想获得更好的用户体验,也可以使用客户端验证。
这也提高了性能,因为它减少了对服务器的 HTTP 请求数量,因为无效的表单不会发送到服务器。

It is required to use at lest server-side validation, because clie-side validation can be quite easily bypassed.

If you want to have a btter user exprience, use client-side validation too.
This also increases performance, since it reduces the number of HTTP requests to the server, because invalid forms won't be sent up to the server.

救星 2024-09-15 06:30:11

最常见的是同时使用客户端和服务器端验证。

仅客户端输入验证就足以满足我的网站的要求,且不会带来任何安全风险吗?

不,您也应该使用服务器端验证。使用(例如)firebug 删除客户端验证非常简单。显然,在删除客户端验证后,作恶者可以将任何数据发送到服务器。因此,服务器端验证也是非常需要的。

Most common is using both client and server side validation.

would only the client-side input validation be sufficient for my website without presenting any security risks?

No, you should use server side validation too. It's pretty simple to remove client validation with (for example) firebug. Obviously after removing client side validation evildoer can send any data to server. So server side validation is strongly needed too.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文