Validating User Input

Article
11/03/2006

When constructing an application that accesses data, you should assume all user input to be malicious until proven otherwise. Failure to do so can leave your application vulnerable to attack. The .NET Framework contains classes to help you enforce a domain of values for input controls, such as limiting the number of characters that can be entered, and provides event hooks for writing code to check the validity of values. Data can be validated and strongly typed, as discussed in Mapping .NET Framework Data Provider Data Types to .NET Framework Data Types. In addition, the .NET Framework contains classes to help you evaluate string data from input controls.

Using Regular Expressions

The Regex class can be used to check the validity of user input in your applications by validating user input against a particular pattern. In addition, code can use regular expressions to transform invalid text into valid text. The CleanInput method defined here takes an input string and strips all non-alphanumeric characters except the following:

@
-
.

Function CleanInput(strIn As String) As String
    ' Replace invalid characters with empty strings.
    Return Regex.Replace(strIn, "[^\w\.@-]", "")
End Function

String CleanInput(string strIn)
{
    // Replace invalid characters with empty strings.
    return Regex.Replace(strIn, @"[^\w\.@-]", ""); 
}

.NET Framework Regular Expressions has links to additional samples that illustrate the use of the Regex class to validate user input.

ASP.NET Validation Controls

An important aspect of creating secure ASP.NET applications is being able to validate the information users enter on a form. ASP.NET has validation controls that provide an easy-to-use and powerful way to check for errors and, if necessary, display messages to the user. You can find links to validation control topics in Validating User Input in ASP.NET Web Pages and Validation Controls.