Validating User Input
8/8/2019 IP Final Review
http://slidepdf.com/reader/full/ip-final-review 2/48
Overview
Overview of User Input Validation
Using Validation Controls
Page Validation
Lesson: Overview of User Input Validation
What Is Input Validation?
Client-Side and Server-Side Validation
ASP.NET Validation Controls
What Is Input Validation?
Verifies that a control value is correctly entered by the user
Blocks the processing of a page until all controls are valid
Avoids spoofing or the addition of malicious code
Client-Side and Server-Side Validation
ASP.NET can create both client-side and server-side validation
Client-side validation
- Dependent on browser version
- Instant feedback
- Reduces postback cycles
Server-side validation
- Repeats all client-side validation
- Can validate against stored data
[Figure: the user enters data; a "Valid?" check runs on the client and again on the server. "No" returns an error message; "Yes" on both lets the Web application process the data.]
ASP.NET Validation Controls
ASP.NET provides validation controls to:
Compare values
Compare to a custom formula
Compare to a range
Compare to a regular expression pattern
Require user input
Summarize the validation controls on a page
Lesson: Using Validation Controls
Adding Validation Controls to a Web Form
Positioning Validation Controls on a Web Form
Combining Validation Controls
Input Validation Controls
Adding Validation Controls to a Web Form
1. Add a validation control
2. Select the input control to validate
3. Set validation properties
<asp:Type_of_Validator id="Validator_id" runat="server"
    ControlToValidate="txtName"
    ErrorMessage="Message_for_error_summary"
    Display="static|dynamic|none"
    Text="Text_to_display_by_input_control">
</asp:Type_of_Validator>
<asp:TextBox id="txtName" runat="server" />
Positioning Validation Controls on a Web Form
Create error messages
Select display mode
- Static
- Dynamic
Combining Validation Controls
Can have multiple validation controls on a single input control
Only the RequiredFieldValidator checks empty controls
Input Validation Controls
RequiredFieldValidator
- InitialValue
CompareValidator
- ValueToCompare or ControlToCompare
- Type
- Operator
RangeValidator
- MinimumValue
- MaximumValue
- Type
Lesson: Page Validation
Using the Page.IsValid Property
Using the ValidationSummary Control
Demonstration: Using the Page.IsValid Property and the ValidationSummary Control
Using the Page.IsValid Property
Polls all validation controls
private void cmdSubmit_Click(object s, System.EventArgs e)
{
    if (Page.IsValid)
    {
        Message.Text = "Page is Valid!";
        // Perform database updates or other logic here
    }
}
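Because client-side validation depends on the browser, the server has to run the validators itself before acting on the input. The code-behind below is an added example, not part of the original slides; the class name RegisterPage, the controls txtAge, valAge and Message, and the 18-120 range are assumptions made for illustration.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for a page that declares:
//   <asp:TextBox id="txtAge" runat="server" />
//   <asp:CustomValidator id="valAge" runat="server" ControlToValidate="txtAge"
//        OnServerValidate="valAge_ServerValidate" ErrorMessage="Age must be 18-120" />
public class RegisterPage : Page
{
    protected TextBox txtAge;          // assumed control names
    protected CustomValidator valAge;
    protected Label Message;

    // Runs on the server on every postback, whether or not the browser
    // executed any client-side validation script.
    // An empty txtAge skips this validator (only the RequiredFieldValidator
    // checks empty controls), so pair the two on the same input.
    protected void valAge_ServerValidate(object source, ServerValidateEventArgs args)
    {
        int age;
        args.IsValid = int.TryParse(args.Value, out age) && age >= 18 && age <= 120;
    }

    protected void cmdSubmit_Click(object s, EventArgs e)
    {
        // Validators normally run before the click event, but not when the
        // button has CausesValidation="false"; Validate() forces them to run
        // so that Page.IsValid reflects the server-side result.
        Page.Validate();
        if (!Page.IsValid)
        {
            Message.Text = "Input rejected by server-side validation.";
            return;                    // never reach the database with invalid input
        }
        Message.Text = "Page is Valid!";
        // Perform database updates or other logic here
    }
}
```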
Using the ValidationSummary Control
Collects error messages from all validation controls on the page
Can display text and error messages
Use Text="*" to indicate the location of the error
<asp:ValidationSummary id="valSummary" runat="server"
    HeaderText="These errors were found:"
    ShowSummary="True" DisplayMode="List" />
Overview
State Management
Application and Session Variables
Lesson: State Management
What is State Management?
Types of State Management
Server-Side State Management
Client-Side State Management
The Global.asax File
What is State Management?
[Figure: Login.aspx asks "Please enter your logon information:" with First Name "John" and Last Name "Chen", and submits to the Web server. Without state management, Greetings.aspx shows "Hello" and "I forget who you are!!". With state management, Greetings.aspx shows "Hello John Chen".]
Types of State Management
Server-Side State Management
Application state
- Information is available to all users of a Web application
Session state
- Information is available only to a user of a specific session
Client-Side State Management
Cookies
- Text file stores information to maintain state
The ViewState property
- Retains values between multiple requests for the same page
Server-Side State Management
Application state is a global storage mechanism accessible from all pages in the Web application
Session state is limited to the current browser session
- Values are preserved through the use of application and session variables
- Scalability
ASP.NET session is identified by the SessionID string
[Figure: the Web server holds the Application and Session variables; the client computer holds the SessionID.]
Client-Side State Management
Uses cookies to maintain state
- Persistent cookies
- Temporary/Non-persistent cookies
Less reliable than server-side state management options
- User can delete cookies
Less secure than server-side state management options
Limited amount of information
- Client-side restrictions on file sizes
[Figure: Web server and client computer; the cookies are stored on the client computer.]
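Because a cookie lives on the client, the user can delete or alter it, so a value read back from it needs the same server-side checking as any other input. The helper below is an added example, not from the original slides; the class name ColorPreference, the cookie name BackColor and the list of allowed colours are assumptions.

```csharp
using System;
using System.Web;

// Hypothetical helper: keeps a display preference in a cookie.
public static class ColorPreference
{
    private const string CookieName = "BackColor";                          // assumed name
    private static readonly string[] Allowed = { "white", "blue", "gray" }; // assumed list
    private const string Default = "white";

    public static void Save(HttpResponse response, string color)
    {
        HttpCookie cookie = new HttpCookie(CookieName, Normalize(color));
        cookie.HttpOnly = true;                      // not readable from page script
        cookie.Secure = true;                        // sent over HTTPS only
        cookie.Expires = DateTime.Now.AddDays(30);   // persistent; omit for a temporary cookie
        response.Cookies.Add(cookie);
    }

    public static string Load(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[CookieName];
        // The cookie may be missing (deleted by the user) or altered.
        return cookie == null ? Default : Normalize(cookie.Value);
    }

    // Accept only known values; anything else falls back to the default.
    private static string Normalize(string value)
    {
        if (value != null)
        {
            foreach (string candidate in Allowed)
            {
                if (string.Equals(candidate, value, StringComparison.OrdinalIgnoreCase))
                    return candidate;
            }
        }
        return Default;
    }
}
```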
The Global.asax File
Only one Global.asax file per Web application
Stored in the virtual root of the Web application
Used to handle application and session events
The Global.asax file is optional
The Global.asax File (continued)
[Figure: a client request passes through IIS to the ASP.NET HTTP runtime on the ASP.NET Web server, and the response returns the same way.
Request events: Application_BeginRequest, Application_AuthenticateRequest, Application_AuthorizeRequest, Application_ResolveRequestCache, Application_AcquireRequestState, Application_PreRequestHandlerExecute
Page execution
Response events: Application_PostRequestHandlerExecute, Application_ReleaseRequestState, Application_UpdateRequestCache, Application_EndRequest]
Lesson: Application and Session Variables
Initializing Application and Session Variables
Using Application and Session Variables
Demonstration: Using Session Variables
Application and Session Variable Duration
Scalable Storage of Application and Session Variables
Saving Application and Session Variables in a Database
Initializing Application and Session Variables
Variables are initialized in Global.asax
- The Application object shares information among all users of a Web application
- The Session object stores information for a particular user session
protected void Application_Start(Object sender, EventArgs e)
{
    Application["NumberOfVisitors"] = 0;
}
Using Application and Session Variables
Set session and application variables
Session["BackColor"] = "blue";
Application.Lock();
Application["NumberOfVisitors"] = (int)Application["NumberOfVisitors"] + 1;
Application.UnLock();
Read session and application variables
strBgColor = (string)Session["BackColor"];
lblNbVisitor.Text = Application["NumberOfVisitors"].ToString();
Application and Session Variable Duration
Session variables have a set duration after last access
- Default is 20 minutes
Session duration can be changed in Web.config:
<configuration>
  <system.web>
    <sessionState timeout="10" />
  </system.web>
</configuration>
Application variables persist until the Application_End event is fired
Scalable Storage of Application and Session Variables
By default, the session state is managed in process
Disadvantage of in process storage:
- Not scalable
ASP.NET provides out of process storage of session state
- State can be stored in a SQL Server database or a state server
Advantages of out of process storage:
- Scalable
[Figure: a client connects to a Web farm; the Session and Application variables are stored in SQL or on a state server.]
Securing a Microsoft ASP.NET Web Application
Overview
Web Application Security Overview
Working with membership Security.
Lesson: Web Application Security Overview
Authentication vs. Authorization
What Are ASP.NET Authentication Methods?
Multimedia: ASP.NET Authentication Methods
Comparing the ASP.NET Authentication Methods
What Are the IIS Authentication Mechanisms?
Demonstration: Using IIS Authentication Mechanisms
What Is Secure Sockets Layer?
Authentication vs. Authorization
Authentication
- Accepts credentials from a user
- Validates the credentials
Authorization
- Given the authentication credentials supplied, determines the right to access a resource
- Can be assigned by user name or by role
What Is Secure Sockets Layer?
SSL is a protocol used for transmitting data securely across a network. SSL secures data through:
- Data encryption
  - Ensures that the data sent is read only by a secure target server
- Server authentication
  - Ensures that data is sent to the correct server
  - Uses the server and client certificates
- Data integrity
  - Protects the integrity of the data
  - Includes a message authentication code that detects whether a message is altered
Uses Hypertext Transfer Protocol Secure to retrieve an ASP.NET Web page
Reading User Information
After authentication, the Web server can read the user identity
lblAuthUser.Text = User.Identity.Name;
lblAuthType.Text = User.Identity.AuthenticationType;
lblIsAuth.Text = User.Identity.IsAuthenticated.ToString();
Overview of Forms-Based Authentication
[Figure: forms-based authentication flow in seven numbered steps. Labels: client requests page; IIS; ASP.NET Forms Authentication; Not Authenticated; Logon page (users enter their credentials: Username, Password, Submit); Authenticated; authentication cookie; Authorized; Access Denied; requested secure page.]
Accessing Relational Data Using Microsoft .NET
Overview
Overview of ADO.NET
Creating a Connection to a Database
Displaying a DataSet in a List-Bound Control
Lesson: Overview of ADO.NET
What is ADO.NET?
Using Namespaces
The ADO.NET Object Model
What is a DataSet?
Accessing Data with ADO.NET
Practice: Identifying ADO.NET Components
What is ADO.NET?
ADO.NET provides a set of classes for working with data. ADO.NET provides:
An evolutionary, more flexible successor to ADO
A system designed for disconnected environments
A programming model with advanced XML support
A set of classes, interfaces, structures, and enumerations that manage data access from within the .NET Framework
Using Namespaces
Use the Imports or using statement to import namespaces
Namespaces used with ADO.NET include:
- System.Data
- System.Data.SqlClient
- System.Data.OleDb
using System.Data;
using System.Data.SqlClient;
The ADO.NET Object Model
[Figure: a DataSet containing DataTables, reached through two data providers. SQL Server .NET Data Provider: SqlDataAdapter and SqlConnection, for SQL Server 7.0 (and later). OLE DB .NET Data Provider: OleDbDataAdapter and OleDbConnection, for OLEDB sources (SQL Server 6.5).]
What is a Dataset?
[Figure: a DataSet holding DataTables sits in Web server memory. SqlDataAdapter and SqlConnection link it to SQL Server 2000; OleDbDataAdapter and OleDbConnection link it to an OleDb database. The databases are the physical storage.]
Accessing Data with ADO.NET
1. Client makes request
2. Create the SqlConnection and SqlDataAdapter objects
3. Fill the DataSet from the DataAdapter and close the connection
4. Return the DataSet to the Client
5. Client manipulates the data
6. Update the DataSet
7. Use the SqlDataAdapter to open the SqlConnection, update the database, and close the connection
[Figure: Client; Web server with List-Bound Control, DataSet, SqlDataAdapter and SqlConnection; Database.]
The DataAdapter Object Model
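[Figure: a DataAdapter between the DataSet and the Database. Its SelectCommand, UpdateCommand, InsertCommand and DeleteCommand each hold a Command, labelled sp_SELECT, sp_UPDATE, sp_INSERT and sp_DELETE, and the Commands share a Connection to the Database. A DataReader also appears in the diagram.]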
What are List-Bound Controls?
Controls that connect to a data source and display the data
List-bound controls include the following:
DropDownList
ListBox
CheckBoxList
RadioButtonList
DataGrid
DataList
Repeater
Multimedia: The ADO.NET Object Model
Creating the Connection
Using SqlConnection
Setting connection string parameters
- Connection timeout
- Data source
- Initial catalog
- Integrated security
- Password
- Persist security info
- Provider
- User ID
string strConn = "data source=localhost; " +
"initial catalog=northwind; integrated security=true";
SqlConnection conn = new SqlConnection(strConn);
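Steps 2 and 3 of "Accessing Data with ADO.NET", using the connection string above and written so that user input reaches the database only as a parameter. This is an added example, not code from the original slides; the class and method names, and the Northwind Customers table with its CustomerID, CompanyName and Country columns, are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerData   // hypothetical class
{
    private const string ConnString =
        "data source=localhost; initial catalog=northwind; integrated security=true";

    // Returns a disconnected DataSet of customers for one country.
    public static DataSet GetCustomersByCountry(string country)
    {
        // Assumed schema: Northwind's Customers table.
        const string sql =
            "SELECT CustomerID, CompanyName, Country " +
            "FROM Customers WHERE Country = @country";

        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlDataAdapter adapter = new SqlDataAdapter(sql, conn))
        {
            // The value travels as a typed parameter and is never concatenated
            // into the SQL text. Country is assumed to be nvarchar(15).
            SqlParameter p = adapter.SelectCommand.Parameters
                                    .Add("@country", SqlDbType.NVarChar, 15);
            p.Value = (object)country ?? DBNull.Value;

            DataSet ds = new DataSet();
            // Fill opens the closed connection, runs the query and closes
            // the connection again (step 3 on the slide).
            adapter.Fill(ds, "Customers");
            return ds;
        }
    }
}
```

To display the result, assign the returned DataSet to a list-bound control's DataSource property and call DataBind().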