Published: Wednesday, December 01, 1999
Server-Side Form Validation
By Dianna Leech
Users are irritating. They don't like filling out forms, and will tear through them as fast as they possibly
can to get to the fun part of your site. Since they are typing so fast, they probably won't read the directions
you so kindly put at the top of the form, and will put in who knows what kind of garbage just to send the
thing off and get to the next page.
Since this data is usually important to us web developers, we'd like to have it be as accurate as possible
before it's added it to our database. So, we need to do validation on the data before submitting it. There are
two places where this checking can occur: on the client or on the server. Client-side form validation is
done with a JavaScript function which fires when the user clicks the submit button. If there are errors, the
user stays on that page to fix them.
Client-side validation has a few things in its favor. It's quick, the user knows immediately that something is
wrong, and it's pretty easy to code. (Always an important consideration, for me anyway.) However it does
have a major flaw. It's not secure. At all. Anybody viewing your web page can do View>>Source and
look at your validation script. This will tell them what's being checked in your form and what's not. A
malicious person, or one who's just bored, can save your page to their computer, edit or delete your
validation code and then submit your form. Repeatedly. It's not hard to see that a security hole that big
should be patched.
The way to avoid this problem is to do server-side validation. To implement server-side validation, we
write an ASP script that handles the validation and save it as another ASP page. We put the name of this
ASP in the Action= part of the form on the first page. When the user submits the form, the validation script
page is run. If the user fails the validation routine we kick him back to the form page where we'll print out
a table of his errors, so he knows exactly what to fix.
Before going any further, let me confess up front that this script uses session variables. I agree with others
on this site who've said that session variables are evil, but they are convenient little devils. So just
remember, session variables are a type of temporary cookie and if your users surf with cookies turned off
this script won't work.
Enough description, lets see the code!
On our form page, first we create an HTML table which align our form correctly.
<HTML><HEAD></HEAD>
<BODY>
<TABLE border=0 width=500 >
<TR><TD>
<%
'ON THE FIRST TIME THAT THIS PAGE LOADS, SESSION("ERRORS") HAS NO VALUE AND SO
'EQUALS 0. ON SUBSEQUENT VISITS, SESSION("ERRORS WILL HAVE A VALUE OF 1 OR
'MORE IF ERRORS WERE MADE
if Session("Errors")=0 then
response.write "Please fill out the form"
else
'ERRORS WERE MADE SO LIST THEM IN THE REST OF THE TABLE
'reset our error counter
Session("Errors")="0"
response.write "<BR>There are errors in your data. " & _
"Please make the following changes before " & _
"clicking the submit button:<br>"
response.write"<TABLE border=0 width=' 400' align='center'>"
'THESE SESSION VARIABLES ARE SET IN THE SECOND PAGE
' IF THERE WERE ERRORS 'VALUE IS "F"
If Session("badFirstName") = "T" then
Response.write "<TR><TD><font color='red'>The First " & _
"Name field must be completed.</font>"
Response.write "</TD></TR>"
Session("badFirstName")="F"
End If
If Session("badLastName") = "T" then
Response.write "<TR><TD><font color='red'>The Last Name " & _
"field must be completed. </font>"
Response.write "</TD></TR>"
Session("badLastName")="F"
End If
If Session("badDate") = "T" then
Response.write "<TR><TD><font color='red'>Date must be " & _
"in the format mm/dd/yyyy. </font>"
Response.write "</TD></TR>"
Session("badDate")="F"
End If
'END THE ERRORS TABLE
response.write "</TD></TR></TABLE>"
End If
%>
<!--START THE FORM -->
<FORM ACTION="test.asp" NAME="frmUser" METHOD="POST">
<!--FORM IS IN A TABLE TO ALIGN THE TEXTBOXES -->
<TABLE ALIGN="" BORDER=0 ALIGN="">
<TR>
<TD align=right><B>First Name</B></TD>
<TD>
<INPUT TYPE="text" Name="FirstName" VALUE="<%=Session("FName")%>">
</TD>
</TR>
<TD align=right><B>Last Name</B></TD>
<TD>
<INPUT TYPE="text" Name="LastName" VALUE="<%=Session("LName")%>">
</TD>
</TR>
<TR><TD align="right">
<B>Date </B></td><TD><INPUT TYPE="Text" NAME="SendDate"
VALUE="<%=Session("CompletionDate") %>">
<font color="blue">(mm/dd/yyyy)</font>
</TD></TR>
</TABLE>
<!-- end table for data entry form -->
<INPUT TYPE="Submit" VALUE="Submit"> <INPUT TYPE="RESET">
</FORM>
</TD></TR></TABLE>
<!-- end table used for page alignment -->
</BODY>
</HTML>
|
OK, now the front form page is done, on to the validation code on the second page, test.asp!
<%<![CDATA[
Session("FName")=Request("FirstName")
Session("LName")=Request("LastName")
Session("CompletionDate")=Request("SendDate")
'HERE IS ONE WAY OF CHECKING FOR AN EMPTY TEXT BOX
if not len(Request("FirstName")) > 0 then
Session("badFirstName")="T"
Session("Errors")=Session("Errors") + 1
end if
'AND HERE IS ANOTHER, BOTH SHOULD WORK
if Request("LastName")= "" then
Session("badLastName")="T"
Session("Errors")=Session("Errors") + 1
end if
if not IsDate(Request("SendDate")) then
Session("badDate")="T"
Session("Errors")=Session("Errors") + 1
end if
if Session("Errors") > 0 then
‘there were errors, so send back to form
response.redirect "form.asp"
else
'there were no errors, so do the update to the database and redirect to a thank you page
response.redirect "thanks.asp"
end if
]]>%>
|
That's all there is to it! Happy Programming!
Attachments
Download the source code for the form creation web page in text format
Download the source code for the form field error checking script in text format
