When you think ASP, think...
Recent Articles
All Articles
ASP.NET Articles
ASPFAQs.com
Message Board
Related Web Technologies
User Tips!
Coding Tips

Sections:
Sample Chapters
Commonly Asked Message Board Questions
JavaScript Tutorials
MSDN Communities Hub
Official Docs
Security
Stump the SQL Guru!
XML Info
Information:
Feedback
Author an Article
ASP ASP.NET ASP FAQs Message Board Feedback
Print this page.
Published: Wednesday, December 01, 1999

Server-Side Form Validation

By Dianna Leech


Users are irritating. They don't like filling out forms, and will tear through them as fast as they possibly can to get to the fun part of your site. Since they are typing so fast, they probably won't read the directions you so kindly put at the top of the form, and will put in who knows what kind of garbage just to send the thing off and get to the next page.

- continued -

Since this data is usually important to us web developers, we'd like to have it be as accurate as possible before it's added it to our database. So, we need to do validation on the data before submitting it. There are two places where this checking can occur: on the client or on the server. Client-side form validation is done with a JavaScript function which fires when the user clicks the submit button. If there are errors, the user stays on that page to fix them.

Client-side validation has a few things in its favor. It's quick, the user knows immediately that something is wrong, and it's pretty easy to code. (Always an important consideration, for me anyway.) However it does have a major flaw. It's not secure. At all. Anybody viewing your web page can do View>>Source and look at your validation script. This will tell them what's being checked in your form and what's not. A malicious person, or one who's just bored, can save your page to their computer, edit or delete your validation code and then submit your form. Repeatedly. It's not hard to see that a security hole that big should be patched.

The way to avoid this problem is to do server-side validation. To implement server-side validation, we write an ASP script that handles the validation and save it as another ASP page. We put the name of this ASP in the Action= part of the form on the first page. When the user submits the form, the validation script page is run. If the user fails the validation routine we kick him back to the form page where we'll print out a table of his errors, so he knows exactly what to fix.

Before going any further, let me confess up front that this script uses session variables. I agree with others on this site who've said that session variables are evil, but they are convenient little devils. So just remember, session variables are a type of temporary cookie and if your users surf with cookies turned off this script won't work.

Enough description, lets see the code!

On our form page, first we create an HTML table which align our form correctly.

<HTML><HEAD></HEAD>
<BODY>
<TABLE border=0 width=500 >
<TR><TD>
<%
'ON THE FIRST TIME THAT THIS PAGE LOADS, SESSION("ERRORS") HAS NO VALUE AND SO 
'EQUALS 0.  ON SUBSEQUENT VISITS, SESSION("ERRORS WILL HAVE A VALUE OF 1 OR 
'MORE IF ERRORS WERE MADE  

if  Session("Errors")=0 then 
  response.write "Please fill out the form"
else
  'ERRORS WERE MADE SO LIST THEM IN THE REST OF THE TABLE
  'reset our error counter
  Session("Errors")="0"
  response.write "<BR>There are errors in your data.  " & _
          "Please make  the following  changes before " & _
          "clicking the submit button:<br>"
  response.write"<TABLE border=0 width=' 400' align='center'>"

  'THESE SESSION VARIABLES ARE SET IN THE SECOND PAGE
  ' IF THERE WERE ERRORS 'VALUE IS "F"  
  If Session("badFirstName") = "T" then 
     Response.write "<TR><TD><font color='red'>The First " & _
                    "Name field must be completed.</font>" 
     Response.write "</TD></TR>"
     Session("badFirstName")="F"
  End If 


  If Session("badLastName") = "T" then
    Response.write "<TR><TD><font color='red'>The Last Name " & _
                   "field must be completed. </font>" 
    Response.write "</TD></TR>"
    Session("badLastName")="F"
  End If 

  If Session("badDate") = "T" then
    Response.write "<TR><TD><font color='red'>Date must be " & _
                   "in the format mm/dd/yyyy. </font>" 
    Response.write "</TD></TR>"
    Session("badDate")="F"
  End If 

  'END THE ERRORS TABLE
  response.write "</TD></TR></TABLE>"
End If
%>	

<!--START THE FORM -->
<FORM ACTION="test.asp" NAME="frmUser" METHOD="POST">

<!--FORM IS IN A TABLE TO ALIGN THE TEXTBOXES -->
<TABLE ALIGN="" BORDER=0 ALIGN="">
<TR>
<TD align=right><B>First Name</B></TD>
<TD>
  <INPUT TYPE="text" Name="FirstName" VALUE="<%=Session("FName")%>">
</TD>
</TR>

<TD align=right><B>Last Name</B></TD>
<TD>
  <INPUT TYPE="text" Name="LastName" VALUE="<%=Session("LName")%>">
</TD>
</TR>

<TR><TD align="right">
  <B>Date </B></td><TD><INPUT TYPE="Text" NAME="SendDate" 
             VALUE="<%=Session("CompletionDate") %>"> 
             <font color="blue">(mm/dd/yyyy)</font>
</TD></TR>
</TABLE>
<!-- end table for data entry form -->

<INPUT TYPE="Submit" VALUE="Submit">  <INPUT TYPE="RESET">
</FORM>

</TD></TR></TABLE>
<!-- end table used for page alignment -->
</BODY>
</HTML>

OK, now the front form page is done, on to the validation code on the second page, test.asp!

<% Session("FName")=Request("FirstName") Session("LName")=Request("LastName") Session("CompletionDate")=Request("SendDate") 'HERE IS ONE WAY OF CHECKING FOR AN EMPTY TEXT BOX if not len(Request("FirstName")) > 0 then Session("badFirstName")="T" Session("Errors")=Session("Errors") + 1 end if 'AND HERE IS ANOTHER, BOTH SHOULD WORK if Request("LastName")= "" then Session("badLastName")="T" Session("Errors")=Session("Errors") + 1 end if if not IsDate(Request("SendDate")) then Session("badDate")="T" Session("Errors")=Session("Errors") + 1 end if if Session("Errors") > 0 then ‘there were errors, so send back to form response.redirect "form.asp" else 'there were no errors, so do the update to the database and redirect to a thank you page response.redirect "thanks.asp" end if %>

That's all there is to it! Happy Programming!


Attachments

  • Download the source code for the form creation web page in text format
  • Download the source code for the form field error checking script in text format


  • ASP.NET [1.x] [2.0] | ASPMessageboard.com | ASPFAQs.com | Advertise | Feedback | Author an Article