Validating data without client-side scripting

We live in a world that treats open source, performance-oriented, single page applications (which reduce server round trips) as the professional standard. Microsoft stayed comfortable with server-side development for a long time. Later, they began to experiment with client-side validation, mainly thanks to MVC 2. Now, with MVC Core, they're back in the game!

This brings us to the million dollar question: is client-side validation safe on its own? How long does it take an attacker to bypass the client-side validation and send whatever they like to the server? In today's world, even someone who has just started learning to hack can do it in minutes. To be blunt, we have no control over the client, and we cannot blindly trust the data we receive from it: anybody can tamper with or replay a request using tools such as Fiddler, a REST client, and many more.

Knowing that the data we receive may not be authentic, why do we still need client-side validation? Simple: it gives a better user experience, with immediate feedback and no extra round trip, and we should not throw that away. Authenticity is not the only concern, either. If somebody simply disables JavaScript in their browser, the form is submitted with no validation at all, and unless the server validates it we end up processing unsafe, unvalidated data.

JavaScript can be disabled in the browser settings. The following screenshot shows how to do this in Chrome (Content | JavaScript):

With JavaScript disabled, any form can be submitted without client-side validation, so the following form is submitted without complaint even though Title, Content, Summary, and so on are left empty:

If the server accepts this model without validating it, it processes whatever arrived, which opens up security issues. However, we still have full control over the model at the web server. Inspecting the bound model, we can see that Title, Content, and Summary arrived as null (empty form fields bind to null by default):

The model must be validated before we persist it to the data store. The MVC engine validates the posted model against its validation attributes as part of model binding and records the outcome in the model state. The action should check that ModelState.IsValid is true and only then proceed with persistence; this ensures that invalid data never gets stored in the system:
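The following is an added example, not code from the book: a minimal ASP.NET Core MVC model and controller that rely on server-side validation alone. The fields Title, Summary, and Content are taken from the form above; the names BlogPost, BlogController, and IBlogRepository are assumptions for illustration.

```csharp
// Added example (not the book's code). The names BlogPost, BlogController and
// IBlogRepository are assumptions; Title/Summary/Content mirror the form fields.
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

public class BlogPost
{
    public int Id { get; set; }

    // Each rule below is enforced by the MVC validation system after model
    // binding, whether or not the browser executed any JavaScript.
    [Required(ErrorMessage = "Title is required")]
    [StringLength(200, MinimumLength = 3)]
    public string Title { get; set; }

    [Required]
    [StringLength(500)]
    public string Summary { get; set; }

    [Required]
    public string Content { get; set; }
}

// Assumed persistence abstraction; any data store implementation will do.
public interface IBlogRepository
{
    Task AddAsync(BlogPost post);
}

public class BlogController : Controller
{
    private readonly IBlogRepository _repository;

    public BlogController(IBlogRepository repository)
    {
        _repository = repository;
    }

    [HttpGet]
    public IActionResult Index() => View();

    [HttpGet]
    public IActionResult Create() => View(new BlogPost());

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Create(BlogPost post)
    {
        // Model binding has already run and populated ModelState with every
        // attribute violation. For the form submitted with JavaScript disabled,
        // Title, Summary and Content are null, so there are three [Required]
        // errors and IsValid is false.
        if (!ModelState.IsValid)
        {
            // Redisplay the form with the validation summary; nothing is persisted.
            return View(post);
        }

        // Only a model that passed every server-side rule reaches the data store.
        await _repository.AddAsync(post);
        return RedirectToAction(nameof(Index));
    }
}
```

The same check protects against a request crafted with Fiddler or any other HTTP client, because the attributes are evaluated on the server for every POST regardless of how it was produced. In a plain MVC controller the ModelState.IsValid check must be written explicitly as above; controllers marked with [ApiController] return a 400 response automatically when the model state is invalid.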

We have seen how data is validated when client-side validation is absent; now let's look at server-side validation in the next section.
