Making dual validation in ASP.NET (JavaScript on the client plus server-side checks) simpler. ASP.NET, JS
Is validating with JavaScript alone secure?
Everyone knows the answer: it is not secure at all. Validation on the client is equivalent to "letting the user validate himself", which is obviously unreliable. You cannot prevent a malicious user from modifying the form by hand and submitting forged values, or a third party from intercepting and altering the form before it is submitted.
Therefore, from the security perspective, relying solely on js verification is not safe. Any robust system must be verified on the backend.
Double verification greatly increases the workload. How can this problem be solved?
Solution 1: the brute-force way: write all of it by hand.
Solution 2: use an existing framework; for example, the validation built into MVC supports validation on both ends. The disadvantage is that you need to write the model and attributes, which also takes a certain amount of work.
Solution 3: wrap it yourself.
My solution: solution 3
Ideas
When a page loads, its form rules are stored under a key. The bindings for the front-end elements are generated from those rules to perform client-side validation, and the back-end function uses the same key to fetch the rules for server-side validation. (The rules can be cached to improve performance.)
Implementation
Background code:
Use GetInitScript to store the form rules and assign the returned script to ViewState["intiscript"] so that it can be bound on the front end.
On the front end you only need to output ViewState["intiscript"] (in fact nothing else has to be written; just make sure the element names are consistent with those in the ViewState script):
<Body> <form id = "form1" runat = "server" class = "contact_form"> <ul> <li>
ViewState["intiscript"] holds a generated script that adds attributes such as pattern, placeholder and required to the HTML elements. With these attributes in place you can easily use JS and other plug-ins for front-end validation.
The following is the HTML generated by ViewState["intiscript"].
The PostValidation function is used in the background for verification.
Let's take a look at the effect:
The submission succeeds and validation passes. Next I modify the front-end elements and submit malicious parameters to the back end.
Front-end validation passes:
The back end still catches the bad input.
Finally, the C # verification code is attached:
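using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;

namespace SyntacticSugar
{
    /// <summary>
    /// ** Description: makes it convenient to validate a form on both the front end and the back end. Based on jQuery.
    /// ** Creation time:
    /// ** Modification time: -
    /// ** Author: sunkaixuan
    /// ** Instructions for use: http://www.cnblogs.com/sunkaixuan/p/4550580.html
    /// </summary>
    /// <remarks>
    /// The attributes added in the browser are a convenience only; a client can remove or bypass them.
    /// <see cref="PostValidation"/> is the check that decides whether a request is accepted.
    /// Rules are kept in a process-wide table keyed by page key, so the first rule list registered
    /// for a key stays in effect until the application restarts.
    /// </remarks>
    public class ValidationSugar
    {
        // ASP.NET serves requests on several threads; every access to the shared table takes this lock.
        private static readonly object SyncRoot = new object();

        private static readonly Dictionary<string, ValidationOption> ValidationOptions =
            new Dictionary<string, ValidationOption>();

        // Upper bound for one regex match against request data. Several built-in patterns use nested
        // quantifiers, so a crafted value could otherwise hold a request thread for a long time.
        // Regex match timeouts require .NET Framework 4.5 or later.
        private static readonly TimeSpan MatchTimeout = TimeSpan.FromSeconds(1);

        /// <summary>
        /// Front-end injection: registers the rules for a page (first call only) and returns the
        /// script block that binds them to the form elements.
        /// </summary>
        /// <param name="pageKey">Key that identifies the page; the same key is passed to <see cref="PostValidation"/>.</param>
        /// <param name="itemList">Rules for the page. Ignored when the key is already registered.</param>
        /// <returns>A &lt;script&gt; element that adds pattern/placeholder/required attributes through jQuery.</returns>
        /// <exception cref="ArgumentNullException">pageKey is null, or itemList is null on first registration.</exception>
        public static string GetInitScript(string pageKey, List<OptionItem> itemList)
        {
            if (pageKey == null)
            {
                throw new ArgumentNullException("pageKey");
            }

            lock (SyncRoot)
            {
                // After the first registration the cached script is returned and nothing is reassigned.
                ValidationOption cached;
                if (ValidationOptions.TryGetValue(pageKey, out cached))
                {
                    return cached.Script;
                }

                if (itemList == null)
                {
                    throw new ArgumentNullException("itemList");
                }

                string uk = Guid.NewGuid().ToString("N"); // unique function name per page key

                var script = new StringBuilder();
                script.AppendLine("<script>");
                script.AppendLine("var bindValidation" + uk + " = function (name, params) {");
                script.AppendLine(@"    var selectorObj = $(""[name='"" + name + ""']"");");
                // NOTE(review): the tip is inserted as HTML, so Tip must only ever hold trusted,
                // developer-written text; never feed request data into it.
                script.AppendLine(@"    selectorObj.after(""<span class=\""form_hint\"">"" + params.tip + ""</span>"");");
                script.AppendLine(@"    if (params.pattern != null) selectorObj.attr(""pattern"", params.pattern);");
                script.AppendLine(@"    if (params.placeholder != null) selectorObj.attr(""placeholder"", params.placeholder);");
                script.AppendLine(@"    if (params.isRequired == true) selectorObj.attr(""required"", params.isRequired);");
                script.AppendLine("};");

                foreach (var item in itemList)
                {
                    string builtIn = GetBuiltInPattern(item.Type);
                    if (builtIn != null)
                    {
                        // Kept from the original: the chosen pattern is written back onto the item.
                        item.Pattern = builtIn;
                    }

                    // Every value goes through JS string encoding; the original pasted the raw text
                    // between single quotes, so an apostrophe or backslash in a tip, placeholder or
                    // pattern produced a broken (or different) script.
                    script.Append("bindValidation").Append(uk).Append('(')
                          .Append(ToJsLiteral(item.FormFiledName ?? string.Empty))
                          .Append(",{ tip:").Append(ToJsLiteral(item.Tip ?? string.Empty))
                          .Append(", pattern:").Append(ToJsLiteral(NormalizePattern(item.Pattern)))
                          .Append(", placeholder:").Append(ToJsLiteral(item.Placeholder))
                          .Append(", isRequired:").Append(item.IsRequired ? "true" : "false")
                          .AppendLine(" });");
                }

                script.Append("</script>");

                var option = new ValidationOption
                {
                    PageKey = pageKey,
                    Script = script.ToString(),
                    // Snapshot of the list so later Add/Remove calls by the caller do not change
                    // what the server validates (the items themselves are still shared).
                    ItemList = new List<OptionItem>(itemList)
                };
                ValidationOptions.Add(pageKey, option);
                return option.Script;
            }
        }

        /// <summary>
        /// Back-end verification: checks the current request's values against the rules registered
        /// for <paramref name="pageKey"/>.
        /// </summary>
        /// <param name="pageKey">Key used when the rules were registered with <see cref="GetInitScript"/>.</param>
        /// <param name="errorMessage">Empty on success; on failure the page's rule list in JSON format.</param>
        /// <returns>true when every rule is satisfied; otherwise false.</returns>
        /// <exception cref="ArgumentNullException">
        /// No rules are registered for the key. The request is rejected rather than accepted unvalidated.
        /// </exception>
        /// <exception cref="InvalidOperationException">There is no current HTTP context.</exception>
        public static bool PostValidation(string pageKey, out string errorMessage)
        {
            errorMessage = string.Empty;

            List<OptionItem> itemList = null;
            lock (SyncRoot)
            {
                ValidationOption option;
                if (pageKey != null && ValidationOptions.TryGetValue(pageKey, out option))
                {
                    itemList = option.ItemList;
                }
            }

            if (itemList == null)
            {
                // Exception type kept from the original so existing catch blocks still apply.
                throw new ArgumentNullException("pageKey", "ValidationSugar.PostValidation: no rules are registered for this page key.");
            }

            var context = System.Web.HttpContext.Current;
            if (context == null)
            {
                throw new InvalidOperationException("ValidationSugar.PostValidation requires a current HTTP request.");
            }

            bool isSuccess = true;
            foreach (var item in itemList)
            {
                if (!IsValueValid(item, context.Request[item.FormFiledName]))
                {
                    isSuccess = false;
                    break;
                }
            }

            if (!isSuccess)
            {
                errorMessage = new System.Web.Script.Serialization.JavaScriptSerializer().Serialize(itemList);
            }

            return isSuccess;
        }

        // Decides whether one submitted value satisfies one rule.
        private static bool IsValueValid(OptionItem item, string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                // A missing optional field is acceptable (browsers also skip the pattern check on an
                // empty value). The original passed null to Regex.IsMatch here, which throws.
                return !item.IsRequired;
            }

            if (string.IsNullOrEmpty(item.Pattern))
            {
                return true;
            }

            // The HTML5 pattern attribute must match the whole value. Anchor the server check the
            // same way so it is never looser than the browser's: \A and \z also reject a trailing
            // newline, which a bare "$" would let through in .NET.
            string anchored = @"\A(?:" + NormalizePattern(item.Pattern) + @")\z";
            try
            {
                return Regex.IsMatch(value, anchored, RegexOptions.None, MatchTimeout);
            }
            catch (RegexMatchTimeoutException)
            {
                // A value that exhausts the time budget is treated as invalid.
                return false;
            }
        }

        // Returns the regular expression for a built-in type, or null for OptionItemType.Regex
        // (the caller supplies its own pattern in that case).
        private static string GetBuiltInPattern(OptionItemType type)
        {
            switch (type)
            {
                case OptionItemType.Mail:
                    return @"^[\w-]+(\.[\w-]+)*@[\w-]+(\.[\w-]+)+$";
                case OptionItemType.Int:
                    return @"^\d{1,11}$";
                case OptionItemType.Double:
                    // NOTE(review): identical to Int in the published listing, so decimal points
                    // are rejected; confirm whether that is intended before relying on it.
                    return @"^\d{1,11}$";
                case OptionItemType.IdCard:
                    return @"^(\d{15}$|^\d{18}$|^\d{17}(\d|X|x))$";
                case OptionItemType.Date:
                    // yyyy-M-d or yyyy/M/d with month-length and leap-year checks.
                    // NOTE(review): the published listing appends a further alternative for
                    // month-first dates with an optional time, but that part is garbled in the
                    // available copy and is left out here; restore it from the upstream source
                    // if those formats must be accepted.
                    return @"^(((1[8-9]\d{2})|([2-9]\d{3}))([-\/])(10|12|0?[13578])([-\/])(3[01]|[12][0-9]|0?[1-9])$)"
                         + @"|(^((1[8-9]\d{2})|([2-9]\d{3}))([-\/])(11|0?[469])([-\/])(30|[12][0-9]|0?[1-9])$)"
                         + @"|(^((1[8-9]\d{2})|([2-9]\d{3}))([-\/])(0?2)([-\/])(2[0-8]|1[0-9]|0?[1-9])$)"
                         + @"|(^([2468][048]00)([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([3579][26]00)([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([1][89][0][48])([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([2-9][0-9][0][48])([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([1][89][2468][048])([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([2-9][0-9][2468][048])([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([1][89][13579][26])([-\/])(0?2)([-\/])(29)$)"
                         + @"|(^([2-9][0-9][13579][26])([-\/])(0?2)([-\/])(29)$)";
                case OptionItemType.Mobile:
                    return @"^[0-9]{11}$";
                case OptionItemType.Telephone:
                    return @"^(\(\d{3,4}\)|\d{3,4}-|\s)?\d{8}$";
                case OptionItemType.Fax:
                    return @"^[+]{0,1}(\d){1,3}[ ]?([-]?((\d)|[ ]){1,12})+$";
                default:
                    return null;
            }
        }

        // Earlier versions asked callers to double each backslash so the pattern survived being
        // pasted into a JS string literal. Collapsing "\\" to "\" once, for both the emitted script
        // and the server check, keeps such patterns working and makes both sides use the same regex.
        private static string NormalizePattern(string pattern)
        {
            return pattern == null ? null : pattern.Replace(@"\\", @"\");
        }

        // Renders a .NET string as a single-quoted JavaScript literal, or the literal null.
        private static string ToJsLiteral(string value)
        {
            if (value == null)
            {
                return "null";
            }

            // The extra "<" replacement keeps a literal "</script>" inside a value from closing
            // the script element on frameworks whose encoder leaves "<" untouched.
            string encoded = System.Web.HttpUtility.JavaScriptStringEncode(value).Replace("<", "\\u003c");
            return "'" + encoded + "'";
        }

        // Rules and generated script cached for one page key.
        private class ValidationOption
        {
            public string PageKey { get; set; }
            public string Script { get; set; }
            public List<OptionItem> ItemList { get; set; }
        }

        public enum OptionItemType
        {
            Mail = 0,
            Int = 2,
            Double = 3,
            IdCard = 4,
            Date = 5,
            /// <summary>
            /// Mobile phone
            /// </summary>
            Mobile = 6,
            /// <summary>
            /// Landline
            /// </summary>
            Telephone = 7,
            Fax = 8,
            /// <summary>
            /// No suitable built-in type; validate with the regular expression in Pattern.
            /// </summary>
            Regex = 1000
        }

        /// <summary>
        /// Verification options for one form field.
        /// </summary>
        public class OptionItem
        {
            /// <summary>
            /// Verification type
            /// </summary>
            public OptionItemType Type { get; set; }

            /// <summary>
            /// Regular expression (overwritten for the built-in types)
            /// </summary>
            public string Pattern { get; set; }

            /// <summary>
            /// Required?
            /// </summary>
            public bool IsRequired { get; set; }

            /// <summary>
            /// Form field name (name or id)
            /// </summary>
            public string FormFiledName { get; set; }

            /// <summary>
            /// Watermark
            /// </summary>
            public string Placeholder { get; set; }

            /// <summary>
            /// Reminder
            /// </summary>
            public string Tip { get; set; }
        }
    }
}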
Source code download: http://pan.baidu.com/s/1mgoXpsW
Due to time constraints, only HTML5 validation is supported, so a recent browser version is required.