Is it secure to validate with JavaScript alone?
Everyone knows the answer: it is insecure, very insecure. Client-side validation amounts to "letting users validate themselves", which is obviously unreliable. You cannot stop malicious users from modifying their own forms to cheat, nor prevent a third party from intercepting the form, tampering with it and then submitting it.
So, from a security standpoint, relying solely on JS validation is not safe, and any robust system must validate at the back end.
Double validation greatly increases the workload. How can this be solved?
Option 1: The clumsy way: write everything a second time
Option 2: Use an existing framework, for example MVC's built-in validation, which supports validation on both sides; the drawback is that writing the model plus its attributes is still a certain amount of work
Option 3: Encapsulate it yourself
My choice: Option 3
Idea
When the page loads, the form rules are stored under a key, and the rules are used to generate the bindings for the front-end elements, which completes the client-side validation. The back-end function takes the key, fetches the form rules and performs the server-side validation. (Performance can be improved with caching.)
Implementation
Back-end code:
Store the form rules with GetInitScript and assign the result to ViewState["Intiscript"] for the front end to bind
The front end only has to bind ViewState["Intiscript"] (in fact nothing else needs to be written, as long as the element names are consistent with the rules):
<body>
    <form id="form1" runat="server" class="contact_form">
        <ul>
            <li>
                <h2>Form validation</h2>
            </li>
        </ul>
    </form>
    <%=ViewState["Intiscript"]%>
</body>
ViewState["Intiscript"] generates a script that adds the pattern, placeholder and required attributes to the HTML elements; with these attributes it is very convenient to do front-end validation with JS or other plug-ins
The following is the HTML generated by ViewState["Intiscript"]
Back-end validation uses the PostValidation function
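How the two calls described above fit into a page's code-behind, as an added example that is not the author's own code. The page class `Contact`, the key `contact_form`, the field names and the `btnSubmit` / `litResult` controls are assumptions; `ValidationSugar` and its members are the class listed at the end of this page.

```csharp
using System;
using System.Collections.Generic;

// Added example: code-behind for a hypothetical page whose form has inputs
// named "email" and "mobile", a button btnSubmit and a Literal litResult.
public partial class Contact : System.Web.UI.Page
{
    private const string PageKey = "contact_form"; // hypothetical rule-set key

    // The single rule list that drives both the client script and the server check.
    private static List<ValidationSugar.OptionItem> BuildRules()
    {
        return new List<ValidationSugar.OptionItem>
        {
            new ValidationSugar.OptionItem
            {
                FormFiledName = "email", Type = ValidationSugar.OptioItemType.Mail,
                IsRequired = true, Placeholder = "name@example.com",
                Tip = "Enter a valid e-mail address"
            },
            new ValidationSugar.OptionItem
            {
                FormFiledName = "mobile", Type = ValidationSugar.OptioItemType.Mobile,
                IsRequired = false, Placeholder = "11 digits",
                Tip = "Optional mobile number"
            }
        };
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on GET and on postback, before the click handler. GetInitScript
        // registers the rules under PageKey the first time it is called, and
        // PostValidation throws for a key that was never registered (for example
        // a POST that is the first request after an application restart).
        ViewState["Intiscript"] = ValidationSugar.GetInitScript(PageKey, BuildRules());
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string errorJson;
        if (!ValidationSugar.PostValidation(PageKey, out errorJson))
        {
            // The request did not satisfy the rules, whatever the browser enforced.
            litResult.Text = "Rejected by server-side validation";
            return;
        }
        litResult.Text = "Accepted"; // the posted values match the rules
    }
}
```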
Let's look at the result:
The submission succeeds and validation passes. Now let me change the front-end elements and submit malicious parameters to the back end
Front-end validation passes:
The back end catches it.
Finally, here is the C# validation class code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;

/// <summary>
/// ** Description: makes front-end and back-end double validation easy to implement; based on jQuery
/// ** Created: 2015-6-4
/// ** Modified: -
/// ** sunkaixuan
/// ** Usage notes: -
/// </summary>
public class ValidationSugar
{
    private static readonly List<ValidationOption> ValidationOptionList = new List<ValidationOption>();

    /// <summary>
    /// Front end: builds the script that binds the validation attributes
    /// </summary>
    /// <param name="pageKey"></param>
    /// <param name="itemList"></param>
    public static string GetInitScript(string pageKey, List<OptionItem> itemList)
    {
        // The list is static and shared by every request, so access is locked
        lock (ValidationOptionList)
        {
            // Once a page key has been initialized it is not assigned again
            var existing = ValidationOptionList.SingleOrDefault(c => c.PageKey == pageKey);
            if (existing != null)
            {
                return existing.Script;
            }
            ValidationOption option = new ValidationOption();
            string uk = Guid.NewGuid().ToString().Replace("-", ""); // unique function name
            string script = @"<script>
var bindValidation{1}=function(name,params){{
    var selectorObj=$(""[name='""+name+""']"");
    selectorObj.after(""<span class=\""form_hint\"">""+params.tip+""</span>"");
    if(params.pattern)
        selectorObj.attr(""pattern"",params.pattern);
    if(params.placeholder!=null)
        selectorObj.attr(""placeholder"",params.placeholder);
    if(params.isRequired===true)
        selectorObj.attr(""required"",params.isRequired);
}}
{0}</script>";
            StringBuilder itemsCode = new StringBuilder();
            foreach (var item in itemList)
            {
                // Patterns are stored with doubled backslashes because they are
                // written into a JavaScript string literal below
                switch (item.Type)
                {
                    case OptioItemType.Mail:
                        item.Pattern = @"^[\\w-]+(\\.[\\w-]+)*@[\\w-]+(\\.[\\w-]+)+$";
                        break;
                    case OptioItemType.Int:
                        item.Pattern = @"^\\d{1,11}$";
                        break;
                    case OptioItemType.Double:
                        // Same pattern as Int: digits only, no decimal point
                        item.Pattern = @"^\\d{1,11}$";
                        break;
                    case OptioItemType.IdCard:
                        item.Pattern = @"^(\\d{15}$|^\\d{18}$|^\\d{17}(\\d|X|x))$";
                        break;
                    case OptioItemType.Date:
                        // Every alternative is anchored at both ends so that the server-side
                        // match is as strict as the browser's pattern attribute
                        item.Pattern =
                            @"(^((1[8-9]\\d{2})|([2-9]\\d{3}))([-\\/])(10|12|0?[13578])([-\\/])(3[01]|[12][0-9]|0?[1-9])$)"
                            + @"|(^((1[8-9]\\d{2})|([2-9]\\d{3}))([-\\/])(11|0?[469])([-\\/])(30|[12][0-9]|0?[1-9])$)"
                            + @"|(^((1[8-9]\\d{2})|([2-9]\\d{3}))([-\\/])(0?2)([-\\/])(2[0-8]|1[0-9]|0?[1-9])$)"
                            + @"|(^([2468][048]00)([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([3579][26]00)([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([1][89][0][48])([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([2-9][0-9][0][48])([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([1][89][2468][048])([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([2-9][0-9][2468][048])([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([1][89][13579][26])([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^([2-9][0-9][13579][26])([-\\/])(0?2)([-\\/])(29)$)"
                            + @"|(^(((((0[13578])|([13578])|(1[02]))[\\-\\/\\s]?((0[1-9])|([1-9])|([1-2][0-9])|(3[01])))"
                            + @"|((([469])|(11))[\\-\\/\\s]?((0[1-9])|([1-9])|([1-2][0-9])|(30)))"
                            + @"|((02|2)[\\-\\/\\s]?((0[1-9])|([1-9])|([1-2][0-9]))))[\\-\\/\\s]?\\d{4})"
                            + @"(\\s(((0[1-9])|([1-9])|(1[0-2])):([0-5][0-9])((\\s)|(:([0-5][0-9])\\s))([AM|PM|am|pm]{2,2})))?$)";
                        break;
                    case OptioItemType.Mobile:
                        item.Pattern = @"^[0-9]{11}$";
                        break;
                    case OptioItemType.Telephone:
                        item.Pattern = @"^(\\(\\d{3,4}\\)|\\d{3,4}-|\\s)?\\d{8}$";
                        break;
                    case OptioItemType.Fax:
                        item.Pattern = @"^[+]{0,1}(\\d){1,3}[ ]?([-]?((\\d)|[ ]){1,12})+$";
                        break;
                    case OptioItemType.Regex:
                        // The caller supplies item.Pattern
                        break;
                }
                // FormFiledName, Tip and Placeholder are written unescaped into single-quoted
                // JS literals, so they must be developer-defined values without quotes
                itemsCode.AppendFormat("bindValidation{0}('{1}',{{tip:'{2}',pattern:'{3}',placeholder:'{4}',isRequired:{5}}});", uk, item.FormFiledName, item.Tip, item.Pattern, item.Placeholder, item.IsRequired ? "true" : "false");
                itemsCode.AppendLine();
            }
            option.Script = string.Format(script, itemsCode.ToString(), uk);
            option.PageKey = pageKey;
            option.ItemList = itemList;
            ValidationOptionList.Add(option);
            return option.Script;
        }
    }

    /// <summary>
    /// Back-end validation
    /// </summary>
    /// <param name="pageKey"></param>
    /// <param name="errorMessage">JSON format</param>
    /// <returns></returns>
    public static bool PostValidation(string pageKey, out string errorMessage)
    {
        errorMessage = string.Empty;
        List<OptionItem> itemList;
        lock (ValidationOptionList)
        {
            var option = ValidationOptionList.SingleOrDefault(c => c.PageKey == pageKey);
            if (option == null)
            {
                throw new ArgumentNullException("ValidationSugar.PostValidation.pageKey");
            }
            itemList = option.ItemList;
        }
        var context = System.Web.HttpContext.Current;
        var successItemList = itemList.Where(it =>
        {
            // Request[name] searches QueryString, Form, Cookies and ServerVariables, in that order
            string value = context.Request[it.FormFiledName];
            if (string.IsNullOrEmpty(value))
            {
                // An empty value is acceptable only for an optional field
                return !it.IsRequired;
            }
            if (string.IsNullOrEmpty(it.Pattern))
            {
                return true; // no pattern to check
            }
            // Undo the JavaScript escaping before handing the pattern to .NET
            return Regex.IsMatch(value, it.Pattern.Replace(@"\\", @"\"));
        }).ToList();
        bool isSuccess = (successItemList.Count == itemList.Count);
        if (!isSuccess)
        {
            // The form's rule list, serialized as JSON
            errorMessage = new System.Web.Script.Serialization.JavaScriptSerializer().Serialize(itemList);
        }
        return isSuccess;
    }

    private class ValidationOption
    {
        public string PageKey { get; set; }
        public string Script { get; set; }
        public List<OptionItem> ItemList { get; set; }
    }

    public enum OptioItemType
    {
        Mail = 0,
        Int = 2,
        Double = 3,
        IdCard = 4,
        Date = 5,
        /// <summary>
        /// Mobile phone
        /// </summary>
        Mobile = 6,
        /// <summary>
        /// Landline
        /// </summary>
        Telephone = 7,
        Fax = 8,
        /// <summary>
        /// If none of the above fits, use a regular expression
        /// </summary>
        Regex = 1000
    }

    /// <summary>
    /// Validation options
    /// </summary>
    public class OptionItem
    {
        /// <summary>
        /// Validation type
        /// </summary>
        public OptioItemType Type { get; set; }
        /// <summary>
        /// Regular expression
        /// </summary>
        public string Pattern { get; set; }
        /// <summary>
        /// Whether the field is required
        /// </summary>
        public bool IsRequired { get; set; }
        /// <summary>
        /// Form field name (name or id)
        /// </summary>
        public string FormFiledName { get; set; }
        /// <summary>
        /// Watermark
        /// </summary>
        public string Placeholder { get; set; }
        /// <summary>
        /// Hint text
        /// </summary>
        public string Tip { get; set; }
    }
}
Source download: http://pan.baidu.com/s/1mgoXpsW
Because of time constraints, only HTML5 validation is supported, which requires a recent browser version; I will improve this gradually
Making ASP.NET JS validation and server-side double validation simpler