[thelist] Data validation (Best Practice) - asp/sql server

Ken Schaefer Ken at adOpenStatic.com
Thu Nov 18 17:20:26 CST 2004


Validation on the client-side is for the user's benefit (to improve
responsiveness). 

Validate all data at the server again (I'd do this in your business logic
someplace). 

Then use Command+Parameter ADO objects to interface with SQL Server stored
procedures, to move your data into your database. This gives you an added
defence against SQL Injection attacks that your validation code might miss.

If you want a methodology for implementing this fairly quickly, check out a
rather dated article I have:
www.adopenstatic.com/resources/code/uivalidation.asp

Cheers
Ken

: -----Original Message-----
: From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Michael Pack
: Sent: Friday, 19 November 2004 2:05 AM
: To: thelist at lists.evolt.org
: Subject: [thelist] Data validation (Best Practice) - asp/sql server
: 
: Hi all, I'm back to collect some more information from all the gurus out there. This time around I'm curious about best practice for data validation.
: 
: My current practice is to check against required fields before submit using javascript. I then add an additional line of defense for required fields with ASP conditional statements and perform all data validation through vbscript as well. If all checks out I run the transaction.
: 
: I became a bit curious yesterday when I ran into a "Best Practice for Validating User Input" article at MSDN that points out...
: 
: *> Use stored procedures to validate user input.
: 
: I'm wondering the cons and pros of using the database for validation versus vbscript?
: 
: Thanks for any information.
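As an added example that is not part of the thread (not Ken's article code and not from the list): a Classic ASP page that re-validates the posted fields on the server, then moves them into SQL Server through an ADODB.Command call to a stored procedure with typed parameters, the approach Ken describes above. The procedure name usp_InsertContact, its parameter names, sizes and types, the form field names and the connection string are assumptions chosen for the illustration.

```vbscript
<%
Option Explicit
' Added example, not code from the thread. Assumed (hypothetical): a stored
' procedure usp_InsertContact(@Name varchar(100), @Email varchar(255), @Age int)
' and a connection string in CONN_STRING with placeholder server/database names.

' ADO constants (same values as adovbs.inc) so the page needs no include file
Const adCmdStoredProc    = 4
Const adVarChar          = 200
Const adInteger          = 3
Const adParamInput       = 1
Const adExecuteNoRecords = 128

Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(placeholder);Initial Catalog=(placeholder);Integrated Security=SSPI"

' --- Server-side validation: assume the client-side script never ran ---
Function ValidName(s)
    ' required; one leading letter then up to 99 letters, spaces, ' or -
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z '\-]{0,99}$"
    ValidName = re.Test(s)
End Function

Function ValidEmail(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$"
    re.IgnoreCase = True
    ValidEmail = (Len(s) <= 255) And re.Test(s)
End Function

Function ValidAge(s)
    ' IsNumeric alone accepts forms like "1e3" and "&H10", so check the shape first
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,3}$"
    ValidAge = False
    If re.Test(s) Then ValidAge = (CInt(s) >= 0 And CInt(s) <= 150)
End Function

' --- Collect the posted fields and validate every one of them ---
Dim userName, email, age, errors
userName = Trim(Request.Form("name"))
email    = Trim(Request.Form("email"))
age      = Trim(Request.Form("age"))
errors   = ""

If Not ValidName(userName) Then errors = errors & "Name is required (letters, spaces, ' and - only).<br>"
If Not ValidEmail(email)   Then errors = errors & "A valid e-mail address is required.<br>"
If Not ValidAge(age)       Then errors = errors & "Age must be a whole number between 0 and 150.<br>"

If errors <> "" Then
    ' Stop before touching the database; report back to the user
    Response.Write "<p>" & errors & "</p>"
    Response.End
End If

' --- The pattern to avoid: concatenation makes user input part of the SQL text ---
' sql = "INSERT INTO Contacts (Name, Email, Age) VALUES ('" & userName & "', '" & email & "', " & age & ")"
' conn.Execute sql

' --- Parameterized stored procedure call: the values travel as typed
'     parameters, never as SQL text, so a quote in the input is only a quote ---
Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STRING

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "usp_InsertContact"      ' assumed procedure name
cmd.CommandType = adCmdStoredProc
cmd.Parameters.Append cmd.CreateParameter("@Name",  adVarChar, adParamInput, 100, userName)
cmd.Parameters.Append cmd.CreateParameter("@Email", adVarChar, adParamInput, 255, email)
cmd.Parameters.Append cmd.CreateParameter("@Age",   adInteger, adParamInput, ,    CInt(age))
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd = Nothing
Set conn = Nothing

Response.Write "<p>Thank you, your details were saved.</p>"
%>
```

The declared parameter types and sizes are the second line of defence Ken refers to: a value that is too long for its varchar parameter, or not an integer for @Age, is rejected by ADO or SQL Server before the procedure runs, independently of whether the VBScript checks caught it. The validation functions return True or False rather than writing output, so they can be reused from other pages or tested in isolation.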


