.NET Code Access Security - Regular Expression Input Validation
In a previous lesson, I talked about preventing Cross-Site Scripting (XSS) as part of a security strategy. Today, I will cover another topic in security strategy and implementation: basic validation and where it should be done.
As a secure programmer and architect, you should realize that data validation needs to be done at every layer. The .NET Framework provides many tools to accomplish that goal. We must not assume that, because the user interface is supposed to validate the data, the data will be clean by the time it reaches the business controller/business layer. That assumption violates the main rule, which is to NEVER TRUST USER INPUT.
Regular expressions can be a powerful tool for data validation. They can also be quite complex and mind-boggling once you get into exceptions for every rule, and the regular expression syntax itself can be quite cryptic. Luckily, there are many sites and utilities to create these on the fly without a deep knowledge of the syntax. We can use regular expressions to constrain input, apply formatting, match patterns, and even check the length of input.
Here are some examples of regular expression tools:
RegExDesigner .NET (free)
RegExBuddy ($29.95)
If you wish to learn the whole regular expression syntax, here is a link that provides some guidance:
Now that we have some of the basics out of the way, let's dive deeper into what .NET has to offer with regard to regular expressions. We will look at two separate areas: one for ASP.NET and the other using the System.Text.RegularExpressions namespace.
ASP.NET has several built-in validator classes. The RegularExpressionValidator class lets the implementer validate a particular control on the page.
As an example of how to implement regular expression validation, let's do one for a US ZIP code:
1.  Add the TextBox control for the zip code to the page and call it txtZipCode.
2.  Add the RegularExpressionValidator to the page.
3.  Set the ControlToValidate property on the RegularExpressionValidator to txtZipCode.
4.  Set the ValidationExpression to "(?<zip>\d{5})(?:-(?<suffix>\d{4}))?"
5.  Set the ErrorMessage to show a message such as "Invalid Zip Code."
Below is the finished markup for the solution above (note that ControlToValidate must be set, as in step 3, or the validator has nothing to check):
<asp:TextBox ID="txtZipCode" runat="server" />
<asp:RegularExpressionValidator ID="regexZipCode" runat="server"
     ControlToValidate="txtZipCode"
     ErrorMessage="Invalid Zip Code."
     ValidationExpression="(?<zip>\d{5})(?:-(?<suffix>\d{4}))?" />
In other instances, you can make use of the power of regular expressions through the System.Text.RegularExpressions namespace. The Regex class can be used to match patterns as well as perform replacements. If you know regular expressions, this class can become very powerful.
Now let's take the example from above and use the Regex class instead. Here is the basic code:
// Regex.IsMatch looks for the pattern anywhere in the input, so anchor it with ^ and $ to reject
// input such as "abc12345xyz"; the @ verbatim string keeps \d from being read as a C# escape sequence.
if (!Regex.IsMatch(txtZipCode.Text, @"^(?<zip>\d{5})(?:-(?<suffix>\d{4}))?$"))
    throw new ArgumentException("Invalid Zip Code."); // Handle error
For performance reasons, use the static Regex.IsMatch method when possible.
Best Practices
When dealing with input validation, it is a best practice to keep validation functions in a centralized area for re-use. For my purposes, I usually use an internal sealed class called ArgumentValidation which takes in my arguments and throws exceptions should there be a violation of the rules.
Another best practice is to have a set of regular expression constants for your application. I find it best to have constant strings for types such as:
*  Phone Number - ((\(\d{3}\) ?)|(\d{3}-))?\d{3}-\d{4}
*  Email - \w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*
*  Social Security Number - \d{3}-\d{2}-\d{4}
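To show how the centralized ArgumentValidation class and the pattern constants fit together, here is an added example (my own illustration, not code from the original post). It uses the post's patterns, anchored with ^ and $ so Regex.IsMatch cannot accept a substring, and assumes the three-argument Regex constructor with a match timeout that exists from .NET 4.5 onward.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical centralized validator in the style of the ArgumentValidation class described above.
// Patterns are compiled once and given a match timeout so a pathological input cannot tie up the thread.
internal static class ArgumentValidation
{
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(250);

    public const string ZipCodePattern     = @"^(?<zip>\d{5})(?:-(?<suffix>\d{4}))?$";
    public const string PhoneNumberPattern = @"^((\(\d{3}\) ?)|(\d{3}-))?\d{3}-\d{4}$";
    public const string EmailPattern       = @"^\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$";
    public const string SsnPattern         = @"^\d{3}-\d{2}-\d{4}$";

    // Note: in .NET, \d matches any Unicode decimal digit, not only 0-9; use [0-9] if ASCII is required.
    private static readonly Regex ZipCodeRegex     = new Regex(ZipCodePattern, RegexOptions.Compiled, MatchTimeout);
    private static readonly Regex PhoneNumberRegex = new Regex(PhoneNumberPattern, RegexOptions.Compiled, MatchTimeout);
    private static readonly Regex EmailRegex       = new Regex(EmailPattern, RegexOptions.Compiled, MatchTimeout);
    private static readonly Regex SsnRegex         = new Regex(SsnPattern, RegexOptions.Compiled, MatchTimeout);

    public static string ZipCode(string value, string paramName)     { return Validate(ZipCodeRegex, value, paramName, "zip code"); }
    public static string PhoneNumber(string value, string paramName) { return Validate(PhoneNumberRegex, value, paramName, "phone number"); }
    public static string Email(string value, string paramName)       { return Validate(EmailRegex, value, paramName, "e-mail address"); }
    public static string Ssn(string value, string paramName)         { return Validate(SsnRegex, value, paramName, "social security number"); }

    // Returns the value when it is well-formed; throws otherwise so callers cannot ignore the result.
    private static string Validate(Regex regex, string value, string paramName, string what)
    {
        // A RegularExpressionValidator passes empty input through unless a RequiredFieldValidator
        // is also present, so the business layer checks for missing values itself.
        if (string.IsNullOrEmpty(value))
            throw new ArgumentNullException(paramName, "A " + what + " is required.");
        try
        {
            if (!regex.IsMatch(value))
                throw new ArgumentException("Invalid " + what + ".", paramName);
        }
        catch (RegexMatchTimeoutException)
        {
            // Input that exceeds the match timeout is treated as invalid, not as an internal error.
            throw new ArgumentException("Invalid " + what + ".", paramName);
        }
        return value;
    }
}

// Usage from a business-layer constructor or setter (hypothetical field name):
//   this.zipCode = ArgumentValidation.ZipCode(txtZipCode.Text, "zipCode");  // "12345-6789" passes, "1234" throws
```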
And the list could go on from there. These are just a few simple examples of how we can validate more of the information going into our application. By using the power of regular expressions we make our applications more secure and get better data as well.
Posted on Wednesday, May 24, 2006 1:14 PM in Microsoft, .NET, C#, ASP.NET
Copyright © Matthew Podwysocki