ADO.NET 2.0 Security Guidelines - Input / Data Validation

From Guidance Share

Jump to: navigation, search

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe


Use Regular Expressions to Validate Input by Comparing with Expected Patterns

Use regular expressions to constrain the acceptable range of input characters and to check lengths. For pattern-based fields, such as tax identification numbers, ZIP codes, or postal codes, use expressions to validate the input with the expected pattern of acceptable characters.

In your data access routines, use the instance or static IsMatch method of the System.Text.RegularExpressions Regex class to validate input, as shown in the following example.

using System.Text.RegularExpressions;
// Instance method:
Regex reg = new Regex(@"^[a-zA-Z'.]{1,40}$");

// Static method:
if (!Regex.IsMatch(name, 
 // Name does not match schema

For performance reasons, you should use the static IsMatch method where possible, to avoid unnecessary object creation. For more information, see "How To: Use Regular Expressions to Constrain Input in ASP.NET" at

If You Use ASP.NET, Use ASP.NET Validator Controls

If you are using ASP.NET, use the ASP.NET validator controls to constrain and validate input in the presentation layer of your application. ASP.NET validator controls validate the associated control on the server and they provide a client-side implementation to perform validation on the client.

  • Use RegularExpressionValidator to constrain text input.
  • Use RangeValidator to check the ranges of numeric, currency, date, and string input.
  • Use CustomValidator for custom validation, such as ensuring that a date is in the future or in the past.

For more information, see "How To: Use Regular Expressions to Constrain Input in ASP.NET," at

Do Not Rely on ASP.NET Request Validation

The ASP.NET request validation feature performs basic input validation. Do not rely on it. Use it as an extra precautionary measure in addition to your own input validation. Only you can define what constitutes good input for your application.

Request validation is enabled by default. You can see this by examining the validateRequest attribute, which is set to True on the <pages> element in the Machine.config.comments file. Make sure that it is enabled for all pages except those that need to accept a range of HTML elements.

Validate Untrusted Input Passed to Data Access Methods

If your data access code cannot trust the data passed to it, your data access code should validate the input. Two common situations where you need to provide validation in your data access code are the following:

  • Untrusted clients. If data can come from an untrusted source or you cannot guarantee how well the data has been validated and constrained, add validation logic that constrains input to your data access routines.
  • Library code. If your data access code is packaged as a library designed for use by multiple applications, your data access code should perform its own validation, because you can make no safe assumptions about the client applications.

For performance reasons, you might not want to duplicate validation logic in your data access code and in your application's presentation or business layers. However, you should only omit validation from your data access methods after carefully considering your application's trust boundaries. Omit the additional layer of validation only if you can be sure that the data passed to your data access code comes from a source inside the same trust boundary and has previously passed through validation code.

Personal tools