ASP.NET MVC: Is Data Annotation Validation Enough?

Question

I'm using the Data Annotation validation extensively in ASP.NET MVC 2. This new feature has been a huge time saver, as I'm now able to define both client-side validation and server-side validation in one place. However, while I was doing some detailed testing, I realized that it's quite easy for someone to bypass the server-side validation if I relied on Data Annotation validation alone. For example, if I defined a required field by annotating the property with the [Required] attribute and placed a textbox for that required field in a form, a user could simply remove the textbox from the DOM (which can easily be done through Firebug) and now the Data Annotation validation will not be triggered on that property during ModelBinding inside of a Controller. To ensure that the "required" validation is triggered, I can repeat the validation after ModelBinding happens, but then I'd be repeating my validation logic.

What is everyone's recommendation on validation? Is Data Annotation validation enough? Or does the validation need to be repeated to ensure that validations get triggered in all situations?

Follow-up comment: Based on the answers below, it seems that I can't rely on the Model Binder and Data Annotation validation alone. Since we're concluding that additional server-side validation is required, is there an easy way for my Service layer to trigger validation based on what's been defined in the Data Annotations? It seems that this will get us the best of both worlds...we won't need to repeat the validation code, but we'll still ensure that the validation gets executed even if Model Binder doesn't trigger it.

I'm going to post this follow-up comment as a separate question, since it raises a different issue than the original one.

Recommended answer

I think to be vigilant concerning security you should choose to make server validation the priority and ensure that this is always your fallback. Your server validation should work without the client validation. Client validation is more for UX, and though that is paramount to your design, it is secondary to security. With this in mind you will find yourself repeating your validation. A goal is often trying to design your app so that the server and client validation can be integrated as much as possible to reduce the work required to validate on the server and the client. But be assured you must do both.

If bypassing the client validation (by means of DOM manipulation) is avoiding the server validation (which it seems you are indicating) then your server validation for this instance may not be employed appropriately. You should be invoking your server validation again in your controller action or in a service layer. The scenario you describe should not be defeating your server validation.

With the scenario you describe, the DataAnnotation attributes method should be sufficient. It seems that you simply need to make a few code changes to ensure that your server validation is invoked also when submitting the form.
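
Added example (not part of the original question or answer): one way a service layer can re-run the rules declared in the Data Annotations, so that a field removed from the posted form still fails `[Required]`. It assumes .NET 4 or later, where `System.ComponentModel.DataAnnotations.Validator` is available; `SignupModel`, `AnnotationValidator` and `SignupService` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Hypothetical model: the annotations stay the single source of validation rules.
public class SignupModel
{
    [Required]
    public string Email { get; set; }

    [Required, StringLength(50)]
    public string DisplayName { get; set; }
}

public static class AnnotationValidator
{
    // Checks every annotated property on the object itself, so the result
    // does not depend on which fields the posted form happened to contain.
    public static IList<ValidationResult> Validate(object model)
    {
        var results = new List<ValidationResult>();
        var context = new ValidationContext(model, null, null);
        Validator.TryValidateObject(model, context, results, validateAllProperties: true);
        return results;
    }
}

// Hypothetical service-layer entry point: validates before doing any work.
public class SignupService
{
    public IList<ValidationResult> Register(SignupModel model)
    {
        // A non-empty list means the request is rejected; an empty list
        // means the caller may go on to persist the model.
        return AnnotationValidator.Validate(model);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: the Email textbox was removed from the DOM,
        // so model binding left the property null.
        var tampered = new SignupModel { DisplayName = "alice" };
        foreach (var error in new SignupService().Register(tampered))
            Console.WriteLine(error.ErrorMessage);
    }
}
```

A controller action can copy the returned errors into `ModelState` so the view shows them the same way it shows binder-generated errors.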
