1

Currently I have a website with a simple signup form in html, this is the code:

<div class="grid_6 push_3 block alpha">

        <div class="grid_6 form_block alpha  omega">
            <label>שם משתמש</label>
        </div>

        <div class="grid_6 form_block alpha  omega">
            <input type="text" id="username" name="username" pattern="^\S{4,}$" required />
        </div>


        <div class="grid_6 alpha omega  form_block">
            <label>סיסמא</label>
        </div>

        <div class="grid_6 form_block alpha  omega">
            <input type="password" id="password" name="password" pattern="^\S{6,}$" required title="סיסמא צריכה להכיל לפחות 6 תווים" />
        </div>


        <div class="grid_6 alpha omega  form_block">
            <label>וודא סיסמא</label>
        </div>

        <div class="grid_6 form_block alpha  omega">
            <input type="password" id="password2" pattern="^\S{6,}$" required />
        </div>


        <div class="grid_6 alpha omega  form_block">
            <label>כתובת אימייל</label>
        </div>

        <div class="grid_6 form_block alpha  omega">
            <input id="email" name="email" type="email" required pattern="[^@]+@[^@]+\.[a-zA-Z]{2,6}" />
        </div>


        <div class="grid_6 alpha omega  form_block">
            <label>וודא כתובת אימייל</label>
        </div>

        <div class="grid_6 form_block alpha  omega">
            <input type="email" id="email2" required pattern="[^@]+@[^@]+\.[a-zA-Z]{2,6}" />
        </div>

        <div class="grid_6 form_block alpha  omega">
            <input name="submit" type="submit" onclick="return validateForm()" value="שלח" />
        </div>

    </div>

(Its actually being wrapped in tags from the master page, this is the master:

<%@ Master Language="C#" AutoEventWireup="true" CodeFile="MasterPage.master.cs" Inherits="MasterPage" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <link href="css/reset.css" rel="stylesheet" />
    <link href="css/text.css" rel="stylesheet" />
    <link href="css/963_9_10_10.css" rel="stylesheet" />
    <link href="css/style.css" rel="stylesheet" />
    <asp:ContentPlaceHolder ID="head" runat="server">
    </asp:ContentPlaceHolder>
</head>
<body dir="rtl">
<form runat="server">
        <div class="container_9">

            <div class="header grid_9">
                <a href="Default.aspx"><h1>סיכומים.נט</h1></a>
            </div>
            <!-- END HEADER -->

            <nav>
                <ul class="clearfix grid_6 push_3">
                   <a href="literature.aspx"> <li class="grid_1 alpha literature">ספרות</li></a>
                   <a href="language.aspx"> <li class="grid_1 language">לשון</li></a>
                    <a href="civics.aspx"><li class="grid_1 civics">אזרחות</li></a>
                    <a href="history.aspx"><li class="grid_1 history">היסטוריה</li></a>
                   <a href="bible.aspx"> <li class="grid_1 bible">תנך</li></a>
                   <a href="english.aspx"> <li class="grid_1 omega english">אנגלית</li></a>
                </ul>
            </nav>

            <div class="grid_3 pull_6" id="search">

            <input type="text" id="search_box" placeholder="הקלד מילות חיפוש"/>
            <input type="submit" value="חפש" id="search_button"/>
            </div> 

            <asp:ContentPlaceHolder ID="ContentPlaceHolder1" runat="server">
            </asp:ContentPlaceHolder>

            <footer class="grid_9">
              2013 © כל הזכויות שמורות לסיכומים.נט
            </footer>

        </div>
        <!-- END CONTAINER -->
 </form>   
</body>
</html>

I also have a signup.aspx.cs file that inserts the signup information into the database as follows:

public partial class signup : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.Form["submit"] != null) {
            register1();
        }

    }

    public void register1()
    {     
      string sql = "INSERT INTO [userinfo] ([username], [password], [email]) VALUES (N'" + Request.Form["username"] + "', N'" + Request.Form["password"] + "', N'" + Request.Form["email"] + "')";
        Database.UpdateData(sql);
    }
}

I think i'm doing everything right so far (I'm a beginner in anything beyond html/css) but correct me if I've made any errors.

What I want to do now is validate my form input server-side before I insert it into my database. I want to check that it obeys all my rules, char-lengths, matching fields and so forth - and also that the username/email isn't taken already.

I'm currently doing some basic javascript validation but I understand that isn't sufficient security wise.

an explanation (as simple as possible) as to what I have to go about doing now, would be great. Ideally i would like to return to the signup page and list the errors at the top of the form in a customizable way.

thanks

Improve this question

2 Answers 2

Reset to default
3

The RegularExpressionValidator and CompareValidator are going to be your friends here.

For example:

<asp:RegularExpressionValidator id="valEmail" ControlToValidate="email" 
ValidationExpression="[^@]+@[^@]+\.[a-zA-Z]{2,6}" 
EnableClientScript="false" ErrorMessage="The email is invalid!" 
runat="server" />

And:

<asp:CompareValidator id="valEmails"
ControlToValidate="email" ControlToCompare="email2" Type="String"
EnableClientScript="false" Text="The email addresses must match!" 
runat="server" />

Optionally, you can wrap them all neatly in a ValidationSummary control.

Finally, check Page.IsValid in your codebehind.

protected void Page_Load(object sender, EventArgs e)
{
    if (Request.Form["submit"] != null && Page.IsValid) 
    {
        register1();
    }
}

You can read about the other validation controls here.

Finally, fix your SQL so it's not vulnerable to SQL Injection:

string sql = "INSERT INTO [userinfo] ([username], [password], [email]) VALUES (N'" + Request.Form["username"].Replace("'","''") + "', N'" + Request.Form["password"].Replace("'","''") + "', N'" + Request.Form["email"].Replace("'","''") + "')";
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

This doesn't work on my current inputs, do I have to use asp inputs instead?
When trying to use your code to fix the SQL injection I'm getting an error saying the replace() function does not exist
1

You may want to use Asp.net server validation controls and Validation Summary Control

By using this control you can be sure that all rules will be followed. You can check it server side by using 

if(page.IsValid)
{
  //Code goes here

}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.