V24.1

Validate User Input


Input validation helps protect your application against security threats and external attacks. Always validate user input to mitigate risks, unauthorized data manipulation, and injection attacks.

DevExpress ASP.NET Web Forms controls validate user input on both the client and server.

Server-Side Validation

Server-side validation occurs once a control sends its new value to the server. DevExpress Data Editors also validate values assigned during editor initialization. If the newly assigned value is invalid, the control retains its previous valid value.

Specify the following settings to validate user input on the server:

  • IsRequired: Specifies whether an editor is a required field.
  • ValidationExpression: Specifies an editor’s value pattern.

Handle the Validation event to implement custom validation logic. The Value event argument allows you to obtain the current value. To force users to correct this value, set the IsValid argument to false.

The following code snippet implements server-side validation for TextBox controls:

<dx:ASPxTextBox runat="server" ID="NameTextBox" OnValidation="NameTextBox_Validation">
    <ValidationSettings SetFocusOnError="True" ErrorText="Name must be at least two characters long">
        <RequiredField IsRequired="True" ErrorText="Name is required" />
    </ValidationSettings>
    <InvalidStyle BackColor="LightPink" />
</dx:ASPxTextBox>
<dx:ASPxTextBox runat="server" ID="EmailTextBox">
    <ValidationSettings SetFocusOnError="True">
        <RegularExpression ErrorText="Invalid e-mail" 
                           ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" />
        <RequiredField IsRequired="True" ErrorText="E-mail is required" />
    </ValidationSettings>
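    <InvalidStyle BackColor="LightPink" />
</dx:ASPxTextBox>

protected void NameTextBox_Validation(object sender, ValidationEventArgs e) {
    // A null or non-string value is rejected instead of throwing a NullReferenceException.
    var name = e.Value as string;
    if (name == null || name.Length < 2)
        e.IsValid = false;
}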

Client-Side Validation

Handle the client-side Validation event to implement custom validation logic. The value event argument allows you to obtain the current editor value. To force users to correct this value, set the isValid argument to false.

Important

You should always use client-side validation in conjunction with server-side validation. Client-side validation is designed to improve usability and optimize server load. If a threat actor manages to bypass client-side validation and sends an invalid value to the server, server-side validation helps prevent that value from being accepted.

The following code snippet validates user input on both the client and server:

<script type="text/javascript">
    function onNameValidation(s, e) {
        var name = e.value;
        if (name == null)
            return;
        if (name.length < 2)
            e.isValid = false;
    }
</script>
<dx:ASPxTextBox runat="server" EnableClientSideAPI="True" ID="NameTextBox" ClientInstanceName="Name"
                OnValidation="NameTextBox_Validation">
    <ClientSideEvents Validation="onNameValidation" />
    <ValidationSettings SetFocusOnError="True" ErrorText="Name must be at least two characters long">
        <RequiredField IsRequired="True" ErrorText="Name is required" />
    </ValidationSettings>
    <InvalidStyle BackColor="LightPink" />
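</dx:ASPxTextBox>

protected void NameTextBox_Validation(object sender, ValidationEventArgs e) {
    // A null or non-string value is rejected instead of throwing a NullReferenceException.
    var name = e.Value as string;
    if (name == null || name.Length < 2)
        e.IsValid = false;
}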
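
The server-side handler above, extended as an added example (not DevExpress code): it re-checks both fields without relying on what the client-side script did, rejects whitespace-only names, and bounds regular expression matching time. The ContactForm class name, the EmailTextBox_Validation handler, the 254-character cap and the 250 ms timeout are assumptions made for this example.

```csharp
using System;
using System.Text.RegularExpressions;
using DevExpress.Web;

// Added example. Rules live in one place so every server entry point applies them.
public static class ServerInputRules {
    // The page's e-mail pattern, anchored with \A and \z so the whole value must match.
    const string EmailPattern = @"\A\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*\z";
    const int MaxEmailLength = 254;                                         // assumed cap
    static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(250); // assumed budget

    // Each method returns null for an acceptable value, otherwise the error text.
    public static string CheckName(object raw) {
        var name = raw as string;                 // non-string values become null
        if (string.IsNullOrWhiteSpace(name)) return "Name is required";
        if (name.Trim().Length < 2) return "Name must be at least two characters long";
        return null;
    }

    public static string CheckEmail(object raw) {
        var email = raw as string;
        if (string.IsNullOrEmpty(email)) return "E-mail is required";
        if (email.Length > MaxEmailLength) return "Invalid e-mail";
        try {
            bool ok = Regex.IsMatch(email, EmailPattern, RegexOptions.None, MatchTimeout);
            return ok ? null : "Invalid e-mail";
        } catch (RegexMatchTimeoutException) {
            return "Invalid e-mail";              // fail closed when matching runs too long
        }
    }
}

public partial class ContactForm : System.Web.UI.Page {   // hypothetical page class
    protected void NameTextBox_Validation(object sender, ValidationEventArgs e) {
        Reject(e, ServerInputRules.CheckName(e.Value));
    }
    // Assumes OnValidation="EmailTextBox_Validation" is added to the EmailTextBox markup.
    protected void EmailTextBox_Validation(object sender, ValidationEventArgs e) {
        Reject(e, ServerInputRules.CheckEmail(e.Value));
    }
    static void Reject(ValidationEventArgs e, string error) {
        if (error == null) return;
        e.IsValid = false;
        e.ErrorText = error;
    }
}
```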

Validate List Editor Values

Combo Box, List Box, and Token Box editors allow users to enter and select values that do not exist in the bound item collection. Set an editor’s DataSecurityMode property to Strict to prevent users from setting the editor’s Value to a value that does not exist in the Items collection.

<dx:ASPxTokenBox ID="TokenBox" runat="server" DataSourceID="AddressBook" TextField="Name" ValueField="Email"
    DataSecurityMode="Strict">
</dx:ASPxTokenBox>

You can enable client-side API members for a list editor to add and remove list items on the client. For security reasons, list editors do not update their associated server-side Items collection in response to client-side item modifications. We do not recommend that you enable synchronization (set EnableSynchronization to True) to bypass this behavior as it may introduce unexpected security-related issues.

Limit User Input

In addition to validation, you can specify the following properties to limit user input options:

  • AllowGrayed
  • AllowNull
  • Mask
  • MaxLength and MinLength
  • MaxDate and MinDate
  • MaxDayCount and MinDayCount
  • MaxValue and MinValue

The following code snippet limits user input in Grid View columns:

<dx:ASPxGridView ID="grid" runat="server" DataSourceID="DataSource1" KeyFieldName="CustomerID">
    <Columns>
        <dx:GridViewCommandColumn ShowEditButton="true" />
        <dx:GridViewDataTextColumn FieldName="UserName">
            <PropertiesTextEdit MaxLength="20" />
        </dx:GridViewDataTextColumn>
        <dx:GridViewDataDateColumn FieldName="BirthDate">
            <PropertiesDateEdit MinDate="1920-01-01" MaxDate="2010-01-01" AllowNull="False" />
        </dx:GridViewDataDateColumn>
        <dx:GridViewDataSpinEditColumn FieldName="Age">
            <PropertiesSpinEdit MinValue="14" MaxValue="100" AllowNull="False" />
        </dx:GridViewDataSpinEditColumn>
    </Columns>
    <SettingsEditing Mode="Batch" />
</dx:ASPxGridView>

See Also

Refer to the following topics for additional data validation-related information:

Validation does not protect your application from cross-site scripting (XSS) attacks. Refer to the following help topic to better protect your web app from XSS attacks: HTML Encoding.