Validate model regular expression in controller in asp.net MVC 4 - asp.net-mvc-4

I am using ASP.Net MVC 4 and created model and validation like this
[Required]
[Display(Name = "Full Name")]
[StringLength(50)]
[RegularExpression("^[a-zA-Z0-9 -']+$", ErrorMessage = "Invalid {0}")]
public String FullName { get; set; }
It is validating properly on clint side.
I am already checking
if(!ModelState.IsValid)
return View(Model);
But when validating with IBM AppScan, it posts data directly like John' or 1 = 1 -- and shows issue of Blind Sql Injection.
Debug the code and try to change the full name value to John' or 1 = 1 -- and ModelState is still showing valid.
I want to validate the model RegEx in controller, is there any way to validate it in controller?

Blind SQLi testing is often a hit & miss in terms of automated application security test tools. Try to do a retest in appscan using a single thread on the Blind SQLi issue and see if it'd just simply be removed as false positive.

Related

why does a nullable datetime trying to validate the date, when it is empty?

I am building an MVC 4 application. I have the following property
[Display(Name = "ExpiryDateLabel", ResourceType = typeof(Resources.Manage.PrereqDetail))]
public DateTime? ExpiryDate { get; set; }
in my View when i post it back with an empty value it says
The field Expiry Date: must be a date
why is that happening?
Looks like you are doing localization on ExpiryDate property and if you are using jQuery validation, you might wanna check following post explaining the solution to same problem.
How to fix regional settings for jQuery datepicker so it works in Firefox and IE7?

ASP.Net MVC validation message localization

I have an application that I use for localization. I have added the necessary resource files for the different languages and I get the localized string for labels based on the current culture. So that's fine. I have also added the DataAnnotations for Required like below :
[Display(Name = "Date_Of_Birth", ResourceType = typeof(i18n.Resources.Generic))]
[Required(ErrorMessageResourceType = (typeof(i18n.Resources.Generic)), ErrorMessageResourceName = "InvalidDate")]
[DataType(DataType.Date)]
public DateTime Date_Of_Birth { get; set; }
I have localized the error message and have the corresponding values stored against "InvalidDate". However, I do not get the correct full error message. I get the default "required" message which is a mix of English and the current culture.For example, I get, The field XXXX is required where XXXX is the name of the field in the localized format.
Why is the localized error message not being picked up from the correct localized files?
Thanks in advance for any help.

Required attribute in Data Annotations

I'm using MVC 4 and Entity Framework 5 to build my website. To validate data in client side, I use Data Annotations. Here is my property in View Model:
public int Salary { get; set; }
As you can see, I don't put any annotation there. Also, in my database, the Salary column was marked as Allow null.
My problem is whenever I submit my form, the ModelState is invalid because of this property. It thinks that this property is required and display error on client side.
Do you know what causes the problem? Please help me. Thanks a lot.
The issue you are having is because the default constructor initializes the property to 0. If you want to allow nulls do this:public int? Salary { get; set; }

JsonConvert.DeserializeObject - Handling Empty Strings

I am using Json.NET to serialize an object to be sent to a compact framework 3.5 device (lucky me).
My class on the compact device is:
public class Specification
{
public Guid Id { get; set; }
public String Name { get; set; }
public String Instructions { get; set; }
}
The Json being returned sent to the device is (notice the null for instructions):
string json = #"{""Name"":""Test"",""Instructions"":null,""Id"":""093a886b-8ed4-48f0-abac-013f917cfd6a""}";
...and the method being used to deserialize the json is...
var result = JsonConvert.DeserializeObject<Specification>(json);
On the server I'm using the following to create the Json:
var serializer = new JsonSerializer();
serializer.Formatting = Formatting.None;
serializer.Serialize(context.HttpContext.Response.Output, this.Data);
The problem is that on the compact framework, it's failing to put a value into result.Instructions which is causing a null reference when it is referenced later in the code.
I'm using Newtonsoft.Json.Compact v3.5.0.0 (I think that's the latest version), and on the server I'm using Newtonsoft.Json 4.5.0.0.
Question
How can I either:
a) Change the server code to stick a "" instead of a null value in where a string is null.
or
b) Change the compact framework code to be able to handle null value strings.
Things I've tried
I've been looking through the documentation/examples of Json.Net and have tried a multitude of things like a implementing a DefaultContractResolver, and a custom JsonContract. Maybe the answer lies within those but my lack of understanding of Json.Net at this level isn't helping!!
Further info
I was using System.Runtime.Serialization.Json.DataContractJsonSerializer for the server side serialisation, which did generated quotes in the event of empty strings. Unfortunately, I need more flexibility with the serialization which is why I've started using Json.Net.
Any hints/tips appreciated.
OK - no answers, but having search all yesterday afternoon I went to bed, and search again this morning to find: Serializing null in JSON.NET, which pretty much answers my question.

Getting the message from jquery validation when using UnobtrusiveJavaScript

Hey there StackOverflow enthusiasts.
I am attempting to update an old site of mine to the newest edition of Asp.net MVC4. It was previously on MVC2, and on MVC2 it allowed me to pretty much separate my jquery and client side stuff from any of the backend stuff. But I guess with MVC4 they want you to have a lot of your validation stuff tied directly to your models and so on.
But I have a client side jquery validation script that was working pretty well before, and I was wondering, how can I get it to work again. Specifically, I had a field that would not be validated if the user entered in more than 4000 characters. Otherwise it would not be required. Here is the client side code that worked before in MVC2....
Comment: {
required: function (element) {
return $(element).val().length > 4000;
},
maxlength: 4000
}
and the message that would be displayed if validation was not passed...
messages: {
...
Comment: 'Why dont you stop attempting to put in more than 4000 characters? Thanks...'
}
How can I do that with MVC four? To get anything to display in another field I noticed I needed to put a required over the field in my model...
[Required(ErrorMessage = "Please select an Admit Date")]
public DateTime? AdmitDate { get; set; }
Is there a way to write a requirement function so that it is only required under certain circumstances? I would prefer to keep it client side to keep my concerns separate if you know what I mean. Any help would be appreciated.
You can use [Required] and [StringLength] to constrain the input on your Comment.
[Required(ErrorMessage = "Please fill in a comment")]
[StringLength(4000, ErrorMessage = "Why dont you stop attempting to put in more than 4000 characters? Thanks...")]
public string Comment { get; set; }
Conditional required constraints are not covered by default data annotations. The default way of handling 'complex' validations is by implementing the IValidatableObject interface on your model.
However, since you are looking for a client-side solution, we can look at other frameworks that may solve this problem for you. For instance, MVC Foolproof Validation supports a [RequiredIf] attribute that also works client-side.