I am confused between ASP.NET Request validation and server-side validation.
If we set ValidateRequest="false", as follows.
<%@ Language="C#" ValidateRequest="false" %>
<html>
<script runat="server">
    void btnSubmit_Click(Object sender, EventArgs e)
    {
        // If ValidateRequest is false, then 'hello' is displayed
        // If ValidateRequest is true, then ASP.NET returns an exception
        Response.Write(txtString.Text);
    }
</script>
<body>
    <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server"
            Text="<script>alert('hello');</script>" />
        <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click"
            Text="Submit" />
    </form>
</body>
</html>
Then can we use server-side validation such as RequiredFieldValidator Control?
Are they different things? But they both have validate key words.
Thanks for explaining them.
Yes, they are different.
ValidateRequest causes an error to be thrown and aborts the request if any of the submitted form field values contain “dangerous” values, such as that script tag you have there, to prevent script injection attacks.
The validator controls such as RequiredFieldValidator do not stop page processing if they fail. They are to help you process your rules and typically have nothing to do with protecting the server or application from attack.
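The two mechanisms side by side, as an added example that is not part of the original posts: the page from the question with request validation still off, a RequiredFieldValidator for the business rule, and output encoding doing the work that request validation no longer does. The control ids reqString and litEcho and the error message are assumptions made for this example.

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<%-- Added example. Request validation is off for this page, so the code
     must neutralise markup itself. On ASP.NET 4.0 and later the page-level
     setting only takes effect when web.config also contains
     <httpRuntime requestValidationMode="2.0" />. --%>
<html>
<script runat="server">
    void btnSubmit_Click(Object sender, EventArgs e)
    {
        // Validator controls do not abort the request: this handler still
        // runs when validation fails, so check Page.IsValid explicitly.
        if (!Page.IsValid)
        {
            return;
        }

        // Encode on output so submitted markup such as
        // <script>alert('hello');</script> is rendered as text
        // instead of being executed by the browser.
        litEcho.Text = Server.HtmlEncode(txtString.Text);
    }
</script>
<body>
    <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server" />
        <%-- reqString (hypothetical id) enforces "field must not be empty".
             EnableClientScript="false" keeps the check on the server only,
             which makes the Page.IsValid test above observable. --%>
        <asp:RequiredFieldValidator id="reqString" runat="server"
            ControlToValidate="txtString"
            EnableClientScript="false"
            ErrorMessage="A value is required." />
        <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click"
            Text="Submit" />
        <%-- litEcho (hypothetical id) replaces the raw Response.Write. --%>
        <asp:Literal id="litEcho" runat="server" />
    </form>
</body>
</html>
```

Submitting an empty box shows the validator message and skips the echo; submitting the script tag from the question shows it as literal text on the page.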