Home > Article > Backend Development > Several methods of ASP.NET MVC background parameter verification
Several methods of ASP.NET MVC background parameter verification
- 高洛峰Original
- 2016-12-24 13:27:071529browse
Foreword
Parameter verification is a common problem. Whether it is the front-end or the back-end, user input needs to be verified to ensure the correctness of the system data. For the web, some people may want to just verify it on the front end as a matter of course, but this is a very wrong approach. The front-end code is transparent to users, and people with a little bit of technology can bypass this verification and submit data directly. Go backstage. Whether it is the interface submitted by the front-end web page or the interface provided to the outside, parameter verification can be seen everywhere and is essential. In short, all user input is untrustworthy.
There are many ways to verify parameters. Let's take mvc as an example to list several common verification methods. Suppose there is a user registration method
[HttpPost] public ActionResult Register(RegisterInfo info)
1. Judge through if-if
if(string.IsNullOrEmpty(info.UserName))
{
return FailJson("用户名不能为空");
}
if(string.IsNullOrEmpty(info.Password))
{
return FailJson("用户密码不能为空")
}
Verify the parameters one by one. This method is the crudest, but it was indeed used under WebForm at the time. It's okay for the method with few parameters. If there are more parameters, you have to write n more if-ifs, which is quite tedious. More importantly, this part of the judgment cannot be reused. Another method makes the same judgment.
2. Through DataAnnotation
mvc provides DataAnnotation to verify the Action Model. In the final analysis, DataAnnotation is a series of characteristics that inherit ValidationAttribute, such as RangeAttribute, RequiredAttribute, etc. The virtual method IsValid of ValidationAttribute is used to determine whether the marked object conforms to the current rules. When asp.net mvc performs model binding, it will obtain the marked ValidationAttribute through reflection, and then call IsValid to determine whether the current parameters comply with the rules. If the verification fails, error information will also be collected. This is why we can Use ModelState.IsValid to determine whether the Model verification passes, and use ModelState to obtain the reason for the verification failure. For example, the above example:
public class RegisterInfo
{
[Required(ErrorMessage="用户名不能为空")]
public string UserName{get;set;}
[Required(ErrorMessage="密码不能为空")]
public string Password { get; set; }
}
In fact, this process can also be implemented on webform by referring to the implementation principle of mvc. The advantage of this method is that it is very elegant and flexible to implement. If there are multiple Actions sharing a Model parameter, it is enough to write it in one place. The key is that it makes our code look very concise.
However, this method also has shortcomings. Usually our projects may have many interfaces, such as dozens of interfaces. Some interfaces only have two or three parameters. It is a bit luxurious to define a class packaging parameter for each interface, and in fact it is Naming this class is also a very headache.
3. DataAnnotation can also be marked on parameters
You can see through the AttributeUsage of the verification feature that it can be marked not only on attributes and fields, but also on parameters. In other words, we can also write like this:
public ActionResult Register([Required(ErrorMessage="用户名不能为空")]string userName, [Required(ErrorMessage="密码不能为空")]string password)
It’s OK to write like this, but obviously, it will make the method parameters look ugly, especially when there are multiple parameters, or the parameters have multiple validation rules when.
4. Customize ValidateAttribute
We know that we can use filters to do some processing before the execution of mvc's Action, such as authentication and authorization processing. In the same way, it can also be used to verify parameters. FilterAttribute is a common filter that allows us to do some operations before and after the Action is executed. What we have to do here is to verify the parameters before the Action. If the verification fails, it will no longer be executed.
Define a BaseValidateAttribute base class as follows:
public class BaseValidateAttribute : FilterAttribute
{
protected virtual void HandleError(ActionExecutingContext context)
{
for (int i = ValidateHandlerProviders.Handlers.Count; i > 0; i--)
{
ValidateHandlerProviders.Handlers[i - 1].Handle(context);
if (context.Result != null)
{
break;
}
}
}
}
HandleError is used to handle the results when validation fails. Here ValidateHandlerProviders mentions IValidateHandler for processing the results, which can be registered externally. IValidateHandler is defined as follows:
public interface IValidateHandler
{
void Handle(ActionExecutingContext context);
}
ValidateHandlerProviders is defined as follows, it has a default processor.
public class ValidateHandlerProviders
{
public static List<IValidateHandler> Handlers { get; private set; }
static ValidateHandlerProviders()
{
Handlers = new List<IValidateHandler>()
{
new DefaultValidateHandler()
};
}
public static void Register(IValidateHandler handler)
{
Handlers.Add(handler);
}
}
The purpose of this is that since we may have many specific ValidateAttributes, we can separate this module and leave the final processing to external decisions. For example, we can define a processing in the project Device:
public class StanderValidateHandler : IValidateHandler
{
public void Handle(ActionExecutingContext filterContext)
{
filterContext.Result = new StanderJsonResult()
{
Result = FastStatnderResult.Fail("参数验证失败", 555)
};
}
}
Then register when the application starts: ValidateHandlerProviders.Handlers.Add(new StanderValidateHandler());
ValidateRegexAttribute:
public class ValidateNullAttribute : BaseValidateAttribute, IActionFilter
{
public bool ValidateEmpty { get; set; }
public string Parameter { get; set; }
public ValidateNullAttribute(string parameter, bool validateEmpty = false)
{
ValidateEmpty = validateEmpty;
Parameter = parameter;
}
public void OnActionExecuting(ActionExecutingContext filterContext)
{
string[] validates = Parameter.Split(',');
foreach (var p in validates)
{
string value = filterContext.HttpContext.Request[p];
if(ValidateEmpty)
{
if (string.IsNullOrEmpty(value))
{
base.HandleError(filterContext);
}
}
else
{
if (value == null)
{
base.HandleError(filterContext);
}
}
}
}
public void OnActionExecuted(ActionExecutedContext filterContext)
{
}
}
More verifications can be implemented in the same way.
In this way, our above writing method becomes:
public class ValidateRegexAttribute : BaseValidateAttribute, IActionFilter
{
private Regex _regex;
public string Pattern { get; set; }
public string Parameter { get; set; }
public ValidateRegexAttribute(string parameter, string pattern)
{
_regex = new Regex(pattern);
Parameter = parameter;
}
public void OnActionExecuting(ActionExecutingContext filterContext)
{
string[] validates = Parameter.Split(',');
foreach (var p in validates)
{
string value = filterContext.HttpContext.Request[p];
if (!_regex.IsMatch(value))
{
base.HandleError(filterContext);
}
}
}
public void OnActionExecuted(ActionExecutedContext filterContext)
{
}
}
On the whole, it seems ok, and the above DataAnnotation can be weighed and used. Here we can expand more useful information, such as error descriptions, etc. wait.
Summary
Of course, each method has its shortcomings. This choice depends on the specific situation. Generally, if there are too many parameters, it is recommended to wrap them with an object.
For more related articles on several methods of ASP.NET MVC background parameter verification, please pay attention to the PHP Chinese website!