Reputation: 12437
MVC3 Registration Form best practices
I am creating a simple register form and I wanted to know if anyone could give me a list of some best practices. I understand it may differ between registration forms, but maybe some guidelines or things to watch out for like vulnerabilities. My data access layer will be using Entity FrameWork and linq in order to handle the queries.
Practices that I would think make sense:
- Validate form when the model is binded to the business object (whats the best way to accomplish this?)
- Server-side validation AND client side validation
- Checking for SQL injection? (Any best practices on this?)
- Use dependency injection for my account manager object
My registration fields are going to be the following:
- First Name
- Last Name
- Email (must be an email that HAS to be an email from a select few sites i.e. @gmail.com, @yahoo.com, @live.com)
- School
- Password
- Status (static drop down of 3 or so options)
I would also really like email activation as well where the user would have to go to his or her email in order to make their account active.
Upvotes: 2
Views: 341
Answers (2)
Reputation: 218842
Use client side and Serverside validation.Never trust on Client side validation only.
Use DataAnnotations and jQuery validate pluggin. You do not need to write client side validation function. MVC will do it when you use the HTML Helper methods to render the HTML elements.
Entity Framwork will build parameterized queries. So you do not need to worry about SQL Injection. But if you are manually executing an SQL statement / Stored proc using Entity framework, It is your responsibility to make it parameterized.
Upvotes: 2
Reputation: 8756
- Use the
System.ComponentModel.DataAnnotationsnamesapce for validating your view models. - Yes, do server and client side validations
- Entity Framework already handles SQL injection
- Consider using a "captcha" if you're worried about bots spamming your form submissions
For the email part:
In the past, I've created a database table that maps emails to random generated strings. When you send the complete registration email, provide a link that uses that random string or guid or whatever:
mydomain/completeregistration/7593098573903 whatever
now, once the client follows that link, and you handle that request, mark their registration as complete in the database. (this should also have the effect preventing subsequent requests to that URL)
Upvotes: 2
Related Questions
- What's the best practice or design pattern for user registration?
- Best way to register different types of users asp.net mvc
- ASP.NET user login best practices
- Registration Form using AccountModel.cs with another models MVC3
- Analyze this user registration approach
- MVC3 Registration form and model
- How should I setup Registration controller action?
- working with forms in mvc3
- ASP.NET MVC 3 best practice / design
- form validation ASP.net MVC 3 best practices