ckv

Reputation: 10838

Data annotations in ASP.NET MVC

ASP.NET MVC provides data annotations features. So if we specify the required decorators in the models, the validation is taken care of.

If so, then why should we still be checking for ModelState.IsValid() in our controller? Obviously, only when all the data is valid in the view will the action be called in the controller.

Is this done to double-check the user input?

How does it work?

Upvotes: 2

Views: 498

Answers (3)

Erik Funkenbusch

Reputation: 93474

The first rule of web security is "never trust the client". Just because you have client side validation (which MVC provides by default) doesn't mean that it's impossible for something to get past it.

For instance, a user can disable JavaScript, or you might have a sneaky user who is trying to pull a fast one, and send data themselves, bypassing your form.

The [Required] attribute does two things. First, it sets up client-side validation if it's enabled. In this case, the form isn't submitted if the form is invalid. It also provides server side validation (which is what sets the IsValid flag on the ModelState).

If JavaScript is disabled, or someone tries to submit data manually, then you need the server side check as a last line of defense.

Upvotes: 4

Gary

Reputation: 1895

When you use the decorators in the model, two types of validation are available to you. The first one is client side validation. This is when your model has a property called 'name' and you use something like @Html.TextBoxFor(m => m.name) in your .cshtml file; this puts a textbox on your page with client side JavaScript. You are not writing this JavaScript yourself, it is being added to your page by ASP.NET MVC. You can see it if you view the source code of your page.

The good thing about this is that the client side checking happens before the form gets posted, so the user is not waiting for it to get posted and come back with a validation error. The bad thing is that client side validation can be circumvented. If the user has JavaScript disabled, then it won't happen. Alternatively a malicious user can do a post request himself, rather than filling out your form and pressing submit, so the post is going through without client side validation.

Therefore you need to use the second type of validation available to you - server side validation. When you do ModelState.IsValid(), that is when you are performing server side validation, and it is using your decorators as the basis for this validation. If you don't have this statement here, then you are not performing any server side validation and are relying solely on client side validation (which, as I just mentioned, is a bad idea as it can be circumvented). My rule of thumb is to always use this for any POST requests.

Upvotes: 2
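The server-side half of the two answers above, as an added example that is not from the question or the answerers: the same data-annotation attributes are run on the server by the framework's `Validator`, which is what the model binder does before a controller reads `ModelState.IsValid`. The `RegisterViewModel` and `ServerSideCheck` names and the sample input are constructed for this example; only `System.ComponentModel.DataAnnotations` is needed, so it runs as a console program without the MVC host.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;

// Hypothetical view model. These attributes drive the unobtrusive
// client-side JavaScript AND the server-side check; only the latter
// runs when a request is sent without the form's script.
public class RegisterViewModel
{
    [Required]
    [StringLength(50)]
    public string Name { get; set; }

    [Required]
    [EmailAddress]
    public string Email { get; set; }

    [Range(18, 120)]
    public int Age { get; set; }
}

public static class ServerSideCheck
{
    // Runs every data-annotation validator on the model, as the MVC
    // model binder does before populating ModelState. An empty result
    // corresponds to ModelState.IsValid == true in the controller.
    public static IList<ValidationResult> Validate(object model)
    {
        var results = new List<ValidationResult>();
        var context = new ValidationContext(model, serviceProvider: null, items: null);
        // validateAllProperties: true checks [Range], [EmailAddress] etc.,
        // not just [Required].
        Validator.TryValidateObject(model, context, results, validateAllProperties: true);
        return results;
    }

    public static void Main()
    {
        // Constructed input: what the model binder would produce from a POST
        // body that was sent directly, never passing through the page's script.
        var fromRawPost = new RegisterViewModel { Name = "", Email = "not-an-email", Age = 7 };

        var errors = Validate(fromRawPost);
        Console.WriteLine(errors.Count == 0 ? "valid" : $"{errors.Count} error(s):");
        foreach (var e in errors)
            Console.WriteLine("  " + e.ErrorMessage);
        // Name is required, Email is not a valid address, Age is out of range:
        // three errors, so a controller would take the !ModelState.IsValid branch
        // and redisplay the view instead of saving the data.
    }
}
```

In the controller this same outcome is read as `if (!ModelState.IsValid) return View(model);` at the top of the POST action, before any of the bound values are used.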

TGH

Reputation: 39278

The controller will still be called even with invalid input. Perhaps you have JavaScript validation that stops the request from firing. You should still check on the server though, since users can disable JavaScript.

Upvotes: 2
