mvc input validation best practice question

So I was taking a look through the nerddinner source code and had some questions about input handling.

Here is the code in question:

    [HttpPost]
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
        Justification = "Needs to take same parameter type as Controller.Redirect()")]
    public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl) {

        if (!ValidateLogOn(userName, password)) {
            ViewData["rememberMe"] = rememberMe;
            return View();
        }
        .....
    }

    private bool ValidateLogOn(string userName, string password) {
        if (String.IsNullOrEmpty(userName)) {
            ModelState.AddModelError("username", "You must specify a username.");
        }
        if (String.IsNullOrEmpty(password)) {
            ModelState.AddModelError("password", "You must specify a password.");
        }
        if (!MembershipService.ValidateUser(userName, password)) {
            ModelState.AddModelError("_FORM", "The username or password provided is incorrect.");
        }

        return ModelState.IsValid;
    }

My question is, I don't see any real input validation in the above method. Yes, they have some null validation, but really the input seems to be passed directly to the Membership service. What are the implications of this? I know that MVC 3 seems to have pretty good default XSS protection (i.e. it will throw an error if it detects XSS input). What about SQL injection? I guess I'm asking the following questions:

1) What does MembershipService.ValidateUser actually do?

2) Is there any input validation at that point? Or is it just relying on query parameters to protect the database?

3) What is the best practice for input validation? I'm assuming it will be Whitelists applied at the point of entry, but I don't see that followed here.


1) MembershipService.ValidateUser calls Microsoft's default ASP.NET Membership Provider and, depending on whether that user is in the store, it will validate the username and password. You can override the default MembershipService.ValidateUser method and call your own backend membership store.

2) I think it uses query parameters to prevent sql injection.

3) You can validate the query parameters before you send them to your membership provider to validate, if you wish to wash the data. The best way is to use whitelists, but you can also set a max length on the user input so they can't send too much information.

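To make the answer's three points concrete, here is an added example (not NerdDinner code, and not the ASP.NET Membership provider's own implementation) showing what whitelist validation at the point of entry, a length cap, and a parameterized lookup in a custom backend store look like together in an MVC 3 controller. The `LogOnViewModel`, `IMembershipService`, `SqlMembershipService`, `PasswordHasher` and the `Users(UserName, PasswordHash)` table are all assumptions made for this example; the membership provider from the question is replaced by the hypothetical SQL store so the query can be shown.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Mvc;

// Whitelist at the point of entry: required, bounded length, restricted character set.
// The username gets a character whitelist; the password only gets a length cap, because
// restricting password characters weakens passwords without protecting the database.
public class LogOnViewModel
{
    [Required(ErrorMessage = "You must specify a username.")]
    [StringLength(64, MinimumLength = 1)]
    [RegularExpression(@"^[A-Za-z0-9._@-]+$", ErrorMessage = "Username contains invalid characters.")]
    public string UserName { get; set; }

    [Required(ErrorMessage = "You must specify a password.")]
    [StringLength(256)]
    [DataType(DataType.Password)]
    public string Password { get; set; }

    public bool RememberMe { get; set; }
}

public interface IMembershipService   // assumed abstraction over the backend store
{
    bool ValidateUser(string userName, string password);
}

public class AccountController : Controller
{
    private readonly IMembershipService membership;
    public AccountController(IMembershipService membership) { this.membership = membership; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnViewModel model, string returnUrl)
    {
        // The data annotations run during model binding; their result is in ModelState,
        // so nothing reaches the store unless every whitelist and length rule passed.
        if (!ModelState.IsValid)
            return View(model);

        if (!membership.ValidateUser(model.UserName, model.Password))
        {
            // One generic message for "unknown user" and "wrong password" alike.
            ModelState.AddModelError("", "The username or password provided is incorrect.");
            return View(model);
        }

        // FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl)
                                         : RedirectToAction("Index", "Home");
    }
}

// Hypothetical custom store. The username travels as a bound parameter, never as SQL text,
// which is what "relying on query parameters" in the answer means in practice.
public class SqlMembershipService : IMembershipService
{
    private readonly string connectionString;
    public SqlMembershipService(string connectionString) { this.connectionString = connectionString; }

    public bool ValidateUser(string userName, string password)
    {
        const string sql = "SELECT PasswordHash FROM Users WHERE UserName = @userName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            var storedHash = cmd.ExecuteScalar() as string;
            // An unknown user fails the same way as a wrong password.
            return storedHash != null && PasswordHasher.Verify(password, storedHash);
        }
    }
}

// Assumed stored format: base64(salt) + ":" + base64(PBKDF2-SHA1(password, salt, 10000 rounds)).
public static class PasswordHasher
{
    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000))
            actual = kdf.GetBytes(expected.Length);
        // Fixed-time comparison so timing does not leak how many bytes matched.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

The view model replaces the hand-written `ValidateLogOn` null checks: the `[Required]`, `[StringLength]` and `[RegularExpression]` attributes are the whitelist and length cap the answer recommends, and they fail the request before any backend call. Separately from that, the store is safe against SQL injection only because of the `@userName` parameter, not because of the username regex; the whitelist is defence in depth, the parameterization is the actual control.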
