
Is there a security reason to validate a textbox input if you are limiting the max length of the input?

Since I'm new to coding and I'm trying to understand why here is a little more detail on the question.

If you have a text box and you are limiting the input to say 2 characters, do you really need to validate the input further?

What I have is a text box that has a max length of 2. Is there a security reason to add a validator to the textbox? I should add this is in ASP.NET.


Yes, you must still check. Setting the MaxLength property only sets the MaxLength attribute on the input element; a user can simply remove that value in the HTML source they are getting, or 'hack' it via any of many tools available.

Your server still needs to make sure it's only 2 characters, with server-side validation.


Are you talking about server-side validation of the input? If so, then you should validate because anyone can build an HTTP POST request without passing through a browser, in which case there is no 2 character limit.

However, the security validation just depends on what you're going to accomplish with the given input. If you're constructing a database query, sending an e-mail or other such thing using the input, then you should always validate, independently of input length.


Client-side validators (like MaxLength) can never be trusted, because the client side of your app is not under your control. If you don't believe me, take a look at what FireBug can do to alter HTML within FireFox.

Really, there's not much you can do with a 2-character string that would be a security risk, but I would, when getting this value, do some server-side validation on the length of the string, and make sure it's something you expect (like alphanumeric characters).


The maxlength attribute can be modified by the user. If they disable/change the maxlength="2" and decide to post 3 characters, can your code handle it? Truncate it, return an error, but don't just assume they've given you valid input. Always check.


Form data can be submitted by means other than a browser that will respect the maxlength attribute. A hacker may write a script that takes your form and submits data where the submitted form data does not respect any of the client side validation rules you declared in the HTML or JavaScript.


The sole, single, only reason for any client-side validation (whether from javascript, HTML form attributes, or XForm constraints) is to make it more likely for a well-meaning user to do the right thing rather than input something that makes no sense.

On the server-side, you have to do it again for the same reasons, but also for security. You don't know that the client-side validation worked, and indeed you don't even know that the request came from a browser (it takes less than a minute to grab a form submission and then re-submit it with different values, and not much longer if you've tried to stop this by being clever about what the client sees, used nonces, etc.)

The effects of accepting invalid input may be minor, but considering that since you do have client-side validation, then if invalid input is received it's more likely that you are being probed by someone with ill-intent (of course, there could just be a bug in the client-side stuff), so even if you can't predict any ill-effects in accepting such input, it's still worth blocking it.

That's before we consider whether SQL-injection, XSS, or other attacks are possible.


Always check input at the server, regardless if it was checked at the client.

For the client side, setting the max length is enough.

You mentioned the asp.net validator, if you are using those then do add it to the page to get both client and server validation (in this case you care about the server validation).


Validators run client-side using javascript so there is nothing secure about them; they can be compromised pretty easily. They are only for convenience and any user input should be sanitized for security purposes server-side.
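The point made across the answers above (server-side length and character checks, and the ASP.NET validator giving both a client and a server pass) as an added example, not code from the original thread or from any of the answerers. It assumes a hypothetical Web Forms page with controls named CodeTextBox, CodeValidator, SubmitButton and ErrorLabel; the markup the code-behind expects is shown in the leading comment.

```csharp
// Added example (not from the original thread). Server-side enforcement of the
// 2-character rule in ASP.NET Web Forms, independent of the MaxLength attribute
// the browser received. Control names below are hypothetical.
//
// Assumed page markup:
//   <asp:TextBox ID="CodeTextBox" runat="server" MaxLength="2" />
//   <asp:RegularExpressionValidator ID="CodeValidator" runat="server"
//       ControlToValidate="CodeTextBox"
//       ValidationExpression="^[A-Za-z0-9]{2}$"
//       ErrorMessage="Enter exactly two letters or digits." />
//   <asp:Button ID="SubmitButton" runat="server" OnClick="SubmitButton_Click" />
//   <asp:Label ID="ErrorLabel" runat="server" />
using System;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class CodeEntryPage : Page
{
    // The single source of truth for what "valid" means: exactly two ASCII
    // letters or digits. The same pattern is used by CodeValidator, so the
    // browser gets a convenience check and the server gets the real one.
    private static readonly Regex CodeRule =
        new Regex(@"^[A-Za-z0-9]{2}$", RegexOptions.Compiled);

    // Pure function so it can be unit-tested without a page lifecycle.
    // A null field, a 3-character value from a form with maxlength removed,
    // or a raw POST built without a browser all fail here.
    public static bool IsValidCode(string input)
    {
        return input != null && CodeRule.IsMatch(input);
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Page.IsValid reflects the server-side run of every validator on the
        // page. Skipping this check is what turns the validator into a purely
        // client-side decoration.
        Page.Validate();
        if (!Page.IsValid || !IsValidCode(CodeTextBox.Text))
        {
            ErrorLabel.Text = "Enter exactly two letters or digits.";
            return; // never reach query / e-mail code with unchecked input
        }

        // CodeTextBox.Text is now known to be two alphanumeric characters.
        // Still pass it to data access as a parameter, never by string
        // concatenation; validation limits the input, parameters remove
        // the injection surface entirely.
    }
}
```

Keeping IsValidCode separate from the event handler means the rule is enforced even if a future page reuses the control without a validator, and it can be exercised in a test with inputs such as "ab", "abc", "" and null. The Page.Validate() call is deliberate: IsValid is only meaningful after validation has run, and a handler that reads it before the page's own validation phase (or on a control with CausesValidation="false") would otherwise see a stale value.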
