100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
.NET Framework

Validation Controls

Explore how ASP.NET Web Forms validator controls enforce input rules on both the client and the server before data is processed.

Web Forms ControlsIntermediate9 min readJul 10, 2026
Analogies

Validating User Input with Validation Controls

ASP.NET Web Forms provides a family of validator server controls — RequiredFieldValidator, RangeValidator, RegularExpressionValidator, CompareValidator, CustomValidator, and ValidationSummary — that attach to an input control via ControlToValidate and automatically render both client-side JavaScript checks and server-side re-validation before Page_Load logic runs. Each validator sets Page.IsValid to false when its condition fails, letting code-behind check a single flag rather than manually inspecting every field.

🏏

Cricket analogy: A RequiredFieldValidator is like the third umpire refusing to confirm a run-out review until the on-field umpire submits a decision, blocking the process until the required input is present.

Built-in Validator Controls

RequiredFieldValidator ensures a field isn't left at its InitialValue (typically empty), RangeValidator checks that a numeric, date, or currency value falls between MinimumValue and MaximumValue, RegularExpressionValidator matches input against a ValidationExpression pattern such as an email or phone format, and CompareValidator either compares two controls' values (e.g., password confirmation) or validates a single value's data type. Each validator control also renders an ErrorMessage that ValidationSummary can collect and display in one place, typically at the top of the form.

🏏

Cricket analogy: RegularExpressionValidator checking a jersey number format is like the scorer's software rejecting '7a' as an invalid over count, insisting the entry matches a strict numeric pattern like a legal delivery count.

aspx-csharp
<asp:TextBox ID="txtEmail" runat="server" />
<asp:RequiredFieldValidator ID="rfvEmail" runat="server"
    ControlToValidate="txtEmail" ErrorMessage="Email is required." Display="Dynamic" />
<asp:RegularExpressionValidator ID="revEmail" runat="server"
    ControlToValidate="txtEmail" ErrorMessage="Enter a valid email address."
    ValidationExpression="^[^@\s]+@[^@\s]+\.[^@\s]+$" Display="Dynamic" />

<asp:TextBox ID="txtAge" runat="server" />
<asp:RangeValidator ID="rvAge" runat="server" ControlToValidate="txtAge"
    Type="Integer" MinimumValue="18" MaximumValue="99"
    ErrorMessage="Age must be between 18 and 99." />

<asp:ValidationSummary ID="valSummary" runat="server" HeaderText="Please fix the following:" />
<asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />

<script runat="server">
protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (Page.IsValid)
    {
        SaveRegistration(txtEmail.Text, int.Parse(txtAge.Text));
    }
}
</script>

CustomValidator and Client vs. Server Validation

When built-in validators can't express a business rule, CustomValidator lets you supply both a server-side OnServerValidate handler and, optionally, a ClientValidationFunction written in JavaScript, giving identical logic on both tiers. Validation runs client-side first for instant feedback via the WebForms validation JavaScript library, but the server-side check is not optional: because client script can be disabled or bypassed entirely, every validator also re-runs on the server, and Page.IsValid must always be checked in code-behind before touching the database, regardless of what the client reported.

🏏

Cricket analogy: Relying only on client-side validation is like trusting a fan's phone app for the DRS decision instead of the official third umpire, since the phone app can be spoofed while the official review cannot.

Never rely on client-side validation alone for security or data integrity. A user can disable JavaScript or submit a crafted POST request directly, bypassing all client checks entirely. Always check Page.IsValid in the server-side event handler before processing input.

  • Validator controls attach to an input via ControlToValidate and set Page.IsValid when their condition fails.
  • RequiredFieldValidator, RangeValidator, RegularExpressionValidator, and CompareValidator cover the most common built-in rules.
  • ValidationSummary aggregates every validator's ErrorMessage into a single summary display.
  • CustomValidator supports both a server-side OnServerValidate handler and an optional client-side ClientValidationFunction.
  • Client-side validation improves user experience but can be bypassed, so server-side re-validation always occurs automatically.
  • Page.IsValid must be checked explicitly in code-behind before performing any data-modifying operation.
  • Display="Dynamic" vs "Static" controls whether space for the error message is reserved even when no error is shown.

Practice what you learned

Was this page helpful?

Topics covered

#NETFramework#ClassicASPNETWebFormsWebPagesStudyNotes#MicrosoftTechnologies#ValidationControls#Validation#Controls#Validating#User#StudyNotes#SkillVeris