
How Not To Validate Form Data

This code has been floating around for the better part of 10 years in numerous sites that I've had to work on. I figure I've encountered it, and replaced it, enough times that I should share my pain and show how you should not try to validate login form data against "malicious injections", whatever that means.

```csharp
private bool ValidateInputFields()
{
    // ...
    // check for malicious injections...
    // The only "injection" check: reject usernames longer than 255 characters.
    // Nothing is done about the content of the string, only its length.
    if (Username.Text.Length > 255)
    {
        ErrorMessage.Text = ResourceManager.GetString(SelectedCulture, "MSG_INVALID_USERNAME");
        return false;
    }
    return true;
}
```
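The reason a length check does nothing against injection is that a short username containing a quote character or an SQL keyword sails through it unchanged; what decides whether that input can alter a query is how the query is built, not how long the string is. The following is an added example, not code from the original post, contrasting the length-only check with an allow-list on the username's shape plus a parameterized query. The `LoginRepository` class, the connection string, the `Users` table and its `Username`/`PasswordHash` columns are assumptions made for illustration.

```csharp
// Added example (not from the original post). Shows why a length-only check
// is not injection protection and what the login path should do instead:
// an allow-list on the username's shape, and a parameterized query so the
// database engine never interprets user input as SQL text.
// LoginRepository, the connection string, the Users table and its column
// names are assumptions for illustration only.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class LoginValidation
{
    // Allow-list: letters, digits, dot, underscore or hyphen, 3 to 64 characters.
    // Anything else is rejected before it gets anywhere near a query.
    private static readonly Regex UsernameShape =
        new Regex(@"^[A-Za-z0-9._-]{3,64}$", RegexOptions.Compiled);

    public static bool IsWellFormedUsername(string username)
    {
        return username != null && UsernameShape.IsMatch(username);
    }

    // The original post's check, kept for comparison: it rejects only strings
    // longer than 255 characters, so a short string containing quotes,
    // comment markers or SQL keywords passes it untouched.
    public static bool LengthOnlyCheck(string username)
    {
        return username != null && username.Length <= 255;
    }
}

public sealed class LoginRepository
{
    // Assumed to come from configuration; never hard-code credentials.
    private readonly string _connectionString;

    public LoginRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Fetches the stored password hash for a username. The query text is a
    // fixed constant and the username travels as a typed parameter, so the
    // input is data to the engine, never part of the SQL grammar.
    // Comparing the hash against the submitted password is outside this example.
    public string GetPasswordHash(string username)
    {
        if (!LoginValidation.IsWellFormedUsername(username))
        {
            // Reject malformed input up front; this is the branch that should
            // set MSG_INVALID_USERNAME in a form like the one above.
            return null;
        }

        const string sql =
            "SELECT PasswordHash FROM Users WHERE Username = @username";

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, length-bounded parameter matching the allow-list above.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

Two points worth keeping separate: the parameterized query is the actual injection defence and would be sufficient on its own, while the allow-list is defence in depth that also gives the form a meaningful condition on which to show the "invalid username" message. Neither of them is a length check, and neither needs to know anything about what "malicious injections" might look like.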
