The purpose of EnableEventValidation and how it works

asp.net

    <asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="false" onrowediting="GridView1_RowEditing">
        <Columns>
            <asp:TemplateField>
                <ItemTemplate>
                    <asp:Button ID="btnEdit" runat="server" Text="Edit" CommandName="Edit" />
                    <asp:Label ID="lblFirstColumn" runat="server" Text='<%# Eval("FirstColumn") %>'></asp:Label>
                </ItemTemplate>
                <EditItemTemplate>
                    <asp:Label ID="lblEditMode" runat="server" Text="This is Edit mode"></asp:Label>
                </EditItemTemplate>
            </asp:TemplateField>
        </Columns>
    </asp:GridView>


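    protected void Page_Load(object sender, EventArgs e)
    {
        // Build a one-row table to bind the grid to.
        DataTable dt = new DataTable();
        dt.Columns.Add("FirstColumn", typeof(int));
        dt.Rows.Add(100);

        GridView1.DataSource = dt;
        // Bind only on the first request, not on postbacks.
        if (!IsPostBack)
            GridView1.DataBind();
    }

    protected void GridView1_RowEditing(object sender, GridViewEditEventArgs e)
    {
        // Switch the clicked row to edit mode and rebind so it renders EditItemTemplate.
        GridView1.EditIndex = e.NewEditIndex;
        GridView1.DataBind();
    }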

If I change if (!IsPostBack) GridView1.DataBind(); to GridView1.DataBind(); and try to put GridView into Edit mode by clicking btnEdit, then I get the exception:

Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

But if I set EnableEventValidation to false, then GridView1 won’t enter edit mode (i.e. GridView1_RowEditing doesn’t get called).

BTW, the same problem also occurs with other databound controls (DataList, DetailsView).

Page.EnableEventValidation gets or sets a value indicating whether the page validates postback and callback events. When the EnableEventValidation property is set to true, ASP.NET validates that a control event originated from the user interface that was rendered by that control. A control registers its events during rendering and then validates the events during postback or callback handling.

a) Why must postback and callback events be evaluated? And how exactly does evaluation happen?

b) Why would calling GridView1.DataBind() on each postback cause an exception when trying to put it into edit mode?

c) I also don’t see any reasons why disabling EnableEventValidation prevents GridView from entering edit mode?! Thus why did

thank you

Best Answer

There is a good article about how and why you would want to use EventValidation here:

http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx

and MSDN:

http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx

The short answer is event validation is designed to protect the web site from having values injected into the page that can be used to exploit your application in some way.
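The register-then-validate cycle described in the MSDN text quoted in the question, written with the ClientScriptManager methods named in the exception message. This is an added example, not code from the question or the answer; the ActionLinks control, its action names and the LastAction property are hypothetical.

```csharp
using System;
using System.Web.UI;

// Hypothetical custom control: renders one postback link per allowed action
// and accepts only those actions when the page posts back.
public class ActionLinks : Control, IPostBackEventHandler
{
    // Constructed sample values: the only arguments this control renders.
    private static readonly string[] AllowedActions = { "approve", "reject" };

    public string LastAction { get; private set; }

    protected override void Render(HtmlTextWriter writer)
    {
        foreach (string action in AllowedActions)
        {
            // Registration happens during rendering: the (UniqueID, argument)
            // pair is recorded as something this page legitimately emitted.
            Page.ClientScript.RegisterForEventValidation(UniqueID, action);

            writer.AddAttribute(HtmlTextWriterAttribute.Href,
                Page.ClientScript.GetPostBackClientHyperlink(this, action));
            writer.RenderBeginTag(HtmlTextWriterTag.A);
            writer.WriteEncodedText(action);
            writer.RenderEndTag();
        }
    }

    public void RaisePostBackEvent(string eventArgument)
    {
        // Validation happens during postback handling: an argument that was
        // not registered while rendering (for example "delete") is rejected
        // with "Invalid postback or callback argument".
        Page.ClientScript.ValidateEvent(UniqueID, eventArgument);

        // Event validation can be turned off per page, so the handler still
        // checks the argument against its own allow list.
        if (Array.IndexOf(AllowedActions, eventArgument) < 0)
            throw new ArgumentException("Unexpected action", "eventArgument");

        LastAction = eventArgument;
    }
}
```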
