Click here to Skip to main content
15,072,051 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
Invalid postback or callback argument.

Event validation is enabled using pages enableEventValidation=true in configuration or %@ Page EnableEventValidation=true in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.

I have a simple program that displays a blank web page with a few buttons on it that allows a user to dynamically put functional controls on the web page. The user is allowed to add, delete and move the controls around on the web page. When the user deletes a control is when I get the error message. I can get rid of the error message by including enableEventValidation=false in my <%@ page directive

I would prefer not to do that for security reasons. Since I rebuild the page on every post back every time, i was thinking about setting all controls enableViewState to false. However, since I am going to include ajax in my next version to reduce the post backs I may not want to set viewstate to false.

Since I know which controls were deleted, is there a way I can manipulate viewstate or the request object so IIS doesn't think there is a hacker lurking in the dark?

Would appreciate some help here.

sample code showing the routing to add an ASP textbox. Most controls are attached to a panel.
public static void bText(
            ref Panel panel, ref Table tb, ref TableRow tr, ref TableCell tc, ref ControlProperties tp)
    TextBox myTB = new TextBox();
    myTB.Text = tp.displayThisText;
    myTB.CssClass = tp.cssClassName;
    myTB.ID = tp.idName;
    myTB.Attributes.Add("dir", tp.direction);
    myTB.Attributes.Add("runat", "server");
    myTB.EnableViewState = true;
    processAttributes(tp, (System.Web.UI.WebControls.WebControl)myTB);
    if (tp.bgColor != null && !tp.bgColor.Equals("NoColor"))
    {myTB.BackColor = Color.FromName(tp.bgColor);}
    if (tp.fgColor != null && !tp.fgColor.Equals("NoColor"))
    { myTB.ForeColor = Color.FromName(tp.fgColor); }
    if (tp.units == WidthUnits.pixels)
    { int temp = (int)tp.width; myTB.Width = System.Web.UI.WebControls.Unit.Pixel(temp); }
    else if (tp.units == WidthUnits.percent)
    { myTB.Width = System.Web.UI.WebControls.Unit.Percentage(tp.width); }
    if (tp.textMode.Equals("s"))
    {   // single line mode
        myTB.TextMode = TextBoxMode.SingleLine;
        { int len; if (int.TryParse(tp.maxCharacters, out len)) { myTB.MaxLength = len; } }
    {   // multi line mode
        myTB.TextMode = TextBoxMode.MultiLine;<pre></pre>
        // number of rows to dispaly on screen
        { int len; if (int.TryParse(tp.rows, out len)) { myTB.Rows = len; } }
        // number of allowable characters
        // may have to use javascript control to
        // limit characters input
        if (tp.maxCharacters != null && tp.maxCharacters != "")
    addControlToWebPage(ref panel, ref tb, ref tr, ref tc, myTB, tp.location);
Updated 12-Mar-11 19:13pm

1 solution

There are no known ways of achieving it. Asp.Net keeps a hash of all the control id's & its possible values in a hidden field named "__EVENTVALIDATION".
It cannot be meddled because it is also hashed using a server key which you will not know.

So a good workaround for you is to maintain plain html controls (which are dynamically generated / deleted / values manipulated on the client side).
You could access them using Request.Form[] collection.
Dalek Dave 13-Mar-11 8:11am
Good answer

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900