[Sigia-l] UI Design Question - Client Versus Server Side Validation

MJJAIXEN at up.com MJJAIXEN at up.com
Wed Feb 26 11:47:11 EST 2003


Any client-side validation generally must be repeated on the server-side,
mostly because JavaScript can be easily disregarded. Frequently, this is
less a usability concern than a security concern. A hacker could bypass
your UI completely, and try to submit data directly to your web site.  This
is one of the easiest ways to hack a site.  Client-side validation should
be performed with the sole objective of making the site easier to use by
catching an error without having to wait for a submit.

"Jon Hanna" <jon at spin.ie> wrote
> On most the sites I work with, we >always< do server side,
> because some of the users may have their javascript turned off.

As well as that, and I think this is what Simon was getting at, you can't
trust clients.
Only server-side validation can protect you from people deliberately sending
invalid data (the number of sites out there that will let you mess up their
databases, obtain passwords, run arbitrary code, or send emails on your
behalf is pretty scary).

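As an added example (not part of the original thread or any poster's code), the following Node.js snippet shows what "repeat the validation on the server" means in practice: the rules a form would enforce with `maxlength`, `pattern` and `onsubmit` JavaScript are re-applied to the raw POST body, so a request crafted with curl against the endpoint, skipping the UI entirely, is rejected exactly as the browser would have rejected it. The field names, rules and sample request bodies are constructed for illustration.

```javascript
// Added example, not code from the original post. Runs under Node.js with no
// dependencies. Field names, rules and sample requests are constructed.

// Rules the form's JavaScript would also enforce. They are re-derived here
// because the server never learns whether that JavaScript actually ran.
const RULES = {
  username: { required: true, maxLength: 20, pattern: /^[A-Za-z0-9_]+$/ },
  email:    { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  quantity: { required: true, pattern: /^[0-9]{1,3}$/, min: 1, max: 100 },
};

// Returns a list of { field, problem } entries; an empty list means valid.
function validateOrder(fields) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name];
    if (value === undefined || value === '') {
      if (rule.required) errors.push({ field: name, problem: 'missing' });
      continue;
    }
    if (rule.maxLength !== undefined && value.length > rule.maxLength) {
      errors.push({ field: name, problem: 'too long' });
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) {
      errors.push({ field: name, problem: 'bad format' });
      continue;
    }
    if (rule.min !== undefined) {
      const n = Number(value);
      if (n < rule.min || n > rule.max) {
        errors.push({ field: name, problem: 'out of range' });
      }
    }
  }
  // Reject fields the form never offered; a hand-built POST can add any it likes.
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) errors.push({ field: name, problem: 'unexpected field' });
  }
  return errors;
}

// Server-side handler for an application/x-www-form-urlencoded body. It parses
// the raw body itself, so it makes no difference whether the bytes came from
// the HTML form or from a tool that bypassed the page altogether.
function handleOrderPost(rawBody) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(rawBody)) {
    // Repeated keys collapse to the last value so every rule sees one string.
    fields[key] = value;
  }
  const errors = validateOrder(fields);
  if (errors.length > 0) return { status: 400, errors };
  return {
    status: 200,
    errors: [],
    order: { ...fields, quantity: Number(fields.quantity) },
  };
}

// Constructed sample bodies:
// 1. what the browser sends once the form's own checks have accepted the input
const fromForm = 'username=alice_01&email=alice%40example.org&quantity=3';
// 2. what a direct POST can send: a username longer than the form's maxlength,
//    a quantity the form's pattern would have stopped, and a field the form
//    never had
const crafted =
  'username=' + 'a'.repeat(40) + '&email=not-an-email&quantity=-5&is_admin=1';

console.log(JSON.stringify(handleOrderPost(fromForm)));
console.log(JSON.stringify(handleOrderPost(crafted)));
```

The design point is that `validateOrder` is the single source of truth: client-side code may duplicate these rules to save the user a round trip, but the server's decision depends only on the parsed body and this function, never on anything the browser claims to have checked.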