[removed] client-side vs. server-side validation

后端 未结 13 762
余生分开走
余生分开走 2020-11-21 11:58

Which is better to do client side or server side validation?

In our situation we are using

  • jQuery and MVC.
  • JSON data to pass between our Vi
相关标签:
13条回答
  • 2020-11-21 12:07

    The benefit of doing server side validation over client side validation is that client side validation can be bypassed/manipulated:

    • The end user could have javascript switched off
    • The data could be sent directly to your server by someone who's not even using your site, with a custom app designed to do so
    • A Javascript error on your page (caused by any number of things) could result in some, but not all, of your validation running

    In short - always, always validate server-side and then consider client-side validation as an added "extra" to enhance the end user experience.

    0 讨论(0)
  • 2020-11-21 12:07

    Well, I still find some room to answer.

    In addition to answers from Rob and Nathan, I would add that having client-side validations matters. When you are applying validations on your webforms you must follow these guidelines:

    Client-Side

    1. Must use client-side validations in order to filter genuine requests coming from genuine users at your website.
    2. The client-side validation should be used to reduce the errors that might occure during server side processing.
    3. Client-side validation should be used to minimize the server-side round-trips so that you save bandwidth and the requests per user.

    Server-Side

    1. You SHOULD NOT assume the validation successfully done at client side is 100% perfect. No matter even if it serves less than 50 users. You never know which of your user/emplyee turn into an "evil" and do some harmful activity knowing you dont have proper validations in place.
    2. Even if its perfect in terms of validating email address, phone numbers or checking some valid inputs it might contain very harmful data. Which needs to be filtered at server-side no matter if its correct or incorrect.
    3. If client-side validation is bypassed, your server-side validations comes to rescue you from any potential damage to your server-side processing. In recent times, we have already heard lot of stories of SQL Injections and other sort of techniques that might be applied in order to gain some evil benefits.

    Both types of validations play important roles in their respective scope but the most strongest is the server-side. If you receive 10k users at a single point of time then you would definitely end up filtering the number of requests coming to your webserver. If you find there was a single mistake like invalid email address then they post back the form again and ask your user to correct it which will definitely eat your server resources and bandwidth. So better you apply javascript validation. If javascript is disabled then your server side validation will come to rescue and i bet only a few users might have accidentlly disable it since 99.99% of websites use javascript and its already enabled by default in all modern browsers.

    0 讨论(0)
  • 2020-11-21 12:13

    Yes, client side validation can be totally bypassed, always. You need to do both, client side to provide a better user experience, and server side to be sure that the input you get is actually validated and not just supposedly validated by the client.

    0 讨论(0)
  • 2020-11-21 12:19

    I will suggest to implement both client and server validation it keeps project more secure......if i have to choose one i will go with server side validation.

    You can find some relevant information here https://web.archive.org/web/20131210085944/http://www.webexpertlabs.com/server-side-form-validation-using-regular-expression/

    0 讨论(0)
  • 2020-11-21 12:20

    JavaScript can be modified at runtime.

    I suggest a pattern of creating a validation structure on the server, and sharing this with the client.

    You'll need separate validation logic on both ends, ex:

    "required" attributes on inputs client-side

    field.length > 0 server-side.

    But using the same validation specification will eliminate some redundancy (and mistakes) of mirroring validation on both ends.

    0 讨论(0)
  • 2020-11-21 12:24

    You must always validate on the server.

    Also having validation on the client is nice for users, but is utterly insecure.

    0 讨论(0)
提交回复
热议问题