Where do you do your validation? model, controller or view

Question

Where do you put user input validation in a web form application?

1. View: JavaScript client side
2. Controller: Server side language (C#...)
3. Model

Answer 1

I check in all tiers, but I'd like to note a validation trick that I use.

I validate in the database layer, proper constraints on your model will provide automatic data integrity validation.

This is an art that seems to be lost on most web programmers.

Answer 2

Simple input validation in the view. Full validation in the model. Reason? If you change your view technology, and the validation is in the view/controller, you have to rewrite your validation for the new view. This can introduce bugs. Put it in the model, and this is reused by all views...

But, as I said, simple validation in the view for speed and ease.

Answer 3

Validation must be done in the controller - it's the only place which assures safety and response.

Validation should be done in the view - it's the point of contact and will provide the best UE and save your server extra work.

Validation will be done on the model - but only for a certain core level of checks. Databases should always reflect appropriate constraints, but it's inefficient to let this stand for real validation, nor is it always possible for a database to determine valid input with simple constraints.

Answer 4

Validation can be done at all layers.

Validating the input from a web form (all strings, casting to proper types, etc) is different from validating the input from a webservice, or XML file, etc. Each has its own special cases. You can create a Validator helper class of course, thus externalising the Validation and allowing it to be shared by views.

Then you have the DAO layer validation - is there enough data in the model to persist (to meet not null constraints, etc) and so on. You can even have check constraints in the database (is status in ('N', 'A', 'S', 'D') etc).

Answer 5

Hmmmm, not sure. I would have said the Controller until I read this article re: skinny Controllers, fat Models

http://blog.astrumfutura.com/archives/373-The-M-in-MVC-Why-Models-are-Misunderstood-and-Unappreciated.html

Answer 6

All validation should happen at least one time, and this should be in the middle tier, whether it be in your value objects (in the DDD sense, not to be confused with DTO's), or through the business object of the entity itself. Client side validation can occur to enhance user experience. I tend to not do client side validation, because I can just expose all of the things that are wrong on the form at once, but that's just my personal preference The database validation can occur to insure data integrity in case you screwed up the logic in the middle tier or back ended something.