Where do you check in webapp (backend)?

Option number 1: Service level?

UserService.validate(FORM); // verifies and returns a struct of errors

Option number 2: Object layer, on the setter? eg

user.setEmail(email); // throws on invalid/already-used e-mail

Option number 3: Object level, validate()? eg.

user.init(FORM); // accept any values, no type checking
user.validate(); // returns struct of errors

What do you take? Thanks!

+4
4 answers

I usually keep my form at the service level, and not with the objects themselves. I do not do this because I do not agree that the objects are fully encapsulated, I do it because it conforms to the methodology / design template that I choose to use on my sites for processing form submissions.

I think that frameworks such as Transfer recommend that you keep checking objects inside objects, whereas engines / frameworks like Alegad Validat are meant to check them from outside. I don’t think that either approach is wrong; it’s really just a matter of what you prefer (and what is suitable for the application).

Of the 3 options, however, option number 2 uses exception handling for situations in which you expect results. Having a validation method (whether on the object or in the service), you can manage error-checking situations more effectively than by catching exceptions and passing them through, either passively (capture and return a structure with information about the failure) or explicitly (revert, etc.).

0

You perform a test in each phase, but for several reasons.

You check when the user sets a value to provide immediate feedback to the user about whether the input is valid. This verification should only be used to improve the user experience. You can check while the user is typing, if necessary, but do not forget that the user enters an invalid partial input, as more may appear, and you do not want validation to interfere.

You check before the user submits the form to make sure that the submission is valid without incurring the full cost of a round trip to the server. This will be mainly for things that were not or cannot be confirmed at the time of user input, and this may involve some communication with the server, for example to check if the username is available without reloading the page. This step also mainly relates to user benefit. Whether you check each item while typing or on submit is up to you and should depend on what provides the best user interface and better matches the mental model of the user.

Finally, you need to check everything when it returns to the server, because you cannot trust the browser. This check is mainly for security. You can never assume that any data coming from your client is clean, because it may not be from your client. It may come from a hostile agent who imitates your client. Therefore, fully check everything, for all potential exploits and other unacceptable conditions, regardless of whether it was confirmed on the client.

Hope this helps.

+4
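The server-side check this answer insists on, written as an added Python example (not code from the original post or its authors), in the shape of the question's option 1: a service-level function that validates an untrusted form and returns a struct of errors instead of throwing, as the first answer prefers. The field names, the 30-character name limit, the e-mail pattern and the set of taken e-mails are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed limits/pattern for illustration (not from the original post).
NAME_MAX_LEN = 30
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ValidationResult:
    """Struct of errors: field name -> list of messages. Empty means valid."""
    errors: dict = field(default_factory=dict)

    def add(self, field_name, message):
        self.errors.setdefault(field_name, []).append(message)

    @property
    def ok(self):
        return not self.errors


def validate_user_form(form, taken_emails=frozenset()):
    """Service-level validation of an untrusted form dict (option 1).

    Nothing the client did is trusted: the payload may not even come from
    a browser, so types and unexpected fields are checked, not just values,
    and every problem is collected instead of stopping at the first one.
    """
    result = ValidationResult()
    name, email = form.get("name"), form.get("email")

    if not isinstance(name, str) or not name.strip():
        result.add("name", "name is required")
    elif len(name) > NAME_MAX_LEN:
        result.add("name", f"name must be at most {NAME_MAX_LEN} characters")

    if not isinstance(email, str) or not EMAIL_RE.match(email):
        result.add("email", "email is not well-formed")
    elif email.lower() in taken_emails:
        result.add("email", "email is already in use")

    for key in form:
        if key not in ("name", "email"):
            result.add(key, "unexpected field")
    return result
```

The controller can map a non-empty `errors` dict straight back onto the form fields, which is the "struct of errors" shape from options 1 and 3.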

First of all, +1 from me for jborque.

I would like to add that input type checks are very repeatable, for example.

UI: do not allow a name longer than 30 characters
BIZ: throw an exception / create a broken rule if the name is longer than 30 characters
DB: make the name column 30 characters wide
UNIT TEST: test names < 30, > 30, exactly 30 characters

This is a BIG candidate for creating code. If 30 suddenly changes to 40, and you use code generation, this makes it as simple as restarting the code generator (and creating scripts to update the database for any production data).

In the past, I did this with a UML modeling tool to capture input rules and partial classes in C# to separate code generated from the UML model from my own handwritten code. The same concept can be easily applied in a number of development environments.

0

+1 for jbourqu. Good answers. Everywhere you can without any unreasonable operating costs. I quite often check the inputs of functions in the backend that are not directly exposed, in case some other code calls them with unexpected values or mixes up the order of the parameters.

0
