Best practice for validating input for a layered application

In our application we have different layers: the service layer, the action layer and the DAO layer (location applications).

Data is transferred from one layer to another.

Where should we ideally put input validation?

Say userid and phone number come from the user interface, and they are required. So we are already doing a client-side check.

Now, in my opinion, that is all you need. Nowhere else should it be checked.

But one of my colleagues claims that the client could make the request directly, so we need to add validation in the Actions as well.

Now, in the DAO too, the same method is used by some other actions, and that has no validation.

Or, say, the service layer could be exposed as, say, a web service, so you need validation there too.

So essentially he suggests ... we have all the validations everywhere. That doesn't make sense to me. It's duplication per layer.

What is the ideal approach for this? Let's say a check can be a simple null check or some kind of complex validation.

+7
3 answers

Agree with Pangea, you must have validations at the endpoints of the client and service.

I would add that the validation concept should be "fail fast." You add checks at each level so that the user or the caller receives immediate feedback on why the call will fail, instead of potentially kicking off a transaction, making complex queries and writes, only to find that the field is too short.

On the client side, you want to check as much as possible so as not to waste the user's time, bandwidth and server resources (which in many cases have approvals). However, you usually cannot do all checks on the client side (for example, checking whether a username is already taken during registration), so you want that check done and the proper error message returned as soon as you hit the service layer.

At the server level, you want to assume that all inputs are potentially dangerous and incorrect (and they often are). I really believe it is better to be more comprehensive and aggressive when checking input at the service level, as this is your last line of defense. If you leave out a validation or two on the client side, you just need a good error handling mechanism so that users know what is wrong. If you missed something on the service side and it gets hit, it could mean hours or days of debugging and attempts to restore database backups.

There are some checks that are performed at the database level, which provide features such as referential integrity, etc. I usually try to check for them as much as possible before trying to write, as interpreting the various RDBMS error messages and trying to convert them into clear user-facing language is often difficult, if not impossible.

+10

If your application provides multiple entry points (a user interface, system-to-system interfaces or batch systems), you must sanitize (null checks, format checks, required fields, etc.) your data in all of them, before it reaches the service layer. But this does not mean that you need to replicate the validation logic. You can use frameworks that centralize your validation. Some sample validation frameworks can be found in this post.

However, there are business validations that belong to your domain layer, and they must stay there, in domain services or domain objects.

I do not agree that you should perform validation in the DAO. The DAO should simply be responsible for CRUD operations. If it does more, then you have leaking layers. If you need to process things in batch mode, you must make sure that the batch goes through the service layer so that your batch also passes the same checks.

+4

The only wisdom I can add to the conversation is: never trust the client. Regardless of whether your client is in HTML, Flash / Flex or something else, there is a chance that someone will hack it and try to do what you do not want them to do. The point is this: if there is a chance that someone is going to hack it, we as software developers should assume that it will be hacked. So while front-end checks are good and help with the usability of your applications, you MUST check all your inputs on the back end, even if this leads to duplicate checks.

+1
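The three answers above converge on one design: a single reusable validation routine, enforced in the service layer no matter which entry point (web action, batch import) the data came through, a DAO that only does CRUD, and a uniqueness rule that only the server can check. The following is an added example illustrating that layout; it is not code from the question or from any of the answers. It is written in Python rather than the Java/Struts-style stack the question implies, and the field names (`userid`, `phone`), the format rules, the `InMemoryUserDao` standing in for a database, and the two entry-point functions are all assumptions made for the example.

```python
"""Layered input validation: one validator, enforced at the service layer for every entry point.

Added example (not the original post's code). Field names, format rules and the
in-memory DAO are constructed for illustration.
"""
import re
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised by the service layer before any persistence work starts (fail fast)."""

    def __init__(self, errors):
        super().__init__("; ".join(errors))
        self.errors = errors


USERID_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")


def validate_registration(data):
    """Structural checks (required, format). Returns a list of error strings; empty means OK.

    This is the single place these rules live; every layer calls it instead of re-coding them.
    """
    errors = []
    user_id = data.get("userid")
    phone = data.get("phone")
    if not user_id or not str(user_id).strip():
        errors.append("userid is required")
    elif not USERID_RE.fullmatch(str(user_id).strip()):
        errors.append("userid must be 3-32 chars of letters, digits or underscore")
    if not phone or not str(phone).strip():
        errors.append("phone is required")
    elif not PHONE_RE.fullmatch(str(phone).strip()):
        errors.append("phone must be 7-15 digits, optionally prefixed with +")
    return errors


@dataclass
class User:
    user_id: str
    phone: str


class InMemoryUserDao:
    """DAO: CRUD only. It does not validate; that would leak service concerns into this layer."""

    def __init__(self):
        self.rows = {}

    def exists(self, user_id):
        return user_id in self.rows

    def insert(self, user):
        if user.user_id in self.rows:  # stands in for a DB UNIQUE constraint, the real last resort
            raise RuntimeError("UNIQUE constraint failed: users.user_id")
        self.rows[user.user_id] = user


class UserService:
    """Service layer: the last line of defence. Validates before touching the DAO."""

    def __init__(self, dao):
        self.dao = dao

    def register(self, data):
        errors = validate_registration(data)
        if errors:
            raise ValidationError(errors)  # fail fast: nothing has been written yet
        user_id = data["userid"].strip()
        # Business rule only the server can check: the userid must not already be taken.
        if self.dao.exists(user_id):
            raise ValidationError([f"userid '{user_id}' is already taken"])
        user = User(user_id, data["phone"].strip())
        self.dao.insert(user)
        return user


def web_register_action(service, form):
    """Entry point 1: a web action. A client-side check may have run, but it is never trusted;
    a request crafted without the form (e.g. missing phone) is still rejected by the service."""
    try:
        user = service.register(form)
        return {"status": 201, "userid": user.user_id}
    except ValidationError as e:
        return {"status": 400, "errors": e.errors}


def batch_import(service, rows):
    """Entry point 2: batch import. It goes through the same service, so rows get the same checks."""
    accepted, rejected = [], []
    for row in rows:
        try:
            service.register(row)
            accepted.append(row.get("userid"))
        except ValidationError as e:
            rejected.append((row.get("userid"), e.errors))
    return accepted, rejected


if __name__ == "__main__":
    svc = UserService(InMemoryUserDao())
    print(web_register_action(svc, {"userid": "alice", "phone": "+15551234567"}))
    print(web_register_action(svc, {"userid": "alice"}))  # bypassed the client check
    print(batch_import(svc, [{"userid": "carol", "phone": "5551234567"},
                             {"userid": "x", "phone": "123"}]))
```

The point of the layout is that no layer duplicates rules: the client may run its own copy of the format checks for quick feedback, but the service layer is the one that decides, and both the web action and the batch path are forced through it. The DAO's `RuntimeError` on a duplicate key mirrors the database constraint that would fire if the service-level uniqueness check were ever skipped or raced; the service checks first precisely so the user gets a readable message rather than a translated RDBMS error.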
