Why do we need client-side and server-side validation?

The argument for using both client-side validation (JavaScript) and server-side validation using the validator is as follows: if the client browser does not support JavaScript, then the user cannot use client-side validation.

My question is: how good is this argument in practice? Theoretically, this makes sense, but in practice, if JavaScript is disabled in the browser, then most of the functions of the website do not even work. The user probably cannot even load the page without JavaScript, not to mention the provision of the form.

+7
5 answers

Client-side validation just lets you avoid the client's "But I filled it all out and it didn't tell me anything!" It's not really necessary, and actually client-side validation is a very new thing (read: 5 years or less). In practice, all it does is let your client (with JS support) find out whether the form is good before reloading the page. If AJAX is in play, it is different - it lets you save bandwidth and give the user feedback before submitting. Finally, if you build strictly client-side, peer-to-peer applications (think games), you want to validate on the client side so that clients do not cheat.

Server-side validation is also crucial because client-side validation can be completely bypassed by disabling JavaScript. In a sense, JS-driven validation is a convenience and aesthetic / cosmetic enhancement that cannot be relied on. It’s also trivial to edit the page source locally to disable or bypass even the most complex JS check.

What can a user do if you do not validate on the server side? Everything, depending on how you use your data. You can let users drop entire databases (or, even worse, console them), change whatever they like (or, worse, read everything they like). Directory traversal errors are very common entry points for naughty people, and, if necessary, they escalate their privileges. Do you want to manage this risk? Not validating user input is like trusting people and not putting locks on your house.

+29

Validation should always be done on the server side — you cannot trust client-side validation.

Client-side validation is always in the interest of providing a better user experience (UX), so the user does not need to submit and reload the page simply because a value in the form is unacceptable - it makes things more dynamic.

Since you don't even need a browser to make requests, no matter how much your site relies on JS to function correctly, you will need server-side validation and sanitization of all user input if you care about your databases not being exposed.

Now it's up to you whether you want to provide an interface with dynamic client-side validation hints or not.

+7

Always protect your inputs on the server. This is not always about users who have JavaScript disabled, but about the fact that they can break the server.

For example, if the site has a JavaScript maximum-length check on an <input>, the user can disable this check, thereby sending more data than your server and / or database expect. This can lead to server overload with a large POST that occupies a server thread for a long time; it can expose a weakness in the database, for example by violating a database constraint, potentially revealing details about how the data is stored. Even worse, if there are no restrictions, the user can perform injection attacks.

Another example is using an external HTTP tool to send requests to your server, completely bypassing any JavaScript. I use the Advanced REST Client for Chrome all the time in development to test the JSON API.

Client-side validation using JavaScript is just a way to provide faster feedback to the person using the site about their interaction with it. In traditional client-server communication, it should not be the only check, for the reasons stated above.
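To make the point of this answer and the previous one concrete, here is an added example (not code from any of the answers above) of the server re-running the same length and format rules that the browser form shows in its `maxlength` and pattern checks. The field names, limits and the JSON request shape are assumptions; the server checks apply whether the request came from the form or from an HTTP tool.

```javascript
// Added example: one rule set for a signup form, applied on the server for
// every request, so a stripped <input maxlength> or a hand-built request
// is still rejected. Field names and limits are constructed for this demo.
const RULES = {
  username: { required: true, maxLength: 20, pattern: /^[a-z0-9_]+$/i },
  email:    { required: true, maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  bio:      { required: false, maxLength: 500 },
};

// Hard cap on the raw POST body, checked before any parsing, so an
// oversized request is dropped cheaply instead of occupying a thread.
const MAX_BODY_BYTES = 4096;

// Returns a map of field -> error message; an empty object means valid.
function validateFields(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = fields[name];
    if (value === undefined || value === '') {
      if (rule.required) errors[name] = 'required';
      continue;
    }
    if (typeof value !== 'string') { errors[name] = 'must be a string'; continue; }
    if (value.length > rule.maxLength) { errors[name] = `longer than ${rule.maxLength}`; continue; }
    if (rule.pattern && !rule.pattern.test(value)) errors[name] = 'invalid format';
  }
  // Reject fields the form never had: a hand-built request may try to add them.
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) errors[name] = 'unexpected field';
  }
  return errors;
}

// Server-side handler: the body arrives as a raw string from the network,
// regardless of whether a browser or an HTTP tool produced it.
function handleSignup(rawBody) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { status: 413, errors: { _body: 'payload too large' } };
  }
  let fields;
  try { fields = JSON.parse(rawBody); } catch { return { status: 400, errors: { _body: 'malformed JSON' } }; }
  if (fields === null || typeof fields !== 'object' || Array.isArray(fields)) {
    return { status: 400, errors: { _body: 'expected an object' } };
  }
  const errors = validateFields(fields);
  return Object.keys(errors).length ? { status: 422, errors } : { status: 201, errors: {} };
}
```

The same `RULES` object can be shipped to the browser for the on-the-fly hints, which keeps the two sides from drifting apart without making the server depend on the client having run them.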

+2

If the user has disabled JavaScript, that is their own problem, and they decided to disable JavaScript for some reason ... Because of this, when creating a website, you should always keep in mind that your website should work for users with JavaScript and without it. Validation on both sides is necessary for a number of reasons, some of them:

  • The user has disabled JavaScript
  • An evil user intentionally removed JavaScript to abuse the system
  • With JavaScript validation, you reduce data traffic between the site and the client
  • And, of course, with server-side validation, you make sure that all the data is specified correctly

Perhaps by using both JavaScript and the "older" methods, the website can be valid for every user and every browser.

+1

Client-side validation is a solution for highly interactive forms with on-the-fly field validation, but it will not prevent an attacker from entering and sending invalidly formatted data to the server. It is important that your server-side script checks everything the user does; otherwise you will expose your site to SQL injection attacks, XSS attacks, users doing what they should not, etc.

0