Why do we need server-side as well as client-side validation for web applications?

Is there any high-level reason for checking both client and server side for a web application?

+6
validation server-side client-side-validation
8 answers

Because your client-side validation may be undermined.

For example, on the Internet, if you use JavaScript for validation, it is very simple to either disable JavaScript or change its operation using tools such as Firebug.

Even with other client/server methods, it is possible that the data transmission channel will be distorted, and the "verified" data can be changed along the path to the server (man in the middle).

In general, the maxim “never trust the client” is the reason why you should always check on the server.

You may ask in this case, why validation on the client? To provide immediate feedback.

+8

The user can change the JavaScript check locally (save the page and do something with it), or JavaScript can be disabled in the browser. Therefore, in this case, client-side validation is useless. Therefore, you should also check on the server.

+3

Client-side validation gives the user immediate feedback without waiting for the page to load. However, if the client has disabled scripts on the client side (for example, JavaScript has been disabled), the check will not work, so you will also need a server to check the values.

+2

The client side will remove (theoretically) most of the problems of checking before reaching the server (although this is not always the case when JavaScript is disabled / edited, etc.). This will eliminate any “warping” / unnecessary processing from the server by putting a firewall on the client device to perform the check.

The server side will catch any validation problems that for some reason were not detected during the client-side verification.

+2

Client-side validation is a plus, but not required. You MUST use server side validation (ssv) because when you accept user information, you should always consider it “hostile”. If this data is also uploaded to the database, ssv is your last line of defense because you do not want unwanted or invalid data in your database.

Checking on the client side is not bulletproof, so if something is checked on the client side, this does not mean that it will be valid when it arrives at your server.

+2

Client-side validation is used for the following:
1) Data conformation by length and format restrictions.
2) Instant indication or user feedback.

Server-side validation:
1) More advanced checks against business logic.
2) Check for any changes to the criteria. For example, you order a book from Amazon, and after you make an order, you get an indication that the book is not in stock, because someone else bought it just a few minutes before.
3) Check if the intended user has entered the data. Client-side things, such as cookies and JavaScript, can be processed, so the server needs to authenticate and verify the data passing through.

Thus, server-side verification is required as the main line of defense against malicious data, as well as for checking data using advanced business logic.

+2

The goal of real-time verification on the client side (i.e. when the user moves from field to field, and not after the user presses SUBMIT) is to give the user feedback as soon as possible. If for a social security number, for example, 9 digits are required and the user dialed 8, you do not want to wait until the user completes the rest of the form and presses "SUBMIT" to indicate an error, even if the check occurs on the client side. Waiting until SUBMIT makes almost no sense to check the client side - all it does is save your server and your bandwidth. Indication of errors as they are created usually leads to a higher speed of filling out the form, because for the user it is a simpler experience - the list of errors will not be: "Please correct all errors below." But to ensure data integrity in any case, you still need to have server-side validation. A nightclub bouncer stands in front of the club door, not parked across the road.

+2
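
Added example, not part of any answer on this page: the 9-digit format rule and the out-of-stock check from the two answers above, enforced in a server-side handler that ignores whatever the client claims to have validated. The names `checkSsn`, `handleOrder`, `clientValidated`, the item id and the status codes are assumptions made for the illustration.

```javascript
// Format rule that can be shared: the browser runs it on blur for instant
// feedback, the server runs it again because only that copy can be trusted.
function checkSsn(value) {
  return typeof value === "string" && /^\d{9}$/.test(value)
    ? null
    : "SSN must be exactly 9 digits";
}

// Hypothetical server handler: parsed request body in, response object out.
// `stock` is server-side state the client can neither see nor vouch for.
function handleOrder(body, stock) {
  const errors = [];
  // body.clientValidated is never read: it is client-controlled input.
  const ssnError = checkSsn(body.ssn);
  if (ssnError) errors.push(ssnError);

  const qty = body.quantity;
  if (!Number.isInteger(qty) || qty < 1) {
    errors.push("quantity must be a positive integer");
  }
  if (typeof body.item !== "string" || !stock.has(body.item)) {
    errors.push("unknown item");
  } else if (errors.length === 0 && stock.get(body.item) < qty) {
    // Business rule checked at order time: someone else may have bought it.
    errors.push("item is out of stock");
  }
  if (errors.length > 0) return { status: 422, errors };

  stock.set(body.item, stock.get(body.item) - qty);
  return { status: 201, errors: [] };
}

// Constructed requests: one from the real form, two that never ran its script.
const fromForm = { ssn: "123456789", item: "book-123", quantity: 1, clientValidated: true };
const scriptOff = { ssn: "12345678", item: "book-123", quantity: 1 };
const edited = { ssn: "12345678X", item: "book-123", quantity: -5, clientValidated: true };

function demo() {
  const stock = new Map([["book-123", 1]]); // one copy left
  // The second fromForm arrives after the last copy was sold.
  return [scriptOff, edited, fromForm, fromForm].map((b) => handleOrder(b, stock).status);
}

console.log(demo());
```
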

If you have an application with multiple tables in a database, server-side validation can be just a bunch of constraints (part of the design of your data table). We might think that we do not have any kind of check on the server side, because this is not the average server level, but the database level restrictions.

Then we can say, having the advantage of a relational database - based on Integrity (we know that our data structure is safe). In most cases, we can only use client-side validation to provide the client with feedback on an instance of his actions. Perhaps it is not an important issue to not have additional verification at the server level, in the controllers in any code on the server side.

Thus, we can say that for some / most cases we can only use client-side validation. Server-side validation is a special case, for example: checking that something has already been purchased when a customer submits a purchase form.

It is not a bad idea not to repeat yourself with confirmation from both sides.

Of course, there are applications that require a lot of attention to their data, then not only server-side validation is important (for example, part of the security of the business model, but also testing coverage for most use cases) for client input.

But if this is just a site with several forms ... Then I believe that database restrictions and client-side validation are a good choice.

0