I have a text box on a page, and when the user clicks "Submit" I grab the text field and post it with jQuery like this:
$("#text_submit").submit(function(event) {
  var user_text = $("input#user_text").val(); // read the text field
  $.post("/create/", { text: user_text }, function(data) {
    // display response from server on the page
  });
  event.preventDefault(); // stop the normal form submission
});
Then on the server side I'll validate the text (it's supposed to be a URL) and return a response.
Is it safe to post whatever the user puts in the text box to the server? Do I need to do any client-side validation of the user's text?
I disagree with the above posts that server side is a double check or a secondary measure. Server-side validation is the only measure. Client-side validation can be bypassed. JavaScript can be disabled.
I think of client-side validation as more helpful for the user. It prevents having to POST for simple malformed data errors and provides instant feedback to the user on mistakes.
For security though, server-side validation is all you can rely on.
Also see: JavaScript: client-side vs. server-side validation
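To make the point of this answer concrete: the following is an added example (not the asker's code and not from any answer) of a server-side check for the /create/ handler from the question, which expects the posted "text" to be a URL. It uses the WHATWG URL parser available in Node and browsers; the allowed schemes and the length limit are assumptions.

```javascript
// Added example: server-side validation of the posted "text" field, which the
// question says should be a URL. Illustrative code, not the asker's app; the
// allowed schemes and the length limit are assumptions.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const MAX_LENGTH = 2048; // assumed upper bound for a submitted URL

// Returns { ok: true, url } with the normalized URL, or { ok: false, reason }.
// Because it only uses the URL class, the same function can run in the
// browser for instant feedback; the server still runs it on every request.
function validateUrlInput(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  const text = raw.trim();
  if (text.length === 0) return { ok: false, reason: "empty" };
  if (text.length > MAX_LENGTH) return { ok: false, reason: "too long" };
  let url;
  try {
    url = new URL(text); // throws on anything the parser cannot handle
  } catch (e) {
    return { ok: false, reason: "not a URL" };
  }
  // "javascript:", "data:", "file:" etc. all parse fine, so an explicit
  // allowlist of schemes is required rather than relying on the parser.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: "scheme not allowed" };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  return { ok: true, url: url.href };
}

// Framework-agnostic handler for POST /create/: takes the parsed request
// body and returns { status, body }. It does not assume the client
// validated anything, since that step can be skipped or disabled.
function handleCreate(body) {
  const result = validateUrlInput(body && body.text);
  if (!result.ok) return { status: 400, body: { error: result.reason } };
  return { status: 200, body: { saved: result.url } };
}
```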
It depends on what the content is and how you want to validate it. I would always validate first on the client and validate on the server as a secondary measure if JavaScript is turned off.
As a general rule of thumb (at least in security) you should trust no user, so I think it would be the wise choice to validate the data client-side (it's also faster) and then, if the first validation passed, validate it server-side, to "double-check" (or to have a safety net if the user has JavaScript turned off, something you don't see THAT often).