I have read from one of the blog, for security reasons, its suggested to do the input data validation at the server side not the client side.
From the above statement, My mind started to ask then 1) what kind 开发者_C百科of validation i can do with JS in the client side. 2) Is there any rule where any programmers can decide where the validation needs to be performed, whether at the client side or the Server side?
I am building Java based web application
You can do any kind of validation on the client, but you must never rely on that validation.
For UI purposes it is often a good idea to validate on the client since the response time is faster. But since the user can always turn off client side validation (e.g. by turning off JavaScript), you must never rely on it to actually have been performed and re-validate your input on the server.
In general, if the checks are critical to security, don't do it on a system the user can control.
Well,What happens when a hacker replaces your javascript with one of their liking, or just plain submit POSTs and GETs as if it were your code?
Validating at the client is a usability issue.
Validating at the point of USAGE is a security issue.
For instance, you validate data against SQL injection before storing in a SQL database -- the library will do that for you if you choose a good one. You validate data against CSS when you display it as HTML. But if you expose the data it as XML, RSS or JSON, then the validation is different -- if you validated it just at input, you wouldn't prevent exploits for the other formats, AND your input routine would be tied to the output formats you choose.
THE RULE:-- Client validation can be circumvented easily. You should always validate sensitive data on server, regardless of client validation. Validating them on client too is just a matter of improved user experience.
If the user disables javascript your validation will not take place on the client side, on the other side having only server side validation means that the user has to wait for the call to end (client to server and then back), it can become frustrating for him.
The client side validation is there to keep the user happy, so that he does not have to wait too much to see that he misspelled the mail address.
I think the main point is that you should be paranoid on the server side, not assuming that data passed to you has been correctly validated by the client. The client may be an older version which does not properly validate something, or validation may be disabled - or the request may be even coming from a cracker, attempting to break the system.
Of course, part (or all) of the validation can be performed on the client side too, to avoid useless network traffic and cut down latency.
Client side validation is only there to save the client time, so when they input and invalid value it says "Bad value" without the page needing to reload.
Client side validation though should be treated as NO validation, as clients can disable this validation and input bad values.
The server should always validate entered data. Client validation is only for usability.
精彩评论