Posted to user@struts.apache.org by "Trieu, Danny" <DT...@downeysavings.com> on 2003/04/15 20:53:03 UTC

RE: Why validate on the server side and not on the client side using JavaScript???? help

I guess what I need is a list of all the convincing facts to make a suggestion
to my peers to do validation on the server side and not on the client
side, and not even on both the server and the client side.

Thanks,

danny

-----Original Message-----
From: David Graham [mailto:dgraham1980@hotmail.com] 
Sent: Tuesday, April 15, 2003 11:47 AM
To: struts-user@jakarta.apache.org
Subject: Re: Why validate on the server side and not on the client side
using JavaScript???? help


One thing you can do is to set up your non-validating app in a test 
environment.  Prepare a program that hacks your webapp and corrupts your 
data and demonstrate it in a meeting.  Or, even easier, just turn off your 
JavaScript and submit a form with bad data.

David


>From: "Trieu, Danny" <DT...@downeysavings.com>
>Reply-To: "Struts Users Mailing List" <st...@jakarta.apache.org>
>To: "'struts-user@jakarta.apache.org'" <st...@jakarta.apache.org>
>Subject: Why validate on the server side and not on the client side using 
>JavaScript???? help
>Date: Tue, 15 Apr 2003 11:14:07 -0700
>
>Hi all,
>
>Can you help point out references to materials that will convince people to
>validate inputs on the server side.
>
>Thanks,
>
>danny




---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org



Re: Why validate on the server side and not on the client side using JavaScript???? help

Posted by Ian Hunter <ih...@hunterweb.net>.
I recommend both -- let the client developers do their validation, and let
the "model" / business object developers do *their* validation -- typically
different conditions are being checked for, with some overlapping.



RE: client- vs. server-side validation

Posted by Robert Sartin <sa...@navanax.org>.
--- Mark Galbreath <ma...@qat.com> wrote:
> validation. No user turns off JavaScript anymore and, in fact, I
> doubt there are more than a handful of developers on this list that 
> even know HOW to turn it off in IE 6.0.  

This is simply not true. I know a lot of non-developer users (primarily
people with limited vision or mobility, but also others) who routinely
disable JavaScript. I (a developer) usually run with JavaScript turned
off in IE 6.

Regards,

Rob




RE: client- vs. server-side validation

Posted by Mark Galbreath <ma...@qat.com>.
This is a perennial issue on this list and has evoked more than a couple of
religious wars.  The best practice is to use both client- and server-side
validation. No user turns off JavaScript anymore and, in fact, I doubt there
are more than a handful of developers on this list that even know HOW to
turn it off in IE 6.0.  In short, both have their advantages and
disadvantages and are not mutually exclusive.  Further, judging from the
number of questions regarding the Struts Validator (see archive),
client-side validation may be necessary; on my last gig I wrote my own
server-side validator because I couldn't get Validator to work properly.

Mark

-----Original Message-----
From: Roberto Amorim [mailto:roberto@edsonqueiroz.com.br] 
Sent: Wednesday, April 16, 2003 8:17 AM
To: Struts Users Mailing List
Subject: Re: Why validate on the server side and not on the client side
using JavaScript???? help


IMHO you can include some validation on the client side to increase 
performance; some validations, like not-null attributes, are easily 
detected on the client side and you wouldn't need to submit a page to check 
these problems. But you should repeat those validations on the server side too.
Regards
Roberto




Re: Why validate on the server side and not on the client side using JavaScript???? help

Posted by Roberto Amorim <ro...@edsonqueiroz.com.br>.
IMHO you can include some validation on the client side to increase 
performance; some validations, like not-null attributes, are easily 
detected on the client side and you wouldn't need to submit a page to check 
these problems. But you should repeat those validations on the server side too.
Regards
Roberto




RE: Why validate on the server side and not on the client side using JavaScript???? help

Posted by Mike Jasnowski <mj...@bea.com>.

Do you have a security officer at your company? They should be able to
present the reasons why it's a bad idea to not do validation in the server
code from a security perspective.  Security aside, what if the client
manages to pass bad data despite client validation?  Many bugs/holes in
security are found simply by trying random variations of input data until
they get the desired effect.



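
The case raised in this thread, a form body that reaches the server without the page's JavaScript ever having run, as an added example (not code from any poster or from Struts). The field names, rules, handler functions and sample body are hypothetical and constructed for illustration.

```javascript
// Added example; field names, rules and handlers are hypothetical.
const RULES = {
  account: { required: true, pattern: /^[0-9]{8}$/ },
  amount: { required: true, pattern: /^[0-9]{1,6}(\.[0-9]{2})?$/, min: 0.01, max: 5000 },
  memo: { required: false, maxLength: 40 },
};
const known = (name) => Object.prototype.hasOwnProperty.call(RULES, name);
// Constructed sample: a form body submitted with JavaScript turned off.
const SAMPLE_BAD = 'account=12345678&amount=-100';

// Check exactly what arrived on the wire, whatever the browser did or did not run.
function validateOnServer(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = new Map(); // a Map, so a field named "__proto__" is recorded like any other
  const clean = {};
  for (const name of params.keys()) {
    if (!known(name)) errors.set(name, 'unexpected field');
  }
  for (const [name, rule] of Object.entries(RULES)) {
    const values = params.getAll(name);
    if (values.length > 1) { errors.set(name, 'duplicate field'); continue; }
    const value = values.length ? values[0].trim() : '';
    if (value === '') {
      if (rule.required) errors.set(name, 'required');
      continue;
    }
    if (rule.maxLength && value.length > rule.maxLength) { errors.set(name, 'too long'); continue; }
    if (rule.pattern && !rule.pattern.test(value)) { errors.set(name, 'bad format'); continue; }
    if ('min' in rule && (Number(value) < rule.min || Number(value) > rule.max)) {
      errors.set(name, 'out of range');
      continue;
    }
    clean[name] = value;
  }
  return { ok: errors.size === 0, errors, clean };
}

// Handler that relies on client-side JavaScript: stores whatever it is sent.
function handleTrusting(rawBody, store) {
  store.push(Object.fromEntries(new URLSearchParams(rawBody)));
  return 200;
}

// Handler that validates again on the server: stores only checked values.
function handleValidating(rawBody, store) {
  const result = validateOnServer(rawBody);
  if (!result.ok) return 400;
  store.push(result.clean);
  return 200;
}
```

Given `SAMPLE_BAD`, `handleTrusting` stores the negative amount and returns 200, while `handleValidating` returns 400 and stores nothing.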