10

Do you use both Client-side and Server-side validation techniques side by side when validating input from a user, e.g. via a contact form?

If so, is it really necessary? Are you over engineering?

gnat
TeaDrinkingGeek

5 Answers

27

Yes, and you should.

This maintains instant user feedback without wasted postbacks whilst also guarding against users disabling JavaScript.

This is how the ASP.NET Validation Controls work.

It is certainly not over-engineering as using one without the other has drawbacks.

billy.bob
6

If so, is it really necessary?

Yes.

Are you over engineering?

No.

Front-end validation can give immediate feedback if it's a rich interface.

Back-end can be used by multiple front-ends. And it's the only validation for the HTML-only (no javascript) fall-back plan.

S.Lott
6

One of the first fundamentals that I learnt about security was that hackers will never use your UI.

Any client side validation can normally be easily bypassed in web apps if they have their own local version of your form and then submit it back to your server.

Client side validation is great though for improving your user experience and reducing unnecessary round trips to the server to perform validation.

Bruce McLeod
  • +1, I've seen too many examples where validation was done entirely on the client side – Karl Mar 01 '11 at 14:16
2

Server side validation should be the bare minimum.

And for input that is likely to be wrong, you should also add a client side check.

For example: check if the email is correctly formatted on both the client and server side but checking if it's unique could be a server side check.

Carra
  • 1
    "Checking it's unique" is verification NOT validation so this doesn't apply. [Understand the difference.](http://www.matthewedmondson.info/2010/08/difference-between-validation-and.html) – billy.bob Mar 01 '11 at 11:37
  • 2
    Did you even read what you post? Checking that email is unique **is** validation. Checking, say, that email and password are valid credentials is verification. In any case, it is just a terminology issue. – Andrea Mar 01 '11 at 13:57
1

Yes, it's not a bad idea to use both. If simple user input errors can be caught on the client side then it makes sense to tell the user about those errors before sending data and bogging down your server. For example, if the user entered something that does not look like an email address in the 'email' field, or entered a string only 5 chars long in the password field and you know your site requires the password to be at least 6 chars long, then you should tell the user about it before sending anything to the server.

It's important to also duplicate the exact same validation on the server, for 2 reasons:

  1) What if the user has JavaScript disabled?
  2) The user maliciously tried to bypass your client-side validation, which is really easy.

Dmitri
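The pattern the answers above describe (billy.bob's instant feedback without wasted postbacks, S.Lott's back-end that also serves the no-JavaScript fall-back, Bruce McLeod's point that an attacker never uses your UI, Carra's uniqueness check that only the server can do, and Dmitri's e-mail and six-character password rules), as an added JavaScript example that is not part of the original question or any of the answers. The field names, the e-mail pattern, the `#signup` and `#errors` element ids, the `showErrors` helper and the in-memory set of existing users are all assumptions made for illustration.

```javascript
// Added example (not from the original Q&A): one set of validation rules
// shared by the browser and the server, so the server always re-checks
// what the client checked. Field names, rules and messages are assumptions.

// Conservative e-mail shape check: local@domain with a dotted domain.
// Deliberately stricter than RFC 5322; it catches obvious typos, it does
// not prove deliverability.
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@.]+(\.[^\s@.]+)+$/;
const PASSWORD_MIN = 6; // the length rule quoted in the answers

// Pure function: the same code runs in the browser (instant feedback) and
// on the server (authoritative). Returns field -> error message; an empty
// object means the submission passes the format rules.
function validateSignup(fields) {
  const errors = {};
  const email = typeof fields.email === 'string' ? fields.email.trim() : '';
  const password = typeof fields.password === 'string' ? fields.password : '';

  if (email === '') {
    errors.email = 'E-mail is required';
  } else if (email.length > 254 || !EMAIL_RE.test(email)) {
    errors.email = 'E-mail address does not look valid';
  }
  if (password.length < PASSWORD_MIN) {
    errors.password = `Password must be at least ${PASSWORD_MIN} characters`;
  }
  return errors;
}

// Assumed minimal renderer for the browser: one line per failed field.
function showErrors(errors) {
  const box = document.querySelector('#errors');
  if (box) {
    box.textContent = Object.entries(errors).map(([f, m]) => `${f}: ${m}`).join('\n');
  }
}

// Browser side (assumed DOM): stop the postback if the shared rules fail.
// Guarded so the same file also loads under Node, where there is no DOM.
if (typeof document !== 'undefined') {
  const form = document.querySelector('form#signup');
  if (form) {
    form.addEventListener('submit', (ev) => {
      const data = Object.fromEntries(new FormData(form).entries());
      const errors = validateSignup(data);
      if (Object.keys(errors).length > 0) {
        ev.preventDefault(); // no round trip for an obviously bad form
        showErrors(errors);
      }
    });
  }
}

// Server side (framework-agnostic handler): the body may come from a browser
// that ran the check above, from curl, or from a copied form with the script
// removed. The server cannot tell and does not try to; it re-runs the same
// rules and adds the check only it can do (is the address already taken?).
const existingUsers = new Set(['taken@example.com']); // constructed sample data

function handleSignup(body) {
  const errors = validateSignup(body);
  if (Object.keys(errors).length === 0) {
    const key = body.email.trim().toLowerCase();
    if (existingUsers.has(key)) {
      errors.email = 'An account with that e-mail already exists';
    } else {
      existingUsers.add(key);
      return { status: 201, body: { ok: true } };
    }
  }
  return { status: 400, body: { errors } };
}

// Simulated bypass: what an attacker's hand-made POST looks like to the
// server once the client-side check has been skipped entirely.
function demoBypass() {
  const forged = { email: 'not-an-email', password: '123' };
  return handleSignup(forged).status; // 400: the server rejects it regardless
}
```

Because `validateSignup` is pure and has no DOM or server dependencies, the same file can be served to the browser and loaded by the server, which removes the usual drift between the two copies of the rules; the server-only uniqueness check lives in `handleSignup`, where the client could never perform it anyway.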