Can somebody explain what this text means

Tony Johansson

Hello!

I read in a book and it says the following.
The section is about Input validation
"When users enter data, it should be checked to see that data is valid. The
check can happen on the client and on the server. Checking the data on the
client can be done by using JavaScript. However, if the data is checked on
the client using JavaScript, it should also be checked on the server,
because you can never fully trust the client. It is possible to disable
JavaScript in the browser, and hackers can use different JavaScript
functions. It is awfully necessary to check the data on the server. Checking
the data on the client as well leads to better performance, as no round trip
occurs to the server until the data is validated on the client."

I can't figure out what this text means. I mean the best is to validate on
the client if it's possible. I mean for example to validate that a control
has been filled in using the built-in validators in .NET that are implemented
as JavaScript and sent to the client and run in the browser. So if you for
some strange reason disable client script and set EnableClientScript=false all
validation will be done on the server side.

So it seems to me that the text is saying that you should validate both on
the client and on the server, which sounds really strange to me?

So can somebody explain what the above text means?

//Tony
 
andy

Seems pretty straightforward to me.

You should always validate as close to source as possible.
On the client that has to be JavaScript.
But the user can turn javascript off or he could be a naughty hacker.
Client side validation is not definitely going to happen.

So, as well as on the client you should also validate on the server.
Because whilst it's nice to give immediate feedback to the user and
make their experience nice, you also don't want data which would fail
validation to be written to your database.

You need server validation but client side validation improves user
experience.
 
Arne Vajhøj

Well put.

The ultra short summary: server side validation for security,
client side validation for convenience.

Arne
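
The split described in the replies above (server side for security, client side for convenience), as an added example that is not code from the thread or from ASP.NET: a server-side handler that re-checks every form body, whether or not any script ran in the browser. The field names, limits and sample request bodies are assumptions constructed for illustration.

```javascript
// Added example. Field names and limits are assumptions made for illustration.
const RULES = new Map([
  ["username", { required: true, max: 20, pattern: /^[A-Za-z0-9_]+$/ }],
  ["email", { required: true, max: 254, pattern: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ }],
]);

// Shared rule check. The browser may run the same function for instant feedback
// (convenience); the server runs it on every request (security).
// fields: Map of name -> string. Returns a list of { field, problem }.
function validate(fields) {
  const errors = [];
  for (const [field, rule] of RULES) {
    const value = (fields.get(field) ?? "").trim();
    if (value === "") {
      if (rule.required) errors.push({ field, problem: "required" });
    } else if (value.length > rule.max) {
      errors.push({ field, problem: "too long" });
    } else if (!rule.pattern.test(value)) {
      errors.push({ field, problem: "bad format" });
    }
  }
  // Anything the form never defined is rejected rather than silently ignored.
  for (const field of fields.keys()) {
    if (!RULES.has(field)) errors.push({ field, problem: "unexpected" });
  }
  return errors;
}

// Server-side entry point: receives the raw form body exactly as sent, so it
// cannot assume any script ran in the browser before the request was made.
function handleSubmit(rawBody) {
  const fields = new Map();
  for (const [name, value] of new URLSearchParams(rawBody)) {
    if (fields.has(name)) return { status: 400, errors: [{ field: name, problem: "duplicate" }] };
    fields.set(name, value);
  }
  const errors = validate(fields);
  return errors.length ? { status: 400, errors } : { status: 200, errors: [] };
}

// Constructed sample bodies (not taken from the thread).
const SAMPLES = {
  scriptRan: "username=tony_j&email=tony%40example.com",
  scriptDisabled: "username=&email=tony%40example.com",
  sentWithoutForm: "username=" + "a".repeat(500) + "&email=not-an-email&role=admin",
};

for (const [label, body] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(handleSubmit(body)));
}
```

Only the first sample is accepted; the other two never reach storage, even though no client-side check stopped them.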
 
