[thelist] Server vs. Client Validation

Ken Kogler ken.kogler at curf.edu
Thu Dec 5 14:15:01 CST 2002

> Does anyone have any thoughts on the
> cost/benefits of server side field validation
> vs. running it on the client side?

> Should both be done for security?

As a general rule, do both. But it really depends on the application.

If you're relying on client-side validation, and I turn JavaScript off,
then I can defeat any validation you've done... Not terribly important
if you're checking to make sure a phone number is entirely numeric, but
if you're validating db input, I could defeat your
"security" and do some sort of SQL injection...

On the other hand, if you're just doing server validation, and I'm using
a laptop/cellphone for internet access (at a whopping 14.4Kb/sec!), then
I'm not going to appreciate waiting for a second page to load to inform
me of a typo... I'd much rather have client side validation in that

So the short answer is: do both if you're not really really sure what
your audience will do with the form... I've got a contact form (e-mail)
on my website, and it used to come through all the time with blank email
addresses -- until I added both client and server-side validation.

So do what works for you... :)


More information about the thelist mailing list