>Should both be done for security? Server-side should be done for security (since some users won't have JavaScript enabled). Client-side should be done because it can save trips to the server, so it can be more user-friendly. I try to always do both. Scott Brady