[thelist] Client-side or Server-side Form Validation?

Ken Schaefer ken at adOpenStatic.com
Tue Oct 12 17:39:44 CDT 2004


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Rob Smith" <rob.smith at THERMON.com>
Subject: [thelist] Client-side or Server-side Form Validation?


: Which do you prefer? Client-side or Server-side
: form validation? All languages/platforms are up for
: grabs here. This is general web development
: preference.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Client-side script is for the benefit of the user only. You need server-side 
validation of all input for the purposes of protecting your app. There is no 
way you can validate anything by running code on a machine that is 
completely controlled by the attacker. Because the attacker controls their 
machine, they can do anything they want and as a consequence anything that 
comes from that machine needs to be treated as untrusted until you validate 
it server-side.

Cheers
Ken 
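An added example, not part of the original post: a server-side check that re-validates every field even though the HTML form already constrains it. The field names, plan names, prices and sample inputs are constructed for illustration.

```javascript
// Authoritative allowlist and prices live on the server (constructed values, in cents).
const PLANS = new Map([['basic', 500], ['pro', 1500]]);
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,255}$/; // loose shape check only
const QTY_RE = /^[0-9]{1,2}$/;                   // digits only: no sign, no exponent

// fields: raw values parsed from the POST body. Everything in it is untrusted.
function validateOrder(fields) {
  const errors = [];
  // Non-string values (missing or repeated parameters) are treated as empty.
  const get = (k) => (typeof fields[k] === 'string' ? fields[k].trim() : '');

  const email = get('email');
  if (!EMAIL_RE.test(email)) errors.push('email');

  // The form offers a <select> with two options; the server checks the allowlist anyway.
  const plan = get('plan');
  if (!PLANS.has(plan)) errors.push('plan');

  // The form has min=1 max=10; type and range are checked again here.
  const qtyText = get('quantity');
  const quantity = QTY_RE.test(qtyText) ? Number(qtyText) : NaN;
  if (!(quantity >= 1 && quantity <= 10)) errors.push('quantity');

  if (errors.length > 0) return { ok: false, errors };
  // A client-supplied "price" is never read; the total comes from server data.
  const totalCents = PLANS.get(plan) * quantity;
  return { ok: true, errors, order: { email, plan, quantity, totalCents } };
}

// Constructed inputs: one as the browser form would send it, two that did not
// pass through the form's client-side script at all.
const fromBrowser = { email: 'user@example.com', plan: 'pro', quantity: '2', price: '3000' };
const handCrafted = { email: 'user@example.com', plan: 'gold', quantity: '-5', price: '1' };
const tamperedPrice = { email: 'user@example.com', plan: 'pro', quantity: '2', price: '1' };

console.log(validateOrder(fromBrowser));   // accepted, total 3000
console.log(validateOrder(handCrafted));   // rejected: plan, quantity
console.log(validateOrder(tamperedPrice)); // accepted, total still 3000
```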


