[thelist] Data validation (Best Practice) - asp/sql server

Robert Gormley robert at pennyonthesidewalk.com
Thu Nov 18 10:49:06 CST 2004


> I became a bit curious yesterday when I ran into a "Best Practice for
> Validating User Input" article at MSDN that points out...
> 
> *> Use stored procedures to validate user input.
> 
> I'm wondering the cons and pros of using the database for validation
> versus VBScript?

Without any further context - I can only presume that the logic thus is that
by checking in the database, you could implement a single consistent point
for data validation, and that you have a reasonable chance that it'll be
valid for the DBMS, too.

I don't like it, even remotely. Though there's a duplicity, I'd recommend:

Low level validation client side (is number, is phone number, email)

Business (Can this order be delivered to this address?) /and/ low level on
application/web server.

If you only deliver data to your DBMS that you know to be valid, it's less
back and forth - not to mention the overhead brought about by data going
from client to web server > app server (if separated) > database server, only
to /then/ be declared invalid, and that invalidity be bubbled back through
that chain to the client.


