[thelist] Data validation (Best Practice) - asp/sql server
Robert Gormley
robert at pennyonthesidewalk.com
Thu Nov 18 10:49:06 CST 2004
> I became a bit curious yesterday when I ran into a "Best Practice for
> Validating User Input" article at MSDN that points out...
>
> *> Use stored procedures to validate user input.
>
> I'm wondering the cons and pros of using the database for validation
> versus vbscript?

Without any further context - I can only presume that the logic thus is that
by checking in the database, you could implement a single consistent point
for data validation, and that you have a reasonable chance that it'll be
valid for the DBMS, too.

I don't like it, even remotely. Though there's a duplicity, I'd recommend:

- Low level validation client side (is number, is phone number, email)
- Business (Can this order be delivered to this address?) /and/ low level on
  application/web server.

If you only deliver data to your DBMS that you know to be valid, it's less
back and forth - not to mention the overhead brought about by data going
from client to webserver > app server (if separated) > database server, only
to /then/ be declared invalid, and that invalidity be bubbled back through
that chain to the client.