Jake,
I'm really glad you wrote about this. I've seen your past articles on validation, which have typically been JavaScript, and always thought that they are a nice thing but miss the point.
There are so many ways to hack a web page and avoid JavaScript validation that it's almost not worth doing in my mind. I've seen lots of developers say how much better it is because of saving the roundtrip and processing on the server, and those are the developers I think that must spend their day weeding muck out of their databases due to hack attempts etc. or they are very lucky.
For me, server-side validation is a must. And not just relying on database validation or whatever, but proper validation with user-friendly markup returned to the user to help them complete the process. Adding JavaScript later as a double layer and to prevent the need and delay of a round trip is a bonus, but doesn't get away from the need for server side in the first place.
I've taken this approach with my recent PHP efforts. I've built a validation class that can be applied to the input fields, and the validation is run on the server side in every case. As needed, I'm planning on supplementing the validation class with client-side code insertion so that certain validations can be pushed out to the client, but with the server still validating on the post.
Cheers Dave
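
A sketch of the approach described in the comment above, added here as an example and not Dave's own class: one rule set is enforced on the server for every POST, and the same rules are emitted as HTML5 attributes purely as a convenience for the browser. The class name `FieldRules`, its rule keys and the sample input are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8+). FieldRules and its rule keys are hypothetical names.
final class FieldRules
{
    /** @param array<string, array{required?: bool, pattern?: string}> $rules */
    public function __construct(private array $rules) {}

    /** Authoritative check, run on every POST. Returns field => message. */
    public function validate(array $input): array
    {
        $errors = [];
        foreach ($this->rules as $field => $r) {
            $raw = $input[$field] ?? '';
            if (!is_string($raw)) { // e.g. field[]=x submitted for a scalar field
                $errors[$field] = 'Invalid value.';
                continue;
            }
            $value = trim($raw);
            if ($value === '') {
                if ($r['required'] ?? false) {
                    $errors[$field] = 'This field is required.';
                }
            } elseif (isset($r['pattern'])
                && preg_match('/^(?:' . $r['pattern'] . ')$/Du', $value) !== 1) {
                $errors[$field] = 'The format is not valid.';
            }
        }
        return $errors;
    }

    /** Convenience only: the same rules as HTML5 attributes for the browser. */
    public function clientAttributes(string $field): string
    {
        $r = $this->rules[$field] ?? [];
        $out = ($r['required'] ?? false) ? ' required' : '';
        if (isset($r['pattern'])) {
            $out .= ' pattern="' . htmlspecialchars($r['pattern'], ENT_QUOTES, 'UTF-8') . '"';
        }
        return $out;
    }
}

// Patterns must not contain "/" because it is the regex delimiter used above.
$rules = new FieldRules(['username' => ['required' => true, 'pattern' => '[A-Za-z0-9_]{3,20}']]);
// Constructed POST body from a client that never ran the browser-side checks.
print_r($rules->validate(['username' => 'not a valid name!']));
echo '<input name="username"' . $rules->clientAttributes('username') . ">\n";
```

Because the attributes are generated from the rules that `validate()` enforces, removing them in the browser changes nothing about what the server accepts.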