I have a Jsp which takes some form inputs from the user and sends it to a servlet. The servlet routes it to the appropriate CRUD operation depending on the button user selected. there is DAO class to create conection to the datasource. now where should the validations for the form inputs be done. 'client side' or 'server side'? and what does these terms mean.
is it true that if validations are done client side then there are chances of the browser ignoring them.
It's all about risk..
[ October 26, 2005: Message edited by: James Clinton ]
Its always safe to go with server-side validation.
The J2EE client, such as a JSP/servlet should validate the data but doesn't neccessarily have to. If the service has exactly one consumer and this consumer is completely controlle by you then you are safe to put 100% of the validation here and none in the server side. Alternatively, if you have many consumers and/or the consumers aren't controller by you such as in a web service, 100% of the validation should exist on the server irregardless of what is put here.
I've found in general the server does need to do all the validation since there are some conditions, like determining if user all ready exists before adding a new one, should only be done inside the scope of a server side transaction.
New/Old Issue related to this:
One issue that gave me a headache once was determining which level character field length should be validatd, such as name having max length of 30. If the database is set up for a max length of 30, the database is all ready validating this and will never allow the transaction to complete if name is greater than 30 so the server is safe. If the HTML form is set up to only allow 30 characters in the form, then it is validating this as well. The question becomes do any of the middle layers need to validate this thereby adding 3+ validation for the same data? Reasons why they shouldn't include that this may be database dependent, so maintainability is a problem. Reasons why they should include you want a clean message sent to the user indicating the precise problem, not some database exception or system error.
Originally posted by Stan James:
Yeah. I am using Jakarta Commons Validator with JSF framework. It is working like charm.