Right way for input validation?

 
Alex Turbado
When you've got a Servlet as a Controller in the MVC model, what is the best way for validating user input? To create a special class (something like "Validator") invoked by the Controller that implements all the user input validation before calling the model, or directly call the model and let the new bean validation do its job, and then handle the errors on the Controller?

Thank you!!
 
Bear Bibeault
As usual, there's no one "right" way.

The questions to ask are:

Where is the knowledge? What layer knows what the validation rules should be? Is it the controller? Or is it the model?

The model should be independent of the controller, right? So if you take the controller away, can the model stand on its own? Or is it implicitly depending upon things that are happening in the controller?
 
Alex Turbado
Thank you for the reply

Following that logic, it seems the validation has to be in both the Controller and the Model, because the model, for example, always has a background storage (DB or others) with a limited length for all the fields, and for this fact it has to control those lengths, but the Controller has to control things like not receiving XSSed input and others...

Am I right?
 
Bear Bibeault
Explain why you feel that data cleansing "needs" to happen in the controller. (I'm not saying it can't, but you made an assertion without backing it up.)
 
Alex Turbado
As I said, with things that are protocol-dependent, for example searching for XSS, searching for forbidden HTTP protocols, searching for unexpected parameters on the HTTP request... things that the model doesn't have to be aware of.

I don't know if I'm right or not
 
Bear Bibeault
OK, but the point I'm making is that you need to make sure that the model can operate independently from the controller. So, for example, if the controller handles sanitizing HTML characters for protecting against script injection, will the model fail, or be subject to attacks, if the controller goes away?
 
Alex Turbado
Ok, ok, I understand now.

My last question is: is it correct to duplicate validation? For example, as we've talked, I understand that a length test of a field necessarily has to be enforced on the model, but is it correct to do it also on the controller?
 
Bear Bibeault
Double edged sword:

One edge: If validation happens in more than one place, they all need to be kept in sync as to what the validation is to be.

Other edge: It's good to report failures at the highest level where more information as to the environment of the error is available.

So, as with almost everything else, it's an engineering balancing act.

Third edge (of a sword?): It's very common for web apps to perform client-side validation so that bad data never gets submitted in the first place. This validation can never be counted upon, so the server must validate the input regardless. So, validation already frequently occurs on at least two levels in many web apps.

For what it's worth, my apps frequently perform validation at multiple levels: client, controller (limited), and model (thorough).
 
Alex Turbado
Understood. Many thanks for the answers!!
 
Poonam zara
I am looking for this type of post about servlets.
 
Ekene Wisdom
What I do is: client (little), controller (thorough) and model (none). Is this OK? If not, what's wrong with it?
 
Bear Bibeault
In practical terms, as the model is designed to work separately from the other layers, if it performs no validation, any other user interface that uses the same model needs to repeat the validations performed in the controller of the original application.

From the architectural point of view, it violates Separation of Concerns as you have the controller making decisions on behalf of the model.
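The split Bear describes, limited protocol-level checks in the controller and thorough checks in a model that stands on its own, as an added illustration that is not code from this thread. It is plain Java with no servlet API: the parameter Map stands in for HttpServletRequest.getParameterMap(), and the field name, length limit and allowed-character set are assumed values.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Controller: only checks that belong to the HTTP layer (expected parameters, cardinality).
// The Map stands in for HttpServletRequest.getParameterMap() so this compiles without the servlet API.
final class ProfileController {
    private static final Set<String> EXPECTED = Set.of("displayName");   // assumed form field

    static List<String> validateRequest(Map<String, String[]> params) {
        List<String> errors = new ArrayList<>();
        for (String name : params.keySet())
            if (!EXPECTED.contains(name)) errors.add("unexpected parameter: " + name);
        String[] values = params.get("displayName");
        if (values == null || values.length != 1) errors.add("displayName must be sent exactly once");
        return errors;
    }

    static String handle(Map<String, String[]> params) {
        List<String> errors = validateRequest(params);
        if (!errors.isEmpty()) return "400 " + String.join("; ", errors);
        try {
            UserProfile p = new UserProfile(params.get("displayName")[0]);
            return "200 saved " + p.displayName();
        } catch (IllegalArgumentException e) {
            return "400 " + e.getMessage();   // model rejected it; the controller knows how to report that over HTTP
        }
    }

    public static void main(String[] args) {   // constructed sample requests
        System.out.println(handle(Map.of("displayName", new String[]{"Ada Lovelace"})));
        System.out.println(handle(Map.of("displayName", new String[]{"<b>x</b>"})));
        System.out.println(handle(Map.of("displayName", new String[]{"Ada"}, "isAdmin", new String[]{"true"})));
    }
}

// Model: enforces its own invariants, so it stays safe even if this controller is replaced or removed.
final class UserProfile {
    static final int MAX_NAME_LEN = 40;   // assumed width of the backing column (constructed value)
    private final String displayName;

    UserProfile(String displayName) {
        if (displayName == null || displayName.isBlank())
            throw new IllegalArgumentException("displayName is required");
        if (displayName.length() > MAX_NAME_LEN)
            throw new IllegalArgumentException("displayName exceeds " + MAX_NAME_LEN + " characters");
        // Allow-list of characters rather than searching for "bad" markup: the model does not trust the caller.
        if (!displayName.matches("[\\p{L}\\p{N} .'-]+"))
            throw new IllegalArgumentException("displayName contains characters outside the allowed set");
        this.displayName = displayName;
    }
    String displayName() { return displayName; }
}
```

Run with `java ProfileController.java` (Java 11 or newer); the view layer still has to HTML-encode `displayName` on output, since the model's allow-list is an invariant on stored data, not a substitute for output encoding.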
 