Why client side verification?

Aditya pratap Singh ji
Greenhorn
Posts: 6
Why should we make client side verification while we can easily make server side verifications with more control and secrecy? Why use JavaScript rather than verifying a form with PHP??
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66304
One should never forgo server-side validation. Client-side validation is for improved user experience; it should never be relied upon by the server.
 
Aditya pratap Singh ji
Greenhorn
Posts: 6
Why so? I mean, one can edit things on the client side. But server scripts are secured. One can simply edit the validation code on the client side and enter some wrong form data. So why should we do it on the client side?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66304
As I said, to bring a better user experience to the user. And again, regardless of whether client-side validation is performed or not, server-side validation is a must.
 
Aditya pratap Singh ji
Greenhorn
Posts: 6
But still the legends have it that "validation must be client side". So why is that? If we are anyhow gonna validate it again on the server, how would it bring a better user experience? Anyways, the user doesn't know that the data is gonna be validated. So why is that?
 
lakthiagi narayanan
Greenhorn
Posts: 3
Client side verification - You want to validate input on the client side first because you can give better feedback to the average user. For example, if they enter an invalid email address and move to the next field, you can show an error message immediately. That way the user can correct every field before they submit the form. Instead, if you validate on the server, they have to submit the form to the server, wait for the response, get an error message, and try to hunt down the problem. This can avoid time delays for beginner users.
 
Hauke Ingmar Schmidt
Rancher
Posts: 436
Aditya pratap Singh ji wrote: But still the legends have it that "validation must be client side". So why is that?


Who says that?

Validation must be done on the server side; it should be done on the client side also.

The server can't trust anything and always has to validate everything for security and data sanity reasons. The client can do anything that supports the user. Because it is nice. And it is the part that users see and may use as a differentiating factor between your and a different application.

Aditya pratap Singh ji wrote: If we are anyhow gonna validate it again on the server, how would it bring a better user experience? Anyways, the user doesn't know that the data is gonna be validated. So why is that?


Of course the user does know that it is validated if the result is negative. This gives direct feedback without a server roundtrip, thus is faster (up to validating on every keypress), and reduces the load on the server (because it doesn't have to handle every incorrect input).
 
Aditya pratap Singh ji
Greenhorn
Posts: 6
But we can do it on the server and use ajax to send the form data over to the server instead of loading the whole page. So I don't think speed is an issue. I am talking about security. A client side code can be edited. While a server script is always secure unless someone hacks it. We can have multiple servers and hence load on server isn't an issue again. But I don't think it would be good if someone edits the client side verification code and enters invalid data in our database.
 
Jaikiran Pai
Sheriff
Posts: 10447
Aditya pratap Singh ji wrote: But I don't think it would be good if someone edits the client side verification code and enters invalid data in our database.


Have you read the rest of the posts in this topic? No one said server side validation has to be skipped. In fact, everyone has stressed that server side validation is necessary too.

Aditya pratap Singh ji wrote: But we can do it on the server and use ajax to send the form data over to the server instead of loading the whole page. So I don't think speed is an issue.


It doesn't matter whether you send just a part of the page or the entire page, minimizing the amount of network traffic between the server and the client always helps, especially in cases where it involves simple client side validations.
 
Hauke Ingmar Schmidt
Rancher
Posts: 436
Aditya pratap Singh ji wrote: But we can do it on the server and use ajax to send the form data over to the server instead of loading the whole page. So I don't think speed is an issue. I am talking about security. A client side code can be edited. While a server script is always secure unless someone hacks it. We can have multiple servers and hence load on server isn't an issue again. But I don't think it would be good if someone edits the client side verification code and enters invalid data in our database.


Ajax is a server roundtrip, even if it doesn't load the whole page. It puts load on the server (which admittedly may not be an issue for most sites with normal load except when you use schemes where you pay for processing time like Google App Engine). It is much slower, especially on mobile networks (modem times are back).

These may not be issues for a specific project. But you get it for free with an increased UX. You do have to implement the validation logic twice if you use different languages on server and client (e.g. with GWT you could reuse most Java validation on the client).

About security: That is not, in any way, the intended purpose of client side validation. It doesn't do that, and if anyone said so, he was plainly wrong. You always have to do server side validation.

Client side is an additional extra that you may or may not want. Server side is a must.
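
The division of labour described in this thread, as an added example that is not part of the original posts: one rule set gives the browser instant feedback, and the server runs the same rules again on whatever actually arrives. The field names, rules and the `handleSubmit` function are assumptions made for illustration.

```javascript
// One rule set, usable in the browser (instant feedback) and on the
// server (the authoritative check). Field names are assumptions.
const RULES = {
  email: v => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) || 'invalid email address',
  age: v => (/^\d{1,3}$/.test(v) && +v >= 13 && +v <= 120) || 'age must be 13-120',
  username: v => /^[A-Za-z0-9_]{3,20}$/.test(v) || 'username must be 3-20 letters, digits or _',
};

// Returns { field: message } for every field that fails; {} means valid.
function validate(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = typeof fields[name] === 'string' ? fields[name] : '';
    const result = value === '' ? 'required' : rule(value);
    if (result !== true) errors[name] = result;
  }
  return errors;
}

// Server side: parse the raw urlencoded body and validate it again.
// Nothing the client sends (such as a "validated" flag) is trusted.
function handleSubmit(rawBody) {
  const params = new URLSearchParams(rawBody);
  const fields = {};
  for (const name of Object.keys(RULES)) {
    // A repeated parameter is rejected rather than silently picking one.
    const all = params.getAll(name);
    fields[name] = all.length === 1 ? all[0] : undefined;
  }
  const errors = validate(fields);
  if (Object.keys(errors).length > 0) return { status: 422, errors };
  return { status: 200, accepted: { ...fields, age: Number(fields.age) } };
}

// Constructed requests: one from the form, one sent directly to the
// endpoint with the browser checks skipped.
const fromForm = 'email=ann%40example.com&age=30&username=ann_1';
const bypassed = 'email=not-an-email&age=-5&username=a&validated=true';
console.log(handleSubmit(fromForm));
console.log(handleSubmit(bypassed));
```

In the browser, `validate` can be called on blur or keypress to show messages next to each field; the server's answer stays the same whether or not that happened.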
 
Aditya pratap Singh ji
Greenhorn
Posts: 6
Mr. Schmidt,
Thank you for your kind, humble and informative reply.
 