Aditya pratap Singh ji wrote: But still the legends have it that "validation must be client side". So why is that?
Who says that?
Validation must be done on server side; it should be done on client side also.
The server can't trust anything and always has to validate everything for security and data sanity reasons. The client can do anything that supports the user. Because it is nice. And it is the part that users see and may use as a differentiating factor between yours and a different application.
Aditya pratap Singh ji wrote: If we are anyhow gonna validate it again on the server, how would it bring a better user experience? Anyways, the user doesn't know that the data is gonna be validated. So why is that?
Of course the user does know that it is validated if the result is negative. This gives direct feedback without a server roundtrip, thus is faster (up to validating on every keypress), and reduces the load on the server (because it doesn't have to handle every incorrect input).
Aditya pratap Singh ji wrote: But I don't think it would be good if someone edits the client side verification code and enters invalid data in our database.
Have you read the rest of the posts in this topic? No one said server side validation has to be skipped. In fact, everyone has stressed that server side validation is necessary too.
But we can do it on the server and use ajax to send the form data over to the server instead of loading the whole page. So I don't think speed is an issue.
It doesn't matter whether you send just a part of the page or the entire page, minimizing the amount of network traffic between the server and the client always helps, especially in cases where it involves simple client side validations.
Aditya pratap Singh ji wrote: But we can do it on the server and use ajax to send the form data over to the server instead of loading the whole page. So I don't think speed is an issue. I am talking about security. A client side code can be edited. While a server script is always secure unless someone hacks it. We can have multiple servers and hence load on server isn't an issue again. But I don't think it would be good if someone edits the client side verification code and enters invalid data in our database.
Ajax is a server roundtrip, even if it doesn't load the whole page. It puts load on the server (which admittedly may not be an issue for most sites with normal load except when you use schemes where you pay for processing time like Google App Engine). It is much slower, especially on mobile networks (modem times are back).
These may not be issues for a specific project. But you get it for free with an increased UX. You do have to implement the validation logic twice if you use different languages on server and client (e.g. with GWT you could reuse most Java validation on the client).
About security: That is not, in any way, the intended purpose of client side validation. It doesn't do that, and if anyone said so, he was plainly wrong. You always have to do server side validation.
Client side is an additional extra that you may or may not want. Server side is a must.
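The split described in this thread, as an added example (not code from any poster): one hypothetical `validateSignup` rule set runs in the browser for immediate feedback and again on the server, which treats every request body as untrusted. The field names, limits and the in-memory `db` array are assumptions made for the illustration.

```javascript
// Shared rules: the same function runs in the browser and on the server.
// Field names and limits are assumptions made for this example.
function validateSignup(input) {
  const errors = [];
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return ["body must be an object"];
  }
  if (typeof input.username !== "string" ||
      !/^[A-Za-z0-9_]{3,20}$/.test(input.username)) {
    errors.push("username: 3-20 letters, digits or underscore");
  }
  if (!Number.isInteger(input.age) || input.age < 13 || input.age > 120) {
    errors.push("age: integer between 13 and 120");
  }
  return errors;
}

// Client side: instant feedback, and bad input never costs a round trip.
function clientSubmit(form, send) {
  const errors = validateSignup(form);
  if (errors.length > 0) return { sent: false, errors };
  return { sent: true, response: send(JSON.stringify(form)) };
}

// Server side: the body is untrusted, whatever the client did or skipped.
function serverHandle(rawBody, db) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ["malformed JSON"] };
  }
  const errors = validateSignup(body);
  if (errors.length > 0) return { status: 400, errors };
  // Store only the validated fields, not whatever else was posted.
  db.push({ username: body.username, age: body.age });
  return { status: 201, errors: [] };
}

// Constructed demo: a valid form, a form the client stops, and a request
// that never went through the client code at all.
function demo() {
  const db = [];
  const send = (raw) => serverHandle(raw, db);
  const ok = clientSubmit({ username: "alice_1", age: 25 }, send);
  const stopped = clientSubmit({ username: "a", age: 25 }, send);
  const bypass = serverHandle('{"username":"x","age":"25","admin":true}', db);
  return { ok, stopped, bypass, rows: db.length };
}
```

Only the first submission reaches the store: the second is stopped in the client without a round trip, and the third is rejected by the server even though no client check ever ran.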