Win a copy of Android Programming: The Big Nerd Ranch Guide this week in the Android forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

Server-side validation for boolean  RSS feed

 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am working on a page where a yes/no field needs to be added. The requirement is this:

1) Show a yes/no check box on the front end
2) Show an error if the user doesn't make a selection
3) Pass the value to the back end

Should I do a back end check for this? The reason I ask this is because there are other boolean fields on this page that someone else added; they have made those fields Boolean and added null check for those fields.

I don't understand why that Boolean variable is required? Are these kind of fields validated only in the front end?

Thank you.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What kind of page? A JSP?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:
1) Show a yes/no check box on the front end
2) Show an error if the user doesn't make a selection

That makes no sense at all. A check box is either checked or not checked. What does it even mean for the user not to make a selection?
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear, I'm so sorry.. it's a radio button, not a check box.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Make one of the radio buttons checked by default. That way there is no error to check.

Designer's rule #2: eliminate the possibility of user error
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you, Bear. I don't think I'm allowed to do that because there are a lot of other radio buttons and they are not designed that way. Is there an alternative?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:Thank you, Bear. I don't think I'm allowed to do that because there are a lot of other radio buttons and they are not designed that way. Is there an alternative?


That is how they should be deigned. How are the other radio sets designed?
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
They don't have any default values selected.

Also, the form is allowed to "true/false" values only to the server.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:They don't have any default values selected.

That's poor design; you should take this opportunity to fix that.

Also, the form is allowed to "true/false" values only to the server.

I don't know what you mean by that.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
If the user selects yes, the form will send true. If no is selected, a value of false is sent to the server.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
That's easy to accomplish via the value attributes on the radio buttons.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
But, to go back to an earlier question: yes, you must validate on the server. You can never trust anything that happens on the client.
 
Dave Tolls
Ranch Hand
Posts: 2658
29
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:But, to go back to an earlier question: yes, you must validate on the server. You can never trust anything that happens on the client.


However, going by the requirements, you should possibly also validate on the client.
There are frameworks that handle all this for you, but you may not be using any of them.

As asked before, though...what do the other fields do for their validation?

If it were me, I would follow what they do and raise any problems I had, for example if there is no server based validation.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you. I am curious to know what kind of server validation needs to be done for boolean fields? In fact, the reason for my original question was to know this. How would I validate it? Supposing it's a required field, is there a risk that someone could manipulate the HTML or javascript to pass in an empty value?

As for the other validations, I don't think they've done it right. They've made the other fields Boolean, and are checking for null values. It doesn't feel right to me.
 
Dave Tolls
Ranch Hand
Posts: 2658
29
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:Thank you. I am curious to know what kind of server validation needs to be done for boolean fields? In fact, the reason for my original question was to know this. How would I validate it? Supposing it's a required field, is there a risk that someone could manipulate the HTML or javascript to pass in an empty value?

As for the other validations, I don't think they've done it right. They've made the other fields Boolean, and are checking for null values. It doesn't feel right to me.


If it's a required field, then presumably something somewhere won't work properly if it's null.
So a null check validation makes sense.

You also don't want to use a primitive as if it isn't supplied then you will get an exception thrown over which you have little control.
A proper validation framework will allow you to control the response to the client.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you, Dave. So you're saying using the wrapper class and checking for null is the right approach?


When you said it needs to be validated on the server side, is this what you always had in mind?
 
Dave Tolls
Ranch Hand
Posts: 2658
29
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:Thank you, Dave. So you're saying using the wrapper class and checking for null is the right approach?


Well, I would be using a framework that does the validation for me based on annotations.
Spring has one, for example.

Prasanna Raman wrote:
When you said it needs to be validated on the server side, is this what you always had in mind?


Well, that was Bear, but I agree with him. Your server is exposed to the outside world, so it needs to ensure the data it receives is valid. It can't rely on the client doing the validation.

The client might well also do some validation, in order to avoid making unecessary calls, for example, but that should not be taken as an excuse not to do it on the server.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you, Dave. What should I in my case where we're not using any framework?

Is using the wrapper class the only way?

What's the risk if I used a primitive? And how do I validate using a primitive?
I'd also like to clarify that the radio button is actually a required field on the penultimate page of the whole application. So the client code would prevent the user from even moving forward to the submit page.
 
Dave Tolls
Ranch Hand
Posts: 2658
29
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
So the client already checks and you are just writing the server side validation?

If you are doing this by hand (eg request.getParameter("your_radio_button") then you can use either a wrapper or primitive.
Just check whether the value returned by getParameter is null or not.

I'm having trouble seeing what problem you are having with this?

Obviously, not seeing any of your code, or the code you have to incorporate your stuff into, it's hard to say what's correct for that environment.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you. Sorry for not being very clear about this. I'm new here myself and I'm still trying to understand the existing structure. I'll try and provide more details later today.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Is there an advantage to using primitive vs wrapper? The way they've done it for the other fields is:



I don't think I quite understand why I need to check for null if I use a primitive? Is there a possibility that someone could manipulate the html/javascript to pass null? I am trying to understand if this a possibility.

Also, if the above is possible, when the field is accessed, is the default not set to false in any case if the user doesn't select an option?

Thank you again for all your help so far! Wish I didn't have so many questions :(

Thanks,
Prasanna
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:
I don't think I quite understand why I need to check for null if I use a primitive?

Obviously a primitive cannot be null, but all data passed to the servlet is text -- that's the way HTTP works. What it gets converted to from the text is up to you.

Is there a possibility that someone could manipulate the html/javascript to pass null? I am trying to understand if this a possibility.

Absolutely and easily.

Also, if the above is possible, when the field is accessed, is the default not set to false in any case if the user doesn't select an option?

No, if the parameter is missing then a null is obtained. Remember, it's text, not a Boolean.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thank you, Bear! I don't understand this statement:

"No, if the parameter is missing then a null is obtained. Remember, it's text, not a Boolean."

They are using Spring Web flow here, and it passes the user information to the model. So, if nothing is passed from the front end for just this field and if it was declared as primitive boolean in the back end, what would happen in this case? I'd love to try this out myself, but I don't have the necessary set up here :(

 
Winston Gutkowski
Bartender
Posts: 10573
65
Eclipse IDE Hibernate Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:If the user selects yes, the form will send true. If no is selected, a value of false is sent to the server.

I'm no expert on this, but the mere idea of using a radio button to effect a boolean (or Boolean) value strikes me as an odd way to do things...

Winston
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Winston, what should be used ideally then?
 
Winston Gutkowski
Bartender
Posts: 10573
65
Eclipse IDE Hibernate Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:Winston, what should be used ideally then?

Well I'd use a checkbox - but as I say, I'm no expert on the world of webpages.

Winston
 
Paul Clapham
Sheriff
Posts: 22215
38
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Winston Gutkowski wrote:I'm no expert on this, but the mere idea of using a radio button to effect a boolean (or Boolean) value strikes me as an odd way to do things...


You may have seen those online questionnaires which start out by asking if you're male or female. They are all implemented by a pair of radio buttons and not by a checkbox which says "Check here if you are female". Now probably the value isn't treated as true/false in the software at the back end in this case, but on the other hand we don't know what kind of data pairs are involved in Prasanna's system.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:They are using Spring Web flow here, and it passes the user information to the model. So, if nothing is passed from the front end for just this field and if it was declared as primitive boolean in the back end, what would happen in this case?

I do not know; you'd need to consult the documentation or try it yourself for what happens when the parameter is not sent as part of the request. But in the HTTP request it will be sent as either text, or not sent at all. What the framework does with it is up to the framework.

But, and I'll just say this one more time then shut up, setting up the user to enter an invalid form by not supplying a default (setting one of the radio buttons as checked) is bad UX and whoever is doing your design needs to reconsider it.

With regards to a checkbox versus radio group, checkboxes confuse some users and it's not unusual to use a set of Yes/No radio buttons instead of a checkbox for clarity. Espcially if the label indicates a question that can be answered Yes or No versus an Enabled/Disable scenario.
 
Paul Clapham
Sheriff
Posts: 22215
38
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:But, and I'll just say this one more time then shut up, setting up the user to enter an invalid form by not supplying a default (setting one of the radio buttons as checked) is bad UX and whoever is doing your design needs to reconsider it.


From one point of view that's true. But in the example I just mentioned, the questionnaire with "Male/Female" radio buttons, there isn't a reasonable default. It would absolutely be wrong for the designers to choose (say) Female for the default. In this case you want the user to positively choose one of the options and not just accept a default.
 
Winston Gutkowski
Bartender
Posts: 10573
65
Eclipse IDE Hibernate Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Paul Clapham wrote:You may have seen those online questionnaires which start out by asking if you're male or female. They are all implemented by a pair of radio buttons and not by a checkbox which says "Check here if you are female".

Yeah, that makes sense. Guess it's why I'm not an expert...

Winston
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Paul, I was actually going to ask that question. Because in my case, the question is if the user is a citizen and they need to select yes or no. I don't know if choosing one or the other by default for them would work here.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Paul Clapham wrote:
Bear Bibeault wrote:But, and I'll just say this one more time then shut up, setting up the user to enter an invalid form by not supplying a default (setting one of the radio buttons as checked) is bad UX and whoever is doing your design needs to reconsider it.


From one point of view that's true. But in the example I just mentioned, the questionnaire with "Male/Female" radio buttons, there isn't a reasonable default. It would absolutely be wrong for the designers to choose (say) Female for the default. In this case you want the user to positively choose one of the options and not just accept a default.


No argument on that one; but Yes/No is generally another matter.
 
Paul Clapham
Sheriff
Posts: 22215
38
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:Paul, I was actually going to ask that question. Because in my case, the question is if the user is a citizen and they need to select yes or no. I don't know if choosing one or the other by default for them would work here.


That's definitely a place where I would consider a checkbox rather than a pair of radio buttons. But anyway the question about defaults is independent of what you choose for the GUI -- if the project designers wanted a default then they should think carefully about which option it should be. And that strongly depends on what the project is doing. Remember that if you provide a default then a significant number of people will accept the default value by accident or laziness. You've probably seen the checkboxes in many forms which say "I accept that XXX Company will spam me with a whole lot of advertising" -- you may have noticed that it often comes checked by default.

And yes, by using a checkbox you do force yourself to decide on a default whereas with a pair of radio buttons you don't.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
For that scenario I wouldn't present it as a Yes/No question, but a Citizen/Non-citizen choice.

And that's a good point about checkboxes; there's always a default.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Bear Bibeault wrote:I do not know; you'd need to consult the documentation or try it yourself for what happens when the parameter is not sent as part of the request. But in the HTTP request it will be sent as either text, or not sent at all. What the framework does with it is up to the framework


Thank you, Bear. OK, coming back to an old question, supposing Spring Web flow doesn't do anything and so the boolean variable never gets set. Doesn't it show a value of false by default when you try and access that field when there was no value set?

What exact validation would you do in this case? Would you make it Boolean and check for null? Is there a way to check if it's blank if it's a boolean primitive? Sorry, I don't know if all my questions are making sense here, I think I am a bit confused.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Prasanna Raman wrote:
Bear Bibeault wrote:I do not know; you'd need to consult the documentation or try it yourself for what happens when the parameter is not sent as part of the request. But in the HTTP request it will be sent as either text, or not sent at all. What the framework does with it is up to the framework


Thank you, Bear. OK, coming back to an old question, supposing Spring Web flow doesn't do anything and so the boolean variable never gets set. Doesn't it show a value of false by default when you try and access that field when there was no value set?

I would presume so, but I don't know for certain. You'd need to check. It certainly would make no sense for it to return true in that case.

What exact validation would you do in this case? Would you make it Boolean and check for null

This is what frameworks like Play do. Can't vouch for Spring. Again, you'll need to check what it does.

 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I think I am missing something here. I thought Spring flow just sets the fields on the model and then we write the validations ourselves. At least that's how I think it's been done for the other fields here. As an example, one of the other fields on the same form I am talking about has been declared and validated like this:

Field declaration:


Validation:


So, my questions started from here. I was wondering what would happen if I just declared this a primitive boolean and not do the null check at all.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65970
140
IntelliJ IDE Java jQuery Mac Mac OS X
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
And again, I don't know. The framework may just default it to false (but can't imagine it would default to true, that would be nuts) or throw an error. Probably the first, but you need to check.

If you use a Boolean, it could do any of the above or leave it null. You need to check.
 
Prasanna Raman
Ranch Hand
Posts: 410
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
OK, thank you. Supposing that the framework would set a boolean value false, isn't it more efficient to use a primitive and save memory and also an extra null check?

If so, I would just declare a boolean variable and not do any validation on the primitive field, correct?
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!