Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I have a UI with a set of fields where a field becomes mandatory based on the value inserted in another field. So I just wanted to know the best practice: does this validation need to be done on the server side as well as the UI end, or is it enough if I do the validation at the UI end but not at the server end?
There should be checks on both the client side and the server side.
The client should not be able to submit an incomplete form.
And if another frontend is ever developed, in, let's say, a webpage, the developer might forget to enforce the checks. The back-end then needs to be able to handle and reject an invalid form.
The rule with validation is: never trust input. Assuming that you are building a web application, you should at the very least validate when you first hit the server and report errors quickly, the reason being that users behave unexpectedly and client-side JavaScript is easily subverted. Client-side JavaScript should be viewed as a convenience for the user. If you expose your services on many fronts (thick client, web services, etc.) then you should also validate in your services.
I advise you to validate this at the UI when you are not using any framework. This will improve the responsiveness for your customer.
Validation on server side is also necessary if you need consistent data in your database.
Perhaps think of using a framework like JavaServer Faces.
Frontend validation is easy to implement and the user gets a fast response to his actions. You will need this.
If you want to persist data or do some logic in the backend, you should also validate it in the backend.
Java/JSF Hibernate example (backend):
import javax.validation.constraints.Size;
import org.hibernate.validator.constraints.NotBlank;
private String firstName;
// Bean Validation constraints run on the server at submit time, whatever the browser did.
@NotBlank(message = "{contact.firstName.isEmpty}")
@Size(min = 1, max = 255, message = "{contact.firstName.invalid}")
public String getFirstName() {
    return firstName;
}
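As an added example (not from the thread or any of its answers): the question's rule, "field B becomes mandatory when field A has a certain value", kept in one rule table that the browser can run for quick feedback and the server runs again on whatever actually arrives. It is Node.js (CommonJS); the field names, the rules and the allow-list of known fields are assumptions for illustration.

```javascript
'use strict';
// Added example: conditional "required" rules as data, shared by both tiers.
// Field names, rules and the allow-list below are assumptions, not from the question.

// Each rule: `when` is a predicate over the whole form, `required` lists the fields
// that must then be non-empty. Because rules are data, client and server cannot drift.
const RULES = [
  { when: f => f.contactMethod === 'phone', required: ['phoneNumber'] },
  { when: f => f.contactMethod === 'email', required: ['email'] },
  { when: f => f.country === 'US', required: ['state', 'zip'] },
];

const ALWAYS_REQUIRED = ['fullName', 'contactMethod'];

function isBlank(v) {
  return v === undefined || v === null || String(v).trim() === '';
}

// Returns a list of error messages; an empty list means the form is valid.
// The browser calls this on change events; the server calls it on the parsed body.
function validateForm(form) {
  const errors = [];
  for (const name of ALWAYS_REQUIRED) {
    if (isBlank(form[name])) errors.push(`${name} is required`);
  }
  for (const rule of RULES) {
    if (!rule.when(form)) continue;
    for (const name of rule.required) {
      if (isBlank(form[name])) errors.push(`${name} is required`);
    }
  }
  return errors;
}

// Server side: the same rules run on whatever arrived, with no trust in the client.
// Unknown fields are dropped so a forged request cannot smuggle extra properties through.
const KNOWN_FIELDS = ['fullName', 'contactMethod', 'phoneNumber', 'email', 'country', 'state', 'zip'];

function handleSubmission(body) {
  const form = {};
  for (const name of KNOWN_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, name)) form[name] = body[name];
  }
  const errors = validateForm(form);
  if (errors.length > 0) return { status: 400, errors };
  return { status: 200, record: form };
}

// A body that a correct browser form could never have produced: contactMethod says
// "phone" but phoneNumber was left out (the JS check was skipped or edited away).
console.log(handleSubmission({ fullName: 'Ada', contactMethod: 'phone' }));
```

The browser bundle can import the same `RULES` and `validateForm`; the server keeps the allow-list and the final decision.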
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I have a concern about the security of JavaScript. It seems that one can edit the JavaScript code in the browser to alter form validations so that they can submit something bad. I know that back-end validation is also necessary and important, but is there a way to prevent such modification of JS code at the front end? Because otherwise it seems like the effort spent implementing front-end validation with JavaScript can easily be wasted.
JavaScript form validation is not meant to be your application's form of security. Its purpose is a cleaner user experience that gracefully notifies the user of errors/progress/requirements of the form itself.
NEVER rely on client-side code as a point of security in your applications because, by nature, you're giving that code to everyone.
Also, don't think of it as a waste of effort. The more polite your app is in notifying and guiding what the user must do to properly fill out your forms, the better.
True security for your application must happen on the server side (PHP, Ruby, Nodejs, etc.).
JavaScript validation is used to validate the fields on the client side to make validation faster, instead of sending the request to the server and waiting for the response. Your server-side security should not depend on the security of the JavaScript; you should validate all data submitted to the server in the back end.
You can compress the JavaScript file to get a minified file, which makes it a little bit harder, but does not prevent the attack.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I have a simple reservation form with a JQ datepicker and I set the start date on the calendar based on JavaScript new Date().
Now, without making things any more complicated and running some kind of Ajax request to grab the correct date from the server, because obviously JS will return whatever time is set on the user's device.
The app itself will validate the date on submit so the question is:
How many users have computers and devices running a wrong date/time?
Is it a good practice to disable the past days?
Should I rather allow the user to pick whatever date and validate with some kind of JS validation function or on form submit?
How many users have computers and devices running a wrong date/time?
Probably lots.
Is it a good practice to disable the past days?
There's nothing wrong with that at all.
Should I rather allow the user to pick whatever date and validate with some kind of JS validation function or on form submit?
This is the major point. You can use all the JS validation you want, but consider it only a courtesy to the user. All business critical validation should be done on the server - even if you validated the input on the client-side too. This is to ensure that data integrity is upheld even if a malicious user attempts to make requests to your server without using your front end website.
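An added example for the "validate on the server" point above (not code from the thread): the server decides whether a reservation date is in the past using its own clock, so a device with a wrong clock, or a user who re-enabled the datepicker's disabled days, cannot book a past date. Node.js; the `YYYY-MM-DD` wire format, the 365-day booking window and the use of UTC calendar days are assumptions for illustration.

```javascript
'use strict';
// Added example: server-side reservation date check that ignores the client's clock.
// The ISO format, the 365-day window and UTC-day comparison are assumptions.

const ISO_DATE = /^(\d{4})-(\d{2})-(\d{2})$/;

// Parse "YYYY-MM-DD" strictly and reject impossible dates such as 2024-02-30.
// Returns a Date at UTC midnight, or null when the input is not a real calendar date.
function parseIsoDate(s) {
  const m = ISO_DATE.exec(String(s));
  if (!m) return null;
  const y = Number(m[1]);
  const mo = Number(m[2]);
  const d = Number(m[3]);
  const date = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC silently rolls 2024-02-30 over to 2024-03-01; compare back to catch that.
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo - 1 || date.getUTCDate() !== d) {
    return null;
  }
  return date;
}

// Truncate a timestamp to its UTC calendar day so "today" compares by date, not by time.
function startOfUtcDay(t) {
  return new Date(Date.UTC(t.getUTCFullYear(), t.getUTCMonth(), t.getUTCDate()));
}

const MAX_DAYS_AHEAD = 365;
const MS_PER_DAY = 86400000;

// `now` defaults to the server's clock; it is a parameter only so the rule is testable.
// Nothing here looks at what the datepicker allowed or at the user's device time.
function checkReservationDate(input, now = new Date()) {
  const date = parseIsoDate(input);
  if (!date) return { ok: false, reason: 'invalid date' };
  const today = startOfUtcDay(now);
  const daysAhead = (date.getTime() - today.getTime()) / MS_PER_DAY;
  if (daysAhead < 0) return { ok: false, reason: 'date is in the past' };
  if (daysAhead > MAX_DAYS_AHEAD) return { ok: false, reason: 'date too far ahead' };
  return { ok: true, date };
}

// Submitted by a client whose clock is a week behind (or whose JS was edited).
console.log(checkReservationDate('2000-01-01'));
```

In production, "today" should be computed in the business's own time zone rather than UTC; the shape of the check stays the same, only `startOfUtcDay` changes.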
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I have to build a website which involves e-commerce stuff: it should allow users to log in and then view the available items. Once the user selects the items and makes payment, it may need additional information in the form of some images/videos to complete the order. So, after the payment step, it prompts the user to upload the file, and when the file is uploaded to the server, the request is complete and the user is kept informed about the status.
All the core functionality is already implemented using RESTful web services. I am not able to decide if I should implement the website using HTML+JS (using AJAX to call the web services) or should still use JSP and call the web services using Java on the server side. Someone suggested to me that using JSP is better since it will execute on the server side and hence will be secure and faster. But I somehow feel that HTML+JS is easier to go with. Is there some specific advantage to using a server-side script like JSP for this purpose? Any ideas are most welcome.
Yes, server-side scripting will be fruitful for this purpose because of security constraints. Or you can use AngularJS, as it is easy to learn, secure, and can make fast XHR requests/responses. :)
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
I made a database that holds information about clinical trials and so far I have been accessing and writing to it using PHP. I was wondering if there was a way to read/write to a SQL Server database using JavaScript or jQuery? The UI I am developing will be for adding clinical trial data to the database. Only the DB admins will have access to this UI, so security should not be a "huge" problem.
You need a middle tier like PHP, Rails, Java... to do the database write. You can't do this from the browser with JavaScript. But there is Node.js, which allows you to write JavaScript on the server.
In short, no. Even if there was, you should never leave data validation to the client. Just because your DB Admins are trustworthy, doesn't mean those who break into your network will be. DROP TABLE ClinicalTrialData; would be a bad thing. Use PHP/backend of choice to do the donkeywork and use AJA[X|J] if you want a slick UI experience.
Only via server-side JavaScript, such as using Node.js as your server. Never put your database credentials on the front end unless you want people to directly access your database.
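An added example for the answers above (not code from the thread): the middle tier that a browser page talks to instead of SQL Server. It keeps the credentials, checks the caller's server-side session, validates the record, and hands the database a parameterized statement; the concatenated form next to it shows how the `DROP TABLE ClinicalTrialData;` input from the answer becomes SQL. Node.js; the table and column names, the session shape, the `@name` placeholder style (what SQL Server drivers use) and the field rules are assumptions for illustration.

```javascript
'use strict';
// Added example: a middle tier between the admin UI and SQL Server.
// Table/column names, the session shape and the field rules are assumptions.

// What the answer warns about: string concatenation turns data into SQL text.
function buildInsertUnsafe(trial) {
  return "INSERT INTO ClinicalTrialData (trial_id, title, phase) VALUES ('" +
    trial.trialId + "', '" + trial.title + "', " + trial.phase + ')';
}

// Parameterized form: the SQL text is constant and the values travel separately,
// so the database never parses them as SQL. Drivers take exactly this text/values shape.
function buildInsertSafe(trial) {
  return {
    text: 'INSERT INTO ClinicalTrialData (trial_id, title, phase) VALUES (@trialId, @title, @phase)',
    values: { trialId: trial.trialId, title: trial.title, phase: trial.phase },
  };
}

// Assumed key format: "NCT" followed by eight digits.
const TRIAL_ID = /^NCT\d{8}$/;

// Server-side validation of the record, independent of whatever the UI checked.
function validateTrial(body) {
  const errors = [];
  const trialId = String(body.trialId ?? '');
  if (!TRIAL_ID.test(trialId)) errors.push('trialId must look like NCT12345678');
  const title = String(body.title ?? '').trim();
  if (title.length === 0 || title.length > 255) errors.push('title must be 1-255 characters');
  const phase = Number(body.phase);
  if (!Number.isInteger(phase) || phase < 1 || phase > 4) errors.push('phase must be 1-4');
  return { errors, trial: { trialId, title, phase } };
}

// Middle-tier endpoint. Authorization comes from the server-side session, never from
// a flag in the request body, because anyone on the network can send any body.
function handleAddTrial(session, body) {
  if (!session || !Array.isArray(session.roles) || !session.roles.includes('db-admin')) {
    return { status: 403 };
  }
  const { errors, trial } = validateTrial(body && typeof body === 'object' ? body : {});
  if (errors.length > 0) return { status: 400, errors };
  // In a real service the statement goes to the driver here, using credentials that
  // live only on this server; the browser never sees a connection string.
  return { status: 201, statement: buildInsertSafe(trial) };
}

// The payload from the answer, as the value of one form field.
const hostile = { trialId: "x'); DROP TABLE ClinicalTrialData; --", title: 't', phase: 1 };
console.log(buildInsertUnsafe(hostile)); // two statements, one of them DROP TABLE
console.log(buildInsertSafe(hostile));   // one statement; the payload is just a string value
```

Even with parameterization, the `trialId` rule rejects the payload up front, so the hostile value never reaches the database at all; parameterization is the defence for the cases the validator did not anticipate.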
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I am testing a simple registration form (username, password, email, etc.), where input validation is done on the client side every time the user types/deletes a character (not allowing some characters, checking length, etc.).
I recently saw something about doing the email validation on the server side, not only the client side, because it is insecure since JavaScript can easily be deactivated on the client side.
Is that really a threat when using JavaScript only for validating the inputs before sending them with a submit? Or am I worrying for nothing?
Attackers can send any HTTP request they want, without running any JavaScript code.
Yes, it's a threat. Yes, you need to worry about it.