Which is best — client-side validation or server-side validation?
-
This needs to be left open, so the clear answer that server side validation is not optional. This is worth repeating as many times as it takes to get the message through.Richard– Richard2010-09-02 11:34:23 +00:00Commented Sep 2, 2010 at 11:34
-
1possible duplicate of Should you do validation on the server side?Joel Etherton– Joel Etherton2010-09-02 11:35:31 +00:00Commented Sep 2, 2010 at 11:35
-
Though it may be argumentative, i am in need of proper answer. So that i can use in my application. Please vote to reopenBala– Bala2010-09-02 11:40:48 +00:00Commented Sep 2, 2010 at 11:40
-
@bzlm, @Alex Reitbort, @serg10, @Arcturus, @Joel Etherton: There is nothing subjective or argumentative about this question. It is a matter of security and usability. Please vote to reopen.Klaus Byskov Pedersen– Klaus Byskov Pedersen2010-09-02 11:49:15 +00:00Commented Sep 2, 2010 at 11:49
-
Wow, closed and reopened within 42 minutes!Timwi– Timwi2010-09-02 12:13:07 +00:00Commented Sep 2, 2010 at 12:13
Add a comment
|
5 Answers
Server side validation is a must since client side validation can be tampered. However, client side validation usually provides a better user experience, since it requires less post backs. So I would recommend using both.
answered Sep 2, 2010 at 11:33
Klaus Byskov Pedersen
122k31 gold badges192 silver badges223 bronze badges
Comments
You MUST do server side validation. Otherwise anyone can send anything they like (consider browser with JavaScript disabled, or a custom fake browser).
Client site validation can be used to provide a better user experience, but you should operate correctly if it is not available.
Comments
For security:
Server side validation.
A savvy client can remove the validation.
For best GUI experience:
Client side validation.
Comments
For the validation purpose in ASP.NET both are good, but it depends on the application. For the security purpose the server side validation is best, but it increases the overhead on the server, so we generally avoid to use the server side validation whenever it is not necessary.
The client-side validation is generally best for checking the input type parameter and its check on the client side means at your browser, so it does not puts a load on the server and less time taken and insecure.
In my point of view client-side validation is best.
Comments
I suggest server-side validation with AJAX only.
As others have pointed out, server-side validation is a must since client-side validation can be tampered with.
I've worked on projects where we've used client-side in addition to server-side validation believing this would be easier on the server and provide a better user experience. While it worked just fine, it came at the expense of violating the DRY (Don't Repeat Yourself) principle and risking inconsistent server/client side validation implementations (note: I gave up on the built in ASP.NET validators a long time ago).
Since then, I've found that in practice you can achieve very nearly just as good a user experience by performing all POSTS using Ajax: if validation on server succeeds, proceed with main purpose of the POST (saving data or something), and return a success JSON response and call a success callback to navigate to another page or something. If the validation fails, return a JSON response containing the failed fields and messages and call a failure callback to display them.
Assuming you take care to slim down your POSTs (a deliberate practice in ASP.NET I know), this strategy will be kind enough to your server in general.
Comments
