views: 1508

answers: 18

Should you do validation on the server side, or is it ok to just do the validation on the client side?

@TheTXI

I am happy you're amazed. I just did not want to leave anything out that could potentially change someone's answer and give me false information.

It seems a lot of people touched on what I was going after, but the part about the Ajax should have been kept in my question, as this was the most important part.

However, reading the posts I now see that a bad person could just easily load up Firebug and change my button to a submit button and do a post. Or some other way.

+6  A: 

In short, yes. You can never depend on what a browser sends you being legitimate.

Kevin
+69  A: 

Browser/client-side validation is a convenience. You cannot rely on it. You absolutely need to duplicate any client-level validation with server-side validation.

cletus
Yes, yes, 1000 times yes.
mgroves
I see now how easily someone can just change, say, my non-submit button to type submit and do a post. However, with stuff like xVal this will reduce duplicate code.
chobo2
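The point cletus makes, as an added example that is not code from the question or any answer: a server-side handler that re-runs every rule the browser script is assumed to enforce on an Ajax POST body, and ignores any "already validated" flag the client sends. Field names, rules and the handler shape are assumptions.

```javascript
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Rules the client-side script is assumed to enforce too; the server
// re-checks every one of them on the raw body it actually received.
function validateSignup(body) {
  const errors = [];
  if (typeof body !== 'object' || body === null) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const { username, email, age } = body;
  if (typeof username !== 'string' || !/^[a-z0-9_]{3,20}$/i.test(username)) {
    errors.push('username: 3-20 letters, digits or underscore');
  }
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push('email: not a valid address');
  }
  // Ajax clients often send numbers as strings: accept only plain digits,
  // convert explicitly, then range-check the result.
  const ageNum = typeof age === 'string' && /^\d{1,3}$/.test(age) ? Number(age) : age;
  if (!Number.isInteger(ageNum) || ageNum < 13 || ageNum > 120) {
    errors.push('age: integer between 13 and 120');
  }
  // Anything like body.clientValidated is never consulted: the sender sets it.
  return { ok: errors.length === 0, errors, age: ageNum };
}

// Handler shape (assumed): takes the parsed body, returns status and payload.
// Only the re-validated fields go on; unknown keys are dropped, not forwarded.
function handleSignup(body) {
  const result = validateSignup(body);
  if (!result.ok) return { status: 400, payload: { errors: result.errors } };
  return {
    status: 201,
    payload: { username: body.username, email: body.email, age: result.age },
  };
}

// Constructed sample input: a legitimate Ajax submission, and a POST that
// bypassed the browser-side script (same endpoint, hand-built body).
const legit = { username: 'alice_1', email: 'alice@example.com', age: '34' };
const forged = { username: 'x', email: 'nope', age: -5, clientValidated: true };

console.log(handleSignup(legit).status, handleSignup(forged).status); // 201 400
```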
+3  A: 

Client side validation can potentially be circumvented - and if you don't have server-side validations, you will end up processing or saving invalid or bad data.

The above could be because of browser issues, like some browser version that you don't support. Or worse, it could be due to a malicious user.

Hence it's essential to have server-side validations.

blispr
Not just users or software: it's too easy to forge the client agent name and send any data you want to the server, even though your application would normally escape/filter/... it. So yes, server-side validation is required; client-side is just candy ;)
usoban
+8  A: 

Yes, you should always do server-side validation. Javascript/AJAX is nice to give the user instant feedback, but it isn't giving you any protection whatsoever on the server side.

You just can't trust user input. Javascript validation is too easy to circumvent. Thus, you need to check the input on the server side.

ylebre
no, you should not, you MUST!
tharkun
+2  A: 

In addition to the issue of a user with Javascript turned off, server-side validation is necessary for security. In addition to checking things like required fields, you also want to check the user-supplied data to prevent SQL injection attacks, cross-site scripting, etc. You have to do this on the server side, because a user can always bypass the Javascript and send you any data they want.

JacobM
+29  A: 

Well, fine, all YOUR code is correct. What happens when a hacker replaces your javascript with one of their liking, or just plain submits POSTs and GETs as if it were your code?

Validating at the client is a usability issue.

Validating at the point of USAGE is a security issue.

That last point is important, because if you do not validate at the point of usage, you are making your code highly coupled. If you change a module, it breaks things elsewhere because you validated at the wrong point.

For instance, you validate data against SQL injection before storing in a SQL database -- the library will do that for you if you choose a good one. You validate data against CSS when you display it as HTML. But if you expose the data as XML, RSS or JSON, then the validation is different -- if you validated it just at input, you wouldn't prevent exploits for the other formats, AND your input routine would be tied to the output formats you choose.

Daniel
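Daniel's point about validating at the point of usage, as an added example that is not part of his answer: one stored string rendered into an HTML context and into a JSON context, with the encoding chosen where the value is used rather than at input. The comment fields and helper names are assumptions.

```javascript
// HTML context: escape the five significant characters at the moment the
// value is placed into markup (element text and quoted attribute values).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderComment(comment) {
  return `<li data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.text)}</li>`;
}

// JSON context: JSON.stringify applies the escaping this format needs.
// Running escapeHtml here (or once at input) would ship "&amp;" and "&lt;"
// to API consumers that never render HTML, corrupting the data.
function toJson(comment) {
  return JSON.stringify({ author: comment.author, text: comment.text });
}

// Constructed sample: the value is stored exactly as submitted; each output
// path encodes it for its own format.
const stored = { author: 'Tom & Jerry', text: '<b>bold</b> "quoted"' };

console.log(renderComment(stored));
console.log(toJson(stored));
```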
+1  A: 

I think you should do client-side AND server-side validation to be safe. You could have plenty of validation on the client, but if someone circumvents that validation then you open yourself up to big problems. Whereas having validation on the server side too protects you against that.

AdaTheDev
+1  A: 

If you don't validate on the server, someone will overwrite your client-side validation using Firebug, or just go completely around it with another Firefox extension called Poster. Good luck cleaning your database!

Client-side validation is only done so that the user knows that they messed up immediately. It is not intended to secure anything.

geowa4
+3  A: 

Actually, server-side validation is a must, client-side is nice but optional. That's because you have absolutely no control over what's happening on the client side.

Worst case is that a custom browser is built which renders your client-side validation impotent. This is really no different to using URLs to pass sensitive information - it's quite easy for someone to suborn the URL to do what they wish (such as changing pricing information on an order or bypassing security by changing user IDs).

paxdiablo
+2  A: 

Yes, you still need to do validation server side. An AJAX post is still just a POST. Someone could easily enough write a page that does a POST with bad data, or even easier, use a tool like the Tamper Data plugin in Firefox to change the data after your Javascript has validated it.

Eric Petroelje
+3  A: 

It is absolutely essential to have server-side validation, as a user could turn off JavaScript or simply submit any data they wanted to your server-side handler, since they don't have to use your JS-enhanced form to submit the data.

I've always thought of client-side/JavaScript validation as a UI enhancement, with the server-side validation as the "actual" validation. Having the JS validation is nice for immediate notification of improper data to help your users.

Peter
+1  A: 

Yes, anything could happen with the client side and you should not trust it as a primary form of validation. You do not want bad data getting to a database or potential security issues that could arise from unchecked conditions. It can depend on the type of functionality, but you should validate on both sides.

Troggy
+1  A: 

For additional spirited debate on what's basically the same subject, see Security in Flex – is it possible to manipulate downloaded code and execute web service.

John Saunders
+1  A: 

Definitely do both. Client side validation is good for simple type validation (for example, does this match a properly formatted email address) but since you cannot ensure that your data is coming from your pages (form spoofing is a common hack) you should always duplicate the validation on the server side.

Furthermore, server side validation allows you to do a more thorough business logic check of the data before committing it to your database.

Rich Dominelli
+1  A: 

While this strategy will work for good and legitimate users, it will not protect your site from a non-browser request using some hacker tool, or a series of automated bot requests sending the HTTP POST command with a full load of crap, which in the best case just pollutes your system and in the worst damages your data consistency, and that will cause error messages on multiple pages.

User
+5  A: 

I always view it as:

  • Client validation is for usability.
  • Server validation is for security.

Tim Jarvis
A: 

Client side validation is against the concept of the "world wide web", because the reason for which we made HTML text based is that each device must be able to process the response, however small the device is. Now client side validation demands processing power of the device used, which is not what "www" expects from a device consuming HTML. Client side validations are particularly important for saving bandwidth; as internet speeds are increasing day by day, there will be a time when we no longer require client side validations.

Xinus