JavaScript ClientSide vs. ServerSide Validation

Question

Which is better to do client side or server side validation?

In our situation we are using - jQuery and MVC.
- jSon data to pass between our View and Controller.

Alot of the validation I do is validating data as users enter it. For example I use the the keypress event to prevent letters in a text box, set a max number of characters and that a number is with in a range.

I guess the better question would be, Are there any benefits to doing server side validation over client side?

---

Awesome answers everyone. The website that we have is password protected and for a small user base(<50). If they are not running javascript we will send ninjas. But if we were designing a site for everyone one I'd agree to do validation on both sides. ? No one suggested server side testing ? Brad8118 (a minute ago) [remove this comment]

Answer 1

javascript can be disabled

Answer 2

Yes, client side validation can be totally bypassed, always. You need to do both, client side to provide a better user experience, and server side to be sure that the input you get is actually validated and not just supposedly validated by the client.

Answer 3

If you are doing light validation, it is best to do it on the client. It will save the network traffic which will help your server perform better. If if it complicated validation that involves pulling data from a database or something, like passwords, then it best to do it on the server where the data can be securely checked.

Answer 4

The benefit of doing server side validation over client side validation is that client side validation can be bypassed/manipulated:

• The end user could have javascript switched off
• The data could be sent directly to your server by someone who's not even using your site, with a custom app designed to do so
• A Javascript error on your page (caused by any number of things) could result in some, but not all, of your validation running

In short - always, always validate server-side and then consider client-side validation as an added "extra" to enhance the end user experience.

Answer 5

You must always validate on the server.

Also having validation on the client is nice for users, but is utterly insecure.

Answer 6

I am just going to repeat it, because it is quite important:

Always validate on the server

and add JavaScript for user-responsiveness.

Answer 7

As others have said, you should do both. Here's why:

Client Side

You want to validate input on the client side first because you can give better feedback to the average user. For example, if they enter an invalid email address and move to the next field, you can show an error message immediately. That way the user can correct every field before they submit the form.

If you only validate on the server, they have to submit the form, get an error message, and try to hunt down the problem.

(This pain can be eased by making "sticky" forms where the server remembers what was entered in each field and fills it back in. Larry Ullman covers this concept in PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide.)

Server Side

You want to validate on the server side because you can protect against the malicious user, who will probably know how to bypass your JavaScript and submit dangerous input to the server. The server should never trust input from the user, no matter what validation you've tried to do on the client side.

Server side validation is also important for compatibility - not all users will have JavaScript enabled.