What is everyone's favorite way to sanitize user data?

I've been using JavaScript, but have recently required something more secure (people can turn it off, after all), so I was looking at Flex, but thought I'd ask the community what they thought.

A: 

It's recommended to use both server- and client-side validation. I use jQuery for client-side validation.

Paco
+4  A: 

NEVER NEVER NEVER use JavaScript or any other client-side technology as the only validation. You can use client-side validation to save some load on your server or make your app seem more responsive by showing the error sooner when validation fails, but you should always validate using server-side code.

Personally, I like the ASP.NET validation controls because they give you the benefit of client-side validation with the security of server-side, without having to write your logic twice. Of course, the stock controls are pretty bare, but you can extend them.

Joel Coehoorn
+1  A: 

Depending on the requirements of your project you may or may not want to implement client-side validation. However, server-side validation should ALWAYS be implemented. I prefer to white-list appropriate inputs and values as opposed to black-listing invalid data because this ensures that no one will ever slip something by that I failed to consider.

Noah Goodrich
+3  A: 

Validation should ALWAYS be done server-side. Doing it client-side, in addition, is fine.

How you do it depends on what your app is written in. Any language should be able to handle validation; the logic used is what matters, not the language.

It also depends on what you're doing with the data you're given. Putting it in a URL or storing it in a SQL database requires two very different kinds of sanitization. If at all possible, white-list valid values; don't black-list invalid values. Someone will always be able to come up with a new malicious input you hadn't considered.

Lucas Oman
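The two layers described in this answer, whitelist validation first and then a sink-specific encoding, as an added example for this thread (not code from any answer on the page). It assumes PHP 7.4 or later with the PDO SQLite driver; the in-memory database, the table and the sample values are all constructed here.

```php
<?php
// Added example for this thread, not code from any answer on the page.
// Assumes PHP 7.4+ with the PDO SQLite driver; the in-memory database,
// the table and the sample values are all constructed here.

declare(strict_types=1);

// Layer 1: whitelist validation. Only characters the field is allowed to
// contain get through; anything else is rejected rather than "cleaned".
function validate_display_name(string $raw): string
{
    // \A and \z anchor the whole string; '$' alone would still match a
    // value that ends in a newline.
    if (preg_match('/\A[A-Za-z0-9 \'&.-]{1,40}\z/', $raw) !== 1) {
        throw new InvalidArgumentException('invalid display name');
    }
    return $raw;
}

// Layer 2: encoding for the sink. The same validated value needs a
// different transformation for each place it is written to.

// URL query parameter: percent-encode so the value cannot end the
// parameter or introduce new ones.
function for_url_query(string $value): string
{
    return 'https://example.test/profile?name=' . rawurlencode($value);
}

// HTML body: entity-encode <, >, &, " and ' so the value cannot open a tag
// or break out of an attribute.
function for_html(string $value): string
{
    return '<b>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8') . '</b>';
}

// SQL: bind the value as a parameter. It never becomes part of the
// statement text, so no quoting or escaping of the value is needed or wanted.
function store_display_name(PDO $db, string $value): int
{
    $stmt = $db->prepare('INSERT INTO users (display_name) VALUES (:name)');
    $stmt->execute([':name' => $value]);
    return (int) $db->lastInsertId();
}

function load_display_name(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT display_name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['display_name'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL)');

// Constructed sample input: a legitimate name whose apostrophe, space and
// ampersand each matter in at least one of the three contexts.
$name = validate_display_name("O'Brien & Sons");

echo for_url_query($name), PHP_EOL;
echo for_html($name), PHP_EOL;
$id = store_display_name($db, $name);
echo load_display_name($db, $id), PHP_EOL;   // the stored value comes back as submitted

// Constructed hostile input: stopped by the whitelist before it reaches
// any sink, so the encoders never have to cope with it.
try {
    validate_display_name("x'; DROP TABLE users; --");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of keeping the two layers separate is that the whitelist decides what the field may hold, while each sink gets exactly the encoding its grammar needs; a value such as O'Brien & Sons is valid data and still has to be percent-encoded for the URL, entity-encoded for the page and bound as a parameter for SQL.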
+1  A: 
  • always use server side validation at the very least
  • use regular expressions

PHP Example:

<?php
// Whitelist the whole value: it must match from start to end or the request stops.
if (isset($_GET['email'])
    && preg_match('/^[\w][\w\,\-\.]*\@[\w]+[\w\-\.]*$/', $_GET['email'], $matches)) {
  // Keep only what actually matched: '$' tolerates a single trailing newline,
  // which $matches[0] does not include.
  $_GET['email'] = $matches[0];
} else {
  die('invalid email address');
}
Bill
But RFC 2821 denotes that nobody other than the host server must ever validate anything in the username part, e.g. @anyhost.com is a valid SMTP address !-)
roenving
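To see what a hand-rolled email whitelist actually accepts and rejects, the following added example (not code from Bill's answer or roenving's comment) runs the answer's pattern, a variant anchored with \z instead of $, and PHP's built-in FILTER_VALIDATE_EMAIL over a handful of constructed addresses side by side. The sample addresses and the table layout are assumptions made for the comparison.

```php
<?php
// Added example, not code from the answer or the comment above. It runs the
// answer's pattern and PHP's built-in FILTER_VALIDATE_EMAIL over a few
// constructed addresses so the whitelists can be compared directly.

declare(strict_types=1);

// The pattern from the answer above, unchanged.
const HAND_ROLLED = '/^[\w][\w\,\-\.]*\@[\w]+[\w\-\.]*$/';

// The same pattern with \z in place of $: no tolerance for a trailing newline.
const HAND_ROLLED_STRICT = '/^[\w][\w\,\-\.]*\@[\w]+[\w\-\.]*\z/';

function accepted_by_pattern(string $s): bool
{
    return preg_match(HAND_ROLLED, $s) === 1;
}

function accepted_by_strict_pattern(string $s): bool
{
    return preg_match(HAND_ROLLED_STRICT, $s) === 1;
}

function accepted_by_filter_var(string $s): bool
{
    return filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs: two ordinary addresses, one with a '+' tag, one with a
// trailing newline, two with junk, and one with no local part.
$samples = [
    'bob@example.com',
    'first.last@example.co.uk',
    'user+tag@example.com',
    "bob@example.com\n",
    'bob@example.com<script>',
    'not an email',
    '@example.com',
];

printf("%-30s %-8s %-8s %s\n", 'input', 'pattern', 'strict', 'filter_var');
foreach ($samples as $s) {
    printf(
        "%-30s %-8s %-8s %s\n",
        json_encode($s),   // makes the embedded newline visible in the output
        accepted_by_pattern($s) ? 'yes' : 'no',
        accepted_by_strict_pattern($s) ? 'yes' : 'no',
        accepted_by_filter_var($s) ? 'yes' : 'no'
    );
}
```

Running it shows the two places where the answer's pattern and the built-in filter disagree: the pattern rejects user+tag@example.com, because the character class after the first character has no '+', while filter_var accepts it; and the pattern accepts bob@example.com followed by a newline, because '$' matches before a final newline, while both the \z variant and filter_var reject it. Whichever whitelist is used, the check belongs on the server.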