I am aware that I can Google "HTML Form Validation" and would get a billion tutorials. I am well aware that I can use simple JavaScript to validate form input, but I have been told that this is not necessarily an efficient method. I have also heard that it is a best practice to validate both client and server-side code. OK! Well, what exactly does this mean besides writing code on both? Does it mean I do some with JavaScript and other with Servlets, or does it mean that I write identical validation methods on both?

My real question is: can anybody give me insight and direction as to how to go about validating my HTML forms? I am using JSPs and Servlets and I have tons of form validation to do.

I have already done minor form validation with regex in Java, but want to figure out if I'm heading in the right direction before I write any more code.

Only productive answers please. If I wanted negative feedback on how inexperienced I was, I would have gone to Reddit.

Thanks!

+5  A: 
  • Serverside validation is needed because you cannot rely on clientside validation. Users can disable, bypass or change it.
  • Clientside validation is handy because it already takes some load off the server and it alerts the user to common mistakes before he has to wait for the server to reply.

Serverside without clientside is ok, clientside without serverside is a no-no.

How you validate on the serverside is really up to you. There are existing libraries out there that help you, but regexes are fine too. Do read up about why you need to validate, so you don't forget to check against possible attacks.

Same thing goes for clientside validation. The jQuery Validate module is quite nice, but you can write your own, no problem.

Konerak
A: 

Client-side validation is courteous to and convenient for the end user.

Server-side validation is an absolute necessity.

As you said, there are countless resources on how each one is best accomplished. One simple strategy is to screen for validity at the client-side and correctness at the server--that is, use JavaScript to ensure that the inputs are of the correct type and form (e.g. "looks like a date") and server-side logic to additionally guarantee that the valid input makes sense (e.g. "is in a sensible range for this user"). This could save you some AJAX. It depends on the application, the users, and the resources you want to spend on it. If you don't mind the extra JavaScript and HTTP requests, you could duplicate all of the server-side checking at the client-side, but then you'd have two separate programs written in different languages to maintain and keep synchronized.

Thom Smith
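
The split both answers describe, as an added example that is not code from either answer: a server-side validator that repeats the "looks like a date" form check (the client-side check can be bypassed) and then applies the "sensible range" correctness check. The class name, the field names `username` and `birthDate`, the allow-list pattern and the 120-year limit are assumptions made for illustration; in a servlet the map values would come from `request.getParameter(...)`.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical server-side validator for a signup form; field names are assumptions. */
public class SignupValidator {
    // Allow-list pattern: 3-20 letters, digits or underscores, nothing else.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{3,20}");
    // STRICT rejects impossible dates such as 2023-02-30 instead of adjusting them.
    private static final DateTimeFormatter ISO_DATE =
            DateTimeFormatter.ofPattern("uuuu-MM-dd").withResolverStyle(ResolverStyle.STRICT);

    /** Returns field -> error message; an empty map means the input is accepted. */
    public static Map<String, String> validate(Map<String, String> params, LocalDate today) {
        Map<String, String> errors = new LinkedHashMap<>();

        // Form check, repeated on the server because the client check can be bypassed.
        String username = params.get("username");
        if (username == null || !USERNAME.matcher(username).matches()) {
            errors.put("username", "3-20 letters, digits or underscores");
        }

        String raw = params.get("birthDate");
        try {
            LocalDate birthDate = LocalDate.parse(raw == null ? "" : raw.trim(), ISO_DATE);
            // Correctness check: a well-formed date must also make sense.
            if (birthDate.isAfter(today) || birthDate.isBefore(today.minusYears(120))) {
                errors.put("birthDate", "date is outside the plausible range");
            }
        } catch (DateTimeParseException e) {
            errors.put("birthDate", "expected a date as YYYY-MM-DD");
        }
        return errors;
    }

    public static void main(String[] args) {
        LocalDate today = LocalDate.of(2024, 1, 15); // fixed so the output is repeatable
        // Constructed inputs: in a servlet these come from request.getParameter(...).
        System.out.println(validate(Map.of("username", "alice_01", "birthDate", "1990-05-17"), today));
        System.out.println(validate(Map.of("username", "<script>", "birthDate", "2023-02-30"), today));
        System.out.println(validate(Map.of("username", "bob", "birthDate", "2090-01-01"), today));
    }
}
```

A servlet's `doPost` would call `validate` before touching any business logic and re-render the form with the returned messages when the map is not empty.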