I'm developing this app which has a very basic Ajax form and I'm currently validating the form input through jQuery with its default validation plugin.

I'm wondering if I should also do server-side validation after submitting the form or just ignore and assume everything is right since the client-side validation was successful?

There are two things to keep in mind though:

1) Although the form is capable of being submitted without JavaScript, the server-side script will not handle this behavior. I mean, the data will be processed and inserted into the database but it won't return anything, so the user would see an empty page after submitting the form. And besides, this application is strong on JavaScript and won't work without it (it's a Facebook application by the way).

2) Right now the application is very simple and there are only 2 options on that form. One is a textbox and it's the only thing being validated (it's required and must be only digits). The other option is a set of radio buttons which by default will have one of them selected, so even if the user forgets about this option, something will be selected. It's basically the default value for this option (there can be no default for the textbox though).

+1  A: 

Always validate server side! Besides the security issues, which may not play a big role here, there are other things to adhere to:

  • What happens when I submit something like "q8" in the "two digits" field (bypassing the client side validation)?
  • It's not really user friendly to just set a default option, if nothing is selected by the user.

Furthermore, if there are only two fields in the form, I think, there's not that much of an effort to implement server-side validation...

Dave
When you submit "q8" the validation will fail (client-side). Server-side, it will probably be problematic when inserting that data into the database...
Nazgulled
It's always possible to circumvent client side validation...
Dave
+2  A: 

Server-side: Necessary. Always do this.

Client-side: Nice. Makes your app more responsive. Optional.

jm
Why necessary? And let's suppose something happens on the client-side, maybe the user is tampering with the app, and the server-side validation fails, what should I return to the client? I mean, the client-side validation displays inline error messages next to each field, what do I do with the server-side response?
Nazgulled
>> what do I do with the server-side response? Well, I hope you detect the server-side error and make sure NOT to write to the database. Then LOG it, so you can fix the client (if the client had a validation error). Probably you can display the server-side error at the TOP of the page for the client (maybe they can do something about it, or call you).
jm
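
A server-side check for the form described in the question, as an added example that is not part of the original thread. It repeats the client rules, writes only validated data, logs rejections, and returns errors keyed by field so the Ajax client can show them inline or at the top of the page. The field names `amount` and `choice`, the allowed radio values, the digit limit and the 422 status are assumptions.

```javascript
// Added example: field names, allowed values and limits are assumptions.
const CHOICES = new Set(["a", "b", "c"]);   // constructed radio values
const MAX_DIGITS = 9;                        // assumed upper bound for the textbox

// Re-check on the server every rule the jQuery plugin enforces in the browser.
function validateSubmission(body) {
  const errors = {};
  const input = body !== null && typeof body === "object" ? body : {};
  const amount = input.amount;
  const choice = input.choice;

  // Repeated parameters can arrive as arrays or objects, so require a string first.
  if (typeof amount !== "string" || amount === "") {
    errors.amount = "This field is required.";
  } else if (!/^[0-9]+$/.test(amount)) {
    errors.amount = "Please enter only digits.";
  } else if (amount.length > MAX_DIGITS) {
    errors.amount = "Please enter at most " + MAX_DIGITS + " digits.";
  }

  // The browser preselects a radio button, but a hand-built request can omit it.
  if (typeof choice !== "string" || !CHOICES.has(choice)) {
    errors.choice = "Please select one of the options.";
  }

  const ok = Object.keys(errors).length === 0;
  return ok ? { ok, value: { amount: Number(amount), choice } } : { ok, errors };
}

// Decide the Ajax response: store only validated data, log every rejection.
function handleSubmit(body, db, log) {
  const result = validateSubmission(body);
  if (!result.ok) {
    // Log which fields failed, not the raw values, to keep untrusted input out of logs.
    log({ event: "validation_failed", fields: Object.keys(result.errors) });
    return { status: 422, json: { ok: false, errors: result.errors } };
  }
  db.push(result.value);
  return { status: 200, json: { ok: true } };
}

// Constructed requests: a valid one, the "q8" case, and one missing the radio value.
const db = [], logged = [];
const samples = [{ amount: "42", choice: "a" }, { amount: "q8", choice: "a" }, { amount: "7" }];
const responses = samples.map((s) => handleSubmit(s, db, (e) => logged.push(e)));
console.log(JSON.stringify(responses), db.length, logged.length);
```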