which one will be safe?

irrelevant as in irrelevant to my answer.

I program JSP's for a inhouse application and Javascript is always turned on.

I never said its only client validation, that would be virtually impossible to make failsafe because a smart user can do bad things if you dont protect the serverside

I just pointed out some advantages of client side validation.

I agree you need server validation to in most cases like queries for validation.

pgeuens at 2007-7-7 0:37:08 >

Why not use client and server side validations? We use javascript to validate field values before the user submits the request, and the we validate them again on the server.

This might be double the work, but in South Africa bandwidth is very scarce, so we don't wan't the client to pull out their hair over a field they missed, this is why we validate on the client side.

We also realize that client side validate gives you no guarantees, so we validate it again on the server side.

serlank at 2007-7-7 0:37:08 >

Here's my take on this:

client-side validation:

Pros:

- less network traffic (doesn't submit bad data)

- less server traffic (doesn't submit bad data)

Cons:

- Javascript may be disabled.

- Often limited to format validation (is it not blank, is it a number, is it an e-mail address format, etc.).

- Can't validate everything. It can't check for duplicate database entries, for example. And in that case, writing the DB data into the client-side script a) is not going to save bandwidth, b) may not be feasible for security reason, and c) creates a possible concurrency problem.

server-side validation:

Pros:

- Don't have to worry about if the client has Javascript enabled.

- Can check things like duplicate database entries or the like without concurrency or security problems.

- Can still check anything the client-side could have.

Cons:

- more network traffic (may submit bad data)

- more server traffic (server has more work to do)

Using both (server-side as a fall-through):

Pros:

- <include client-side pros>

- <include server-side pros>

Cons:

- <include server-side cons>

- Often checks same data twice. Client-side validates it, but server-side still has to check it. (However, you could set some hidden field value to identify that client-side checking was done.)

- Display of error messages often differs. (Although, one could use DHTML to add error messages to an DIV in the page instead of Javascript alerts for client-side validation, or one could use Javascript alerts written into the return page from server-side validation.)

As for which is safest, to make sure that the validation is truly done properly? Server-side is.

bsampieri at 2007-7-7 0:37:08 >