February 14th, 2002 07:08 PM
Data validation, how much is enough?
How much data validation is enough for your web applications? Do you trust client side code to do it? Do you validate at every level?
Personally I think client side is ok for some simple validation and formatting, but trust nothing sent from the client. It's far too easy to write code that changes the form, data sent from the form, etc.
I like to validate everything sent from the client in my asp/jsp/whatever stripping out the bogus characters for the expected data type, trimming it down to the appropriate number of characters or bouncing the user with an error message if necessary, and doing an explicit conversion to the data type I need. I strip out all code delimiting characters and make the appropriate conversions to keep my sql or other code from blowing up. Also I use constants to limit the size of the text boxes and then validate the amount of data sent from the client against those constants and take appropriate action if too much is sent.
Then the data is validated in the com component or other code that talks to the asp/jsp/whatever before sending it off to the database. Same kind of thing, check its size, type, validity (positive, negative, numerical, etc).
I usually have a nice utils include that holds validation functions of every variety such as validateemail(), validatelong(), etc. for both the web and something similar for the compiled code.
What do you do?
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
February 15th, 2002 11:21 PM
client side is fine...if you only want to make sure someone entered an email address with a @ or similar...other than that...if you don't scour and filter yer gonna get burned...
I use coldfusion so I've got a nice file called application.cfm which every file "passes thru"
in this application.cfm is a cf custom tag which filters sql strings, html, cfml and profanity so every form submission gets filtered.
also setting form field widths is important...undefined lengths...people can submit whatever they want...possibly causing a buffer overflow or who knows what
I also always add user validation feedback to all my form fields...
to let em know why ...
all of this happens with session vars and then when I'm happy... and only then does the form input get to touch my backend...
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
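Server-side checks of the kind the first post describes (a size constant per field, an allow-list of characters for the expected type, an explicit conversion, and a bounce with an error message), combined with the per-field feedback the coldfusion reply mentions. This is an added Python example, not code from anyone in the thread; the field names, limits and messages are constructed.

```python
import re

# Size constants shared by the form field widths and the server-side check, so an
# oversized submission is rejected even if the client-side limit was removed.
MAX_EMAIL_LEN = 254
MAX_LONG_LEN = 11  # a signed 32-bit value with its sign fits

# Allow-list per expected type: quotes, semicolons and angle brackets never match.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
_LONG_RE = re.compile(r"^-?[0-9]+$")

class ValidationError(ValueError):
    """Raised when a field fails; the message is safe to echo back to the user."""

def _trim_to(field, value, max_len):
    value = value.strip()
    if len(value) > max_len:
        raise ValidationError(f"{field} must be {max_len} characters or fewer")
    return value

def validate_email(value, field="email"):
    value = _trim_to(field, value, MAX_EMAIL_LEN)
    if not _EMAIL_RE.match(value):
        raise ValidationError(f"{field} is not a well-formed address")
    return value.lower()

def validate_long(value, field, minimum=None, maximum=None):
    """Digits only, then an explicit int() conversion and a range check."""
    value = _trim_to(field, value, MAX_LONG_LEN)
    if not _LONG_RE.match(value):
        raise ValidationError(f"{field} must be a whole number")
    number = int(value)
    if minimum is not None and number < minimum:
        raise ValidationError(f"{field} must be at least {minimum}")
    if maximum is not None and number > maximum:
        raise ValidationError(f"{field} must be at most {maximum}")
    return number

def validate_order_form(form):
    """Check a whole submission (dict of raw strings). Returns (typed_values,
    errors); errors maps each failing field to a message for per-field feedback."""
    checks = {"email": validate_email,
              "quantity": lambda v: validate_long(v, "quantity", 1, 999)}
    values, errors = {}, {}
    for field, check in checks.items():
        try:
            values[field] = check(form.get(field, ""))
        except ValidationError as exc:
            errors[field] = str(exc)
    return values, errors
```

Only the typed values dict is handed to the backend; when errors is non-empty the form is redisplayed with the messages instead.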
February 19th, 2002 12:22 PM
I can't really comment, as I usually allow third parties to do the user interaction parts. I stick to the main front end.
February 19th, 2002 05:18 PM
I agree Juridian, check everything otherwise there is some element of trust involved. We all know about trust......
.....Brain Failure....dumping core.... z z z
February 20th, 2002 01:41 PM
I validate on the client side (ASP/JSP) and in the database layer. The more validation the better.
--ssshhh, be vewry, vewry quiet...