{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 君临天下 的问题《Why is client-side validation not enough?》','https://www.manongdao.com/q-15502.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I saw here that:
As you probably already know, relying on client-side validation alone is a very bad idea. Always perform appropriate server-side validation as well.
Could you explain why server-side validation is a must?
相关问题
- Date with SimpleDateFormat in Java
- RegEx Max and Min length characters for a Text Box
- what's wrong in my URL validation Regex using
- jQuery validation - only show one error message
- Validation Attribute get triggered two times
相关文章
- Angular Material Stepper causes mat-formfield to v
- Why doesn't Django enforce my unique_together
- X/Html Validator in PHP
- Using CascadeMode.StopOnFirstFailure on a validato
- DDD Domain Model Complex Validation
- Laravel validator `required` fails for empty strin
- Magento, translate validation error messages
- React Native Input component takes ony numeric val
Client-side validation - I assume you are talking about web pages here - relies on JavaScript.
JavaScript powered validation can be turned off in the user's browser, fail due to a scripting error, or be maliciously circumvented without much effort.
Also, the whole process of form submission can be faked.
Therefore, there is never a guarantee that what arrives server side, is clean and safe data.
Client sided validation is for saving the client from entering wrong data. Server sided validation is for saving the server from processing wrong data. In the process, it also introduces some security into the submission process.
anyone who knows basic javascript can get around client side.
client side is just used to improve the user experience (no need to reload page to validate)
There is a simple rule in writing server application: Never trust the user data.
You need to always assume that a malicious user accesses your server in a way you didn't intend (e.g. in this case via a manual query via
curlinstead of the intended web page). For example, if your web page tries to filter out SQL commands an attacker already has a good hint that it might be a good attack vector to pass input with SQL commands.You should perform server-side validation on any data which, if invalid, could be harmful to anyone other than the entity posting the data. Client-side validation may be suitable in cases where invalid data would have no ill effects for anyone other than the entity posting it. Unless you can be certain that the ill effects from bad data will not spread beyond the entity posting it, you should use server-side validation to protect yourself against vandals or other rogue clients.
In general, it's best for EVERY piece of an app to do it's own checking/verifications.
Client-side checks are good for maximizing the user-experience and speeding up the feedback to the client that they need to fix something, and to reduce the amount of problems encountered in the server-side checks.
Then at each major point of transition on the server-side code, you should have checks in place there too. Verify inputs within the application code, preferably via whitelist input validation, and then have any interactions with the database use parameterized queries to further ensure problems do not occur.