First off, NEVER NEVER NEVER (should I say it again) assume that the data hitting the server or the database is coming from your form page. It is extremely easy for someone to do a view source and find out where the form data posts to. Then they can send all sorts of crap at the server just to see what happens (script kiddies anyone?). Because of that you have to do server side validation.

Client side validation is more for the (wait for it) "Client". It's much nicer to have the page say "sorry you put in bad data please fix it" than make them wait for a new page that says please go back and fix your data.

Lastly, NEVER assume that your server application (CF, PHP, ASPX) is the only thing that will hit your database. Say someone finds your database and calls a procedure. You would really hate it if they passed in username = 'dummy';drop usertable;-- and your code didn't account for it. Suddenly your usertable is gone. Always check in each place.

Think of it like a secure military base. You have to get through security at the gate, then you have to go through security at the building, then you have to go through security to get in the room (if what is inside is important enough to protect). At each level the guards are there to make sure that their specific area is protected. You can jump the fence, but it's harder to get in the building. If you find a way into the building, then it's almost impossible to get in the room. If you get in the room, no problem, we will shoot you when you come out! :)

No one level of security can assume that the other has done its job.

Steve

-----Original Message-----
From: Richard White [mailto:[email protected]]
Sent: Thursday, September 23, 2010 8:01 AM
To: cf-talk
Subject: Re: 3 layers of validation?

thanks for the replies. just so I understand: let's say the client (ExtJS) passes over a string to be stored in the database. ExtJS has checked that it is a string and a length of 50, and that it doesn't have any speech marks. the server then tries to insert it into the database which has a cfqueryparam that checks it is a string and a max length of 50.

do you think this is enough validation, or would you do any further checks? do you think the server should also check there are no speech marks in the text as well?
thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337371
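The three layers Steve describes (client check, server check, database check) and the 'dummy';drop usertable;-- payload from his reply, worked through as an added example. This is not code from the thread or from ColdFusion; it is a Python/SQLite model of the same situation, with constructed data. The payload string, the table name usertable, the 50-character rule from Richard's question, and the use of executescript() to stand in for a driver or stored-procedure call that accepts stacked statements are all assumptions made for the example. The parameterized query plays the role of cfqueryparam, and the CHECK constraint plays the role of the guard in the room that still applies when someone talks to the database directly. It also answers the speech-marks question: once the value is bound as a parameter, a quote is just a character, so O'Brien can be stored without rejecting quotes at the server.

```python
import sqlite3

MAX_LEN = 50

# Constructed payload in the shape of the one in the post: a plain string,
# well under 50 characters, that is harmless as data but closes the quote
# and stacks a DROP when it is concatenated into SQL.
PAYLOAD = "dummy';DROP TABLE usertable;--"


def validate_username(value):
    """Server-side gate: the same rule the client enforces (string, 1..50 chars).

    It deliberately does not reject quotes; keeping quotes out of SQL is the
    query layer's job, and O'Brien is a legitimate username.
    """
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not 1 <= len(value) <= MAX_LEN:
        raise ValueError("username must be 1..%d characters" % MAX_LEN)
    return value


def fresh_db():
    """Database layer: the CHECK constraint is the guard in the room. It holds
    even for a caller that bypasses the application and hits the database
    directly. (Assumed schema, constructed for the example.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usertable ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL CHECK (length(username) <= 50))"
    )
    conn.execute("INSERT INTO usertable (username) VALUES ('alice')")
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'usertable'"
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn, username):
    """Builds SQL by string concatenation. executescript() models a driver or
    stored-procedure call that accepts stacked statements; SQLite's execute()
    would refuse the second statement, but that is a quirk of one driver, not
    a defence. Returns whether usertable survived the call."""
    sql = "SELECT id FROM usertable WHERE username = '%s'" % username
    conn.executescript(sql)
    return table_exists(conn)


def lookup_parameterized(conn, username):
    """cfqueryparam equivalent: the value travels as a bound parameter, so the
    quote and the semicolon are just characters in a username."""
    cur = conn.execute("SELECT id FROM usertable WHERE username = ?", (username,))
    return [row[0] for row in cur.fetchall()]


def insert_parameterized(conn, username):
    """Returns True if the row was stored, False if the database's own CHECK
    rejected it (the third layer catching what the first two did not)."""
    try:
        with conn:
            conn.execute("INSERT INTO usertable (username) VALUES (?)", (username,))
        return True
    except sqlite3.IntegrityError:
        return False


def run_demo():
    results = {}
    # Server validation alone lets the payload through: it really is a string
    # under 50 characters, which is exactly why that layer is not enough.
    results["validation_passed"] = validate_username(PAYLOAD) == PAYLOAD
    # Concatenation plus stacked statements: usertable is gone.
    results["vulnerable_table_survived"] = lookup_vulnerable(fresh_db(), PAYLOAD)
    # Bound parameter: no such user, table intact.
    conn = fresh_db()
    results["param_rows"] = lookup_parameterized(conn, PAYLOAD)
    results["param_table_survived"] = table_exists(conn)
    # Quotes are fine as data once they are bound.
    results["obrien_stored"] = insert_parameterized(conn, "O'Brien")
    # A caller that skipped the application layer still meets the CHECK.
    results["oversize_rejected"] = not insert_parameterized(conn, "x" * 51)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-26s %r" % (key, value))
```

Run it as a script to see each layer's verdict. The point to take from it is the one in Steve's reply: the validation layer passes the payload, the query layer neutralises it, and the constraint layer still applies to whoever reaches the database by another road, so none of the three can assume another has done its job.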

