Eric Heflin <[EMAIL PROTECTED]> wrote:
>Why not have the client-side script not only do validation, but also set a
>hidden form field to a checksum (like a CRC) to indicate that the client
>side validation has occurred? The server-side scripting can first determine
>if the checksum was correct, and if so, it will know that the client-side
>scripting executed. If the checksum is wrong, then the server-side script
>will do full input validation. That way, if the client validation took
>place, you don't need to waste server processing cycles by redoing a
>validation that already occurred.

Eric,

I wouldn't recommend that. You should *always* do server-side input validation. The
reason is very simple: never trust clients :)

It would be very easy for a person to see GET (or even POST) parameters passed to your
JSP or servlet, and then fake your "CRC".

Some other reasons:
o Code in client script might have errors that permit invalid data.
o Business logic should be kept in the server.
o What happens if a user is using a cached version of your validation code?
o Application state might have changed between the time the server & client
  complete their transaction.

The way we have done this in the past where I work is that for non-ultra-thin
clients, I do as much validation as possible, but once the data gets to the server we
do validation over there. It's just the safest way to get data.
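
The point of the reply above, as an added Java example that is not part of the original thread: an unkeyed checksum in a hidden field can be computed by anyone who can read the page, so a matching "CRC" says nothing about whether the client-side validation ran. The field names `quantity` and `crc`, the 1 to 100 range, and all class and method names are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.zip.CRC32;

public class ServerSideValidation {

    // Unkeyed checksum, as a hypothetical client script would compute it.
    // It depends only on the submitted data, so any sender can reproduce it.
    static long crcOf(String data) {
        CRC32 crc = new CRC32();
        crc.update(data.getBytes(StandardCharsets.UTF_8));
        return crc.getValue();
    }

    // The proposed shortcut: treat a matching checksum as proof that the
    // client already validated the field, and skip the server-side check.
    static boolean acceptIfChecksumMatches(Map<String, String> params) {
        String quantity = params.get("quantity");
        String claimed = params.get("crc");
        if (quantity == null || claimed == null) return false;
        return claimed.equals(Long.toString(crcOf(quantity)));
    }

    // What the server does on every request, whatever the client claims:
    // check the format first, then the business rule (assumed range 1..100).
    static boolean validateOnServer(Map<String, String> params) {
        String quantity = params.get("quantity");
        if (quantity == null || !quantity.matches("[0-9]{1,3}")) return false;
        int n = Integer.parseInt(quantity);
        return n >= 1 && n <= 100;
    }

    public static void main(String[] args) {
        // Constructed request: parameters written by hand, no client script ran.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("quantity", "-5");
        request.put("crc", Long.toString(crcOf("-5")));

        System.out.println("checksum shortcut accepts: " + acceptIfChecksumMatches(request));
        System.out.println("server validation accepts: " + validateOnServer(request));
    }
}
```

In a servlet the same `validateOnServer` logic would read its values from `request.getParameter(...)`; the client-side script then only saves the user a round trip and is never relied on for correctness.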