-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Heflin
Sent: Tuesday, December 07, 1999 9:27 AM
To: [EMAIL PROTECTED]
Subject: Re: New to JSP

Matt:
Why not have the client-side script not only do validation, but also set a hidden form field to a checksum (like a CRC) to indicate that the client side validation has occurred? The server-side scripting can first determine if the checksum was correct, and if so, it will know that the client-side scripting executed. If the checksum is wrong, then the server-side script will do full input validation. That way, if the client validation took place, you don't need to waste server processing cycles by redoing a validation that already occurred.
Eric Heflin, Director of Software Development
Complete Data Solutions
[EMAIL PROTECTED]
801.362.9669 cell
801.765.0093 x208 office

-----Original Message-----
From: Augusto Sellhorn [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 06, 1999 11:23 PM
To: [EMAIL PROTECTED]
Subject: Re: New to JSP
Matt Krevs <[EMAIL PROTECTED]> wrote:
>2. It's possible for the client to disable javascript, i.e. all javascript
>validation needs to be repeated on the server in your servlets/beans.
>
>Basically I work on the premise that any info sent to the server needs to be
>completely validated again.

A good premise. You can't trust client validation.
The only good point I see for client side validation is that it's quicker,
since you can save network ops for simple errors like fill this field,
etc. But like you say in a way, what matters is the server side val.
Title: RE: New to JSP
Eric,
If you use JavaScript to create the checksum or other validating value, and then set a hidden field with that value, anyone can look at the page source and identify your algorithm. Once that is known, it's certainly possible to construct a request with "validated" fields which are actually invalid. This would be a fairly big security risk.
-AMT
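
The weakness discussed in this thread, as an added example that is not part of the original messages: a server that skips validation when the hidden checksum matches, beside one that validates every request. The field names, the checksum function and the validation rules are assumptions made for illustration, and the server side is modeled as plain functions rather than a servlet.

```javascript
// Added example; all names and rules below are hypothetical.

// Checksum the client-side script would compute over the form fields.
// It ships in the page source, so any client can reproduce it.
function clientChecksum(fields) {
  const text = Object.keys(fields).sort().map((k) => `${k}=${fields[k]}`).join("&");
  let sum = 0;
  for (const ch of text) sum = (sum * 31 + ch.codePointAt(0)) >>> 0;
  return sum.toString(16);
}

// Server-side validation rules (constructed for this example).
function validate(fields) {
  const errors = [];
  if (!/^[A-Za-z][A-Za-z0-9_]{2,15}$/.test(fields.username || "")) errors.push("username");
  const qty = Number(fields.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) errors.push("quantity");
  return errors;
}

// Scheme proposed in the thread: a matching checksum means validation is skipped.
function handleTrustingChecksum(request) {
  const { checksum, ...fields } = request;
  if (checksum === clientChecksum(fields)) return { accepted: true, errors: [] };
  const errors = validate(fields);
  return { accepted: errors.length === 0, errors };
}

// Hardened form: the hidden field is ignored and every request is validated.
function handleAlwaysValidate(request) {
  const { checksum, ...fields } = request;
  const errors = validate(fields);
  return { accepted: errors.length === 0, errors };
}

// Constructed request: fields that fail validation, with a checksum computed
// by the same public function the page would serve to every browser.
const badFields = { username: "", quantity: "-5" };
const sampleRequest = { ...badFields, checksum: clientChecksum(badFields) };

console.log("trusting checksum:", handleTrustingChecksum(sampleRequest));
console.log("always validate:  ", handleAlwaysValidate(sampleRequest));
```

The checksum only proves that the sender knows the algorithm, not that the validation ran, so the server-side check cannot be made conditional on it.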
