You can't, and you don't need to. If your server side failed the semantics check, you simply throw an exception or return an error page. If you bypass the client validation and send some garbage data, you get error pages. On the other hand, if you bypass security (hacking), then it is more disastrous, as the web site can be damaged by the hacker in many ways. This is why many web site pages use JSP with session management, which has embedded security measures. This is to ensure that even if you break into one page, the next page will still be able to stop you.

We probably are walking away from the original topic now.

Charles

Bing Zhang <[EMAIL PROTECTED]> on 10/31/2000 10:27:41 AM
To: Charles Chen/YellowPages
cc:
From: Bing Zhang <[EMAIL PROTECTED]>, 31 October 2000, 10:27 a.m.
RE: Design and Validation opinion.
[Scanned by Yellow Pages PostMaster]

> > You have simply rewritten the HTML page in some other way to access the data. You haven't hacked anything. Hacking means to break the security, that is, to access data that is not intended for you. There is no security involved. You know how to login. You probably have been given the password too. No hacking. If a web site requires login with userid and password and you wrote a program to bypass that login process, or intercept it, it will be a hack.
>
> Hacking here means the user bypasses validation and tries to break your logic or put garbage in your database.
>
> > Client side validation is never meant to be a security measure. Client side validation is for prompt user interaction, to reduce round trips back to the server. After the form is finally accepted after having been validated on the client side, you don't expect errors such as wrong date format, or alphabetic characters for numeric values.
>
> This is precisely my point: your server expects that the client side has already checked that the date is in a valid format, or that there are no alphabetic characters for numeric values. If the user composes his own page and bypasses validation, your server will throw out lots of runtime exceptions. Are you going to duplicate the error checking on the server side? In some cases, you want to do some semantics at the client side for faster response and easy programming, such as restricting a range. You do not want to send the data to the server, and bounce back the page again if data is out of range.
>
> > On the server side, you would still have to check: a correctly formatted date may still be an out of range date. In most cases, it is like a semantics check on the server side. For security checks, you only do it on the server side.
>
> Your semantics check is based on all data being in the correct format. If they are not, what is the point of semantics?
>
> What I mean is whether we have an easy method to tell from the server side that client side checking has already been done properly, not bypassed.

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
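The point the thread settles on, that the server has no way to know whether the browser's checks ran and must therefore repeat the format checks before any semantics check, as an added example that is not part of the original messages. It assumes a form with two fields, "birthDate" (yyyy-MM-dd) and "quantity" (1 to 100), and uses a plain Map in place of the servlet request parameters so it runs without a container.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.format.ResolverStyle;
import java.util.LinkedHashMap;
import java.util.Map;

// Assumed form fields: "birthDate" (yyyy-MM-dd) and "quantity" (integer 1..100).
// The Map stands in for what request.getParameter() would return in a servlet.
public class ServerSideValidator {
    // STRICT with "uuuu" rejects impossible dates such as 2000-02-30 instead of adjusting them.
    private static final DateTimeFormatter DATE =
            DateTimeFormatter.ofPattern("uuuu-MM-dd").withResolverStyle(ResolverStyle.STRICT);

    // Returns field -> error message; an empty map means the submission is acceptable.
    public static Map<String, String> validate(Map<String, String> params) {
        Map<String, String> errors = new LinkedHashMap<>();

        // Format checks first: the client-side checks may have been bypassed, so parse
        // defensively rather than letting the parse exception surface as a 500 error page.
        LocalDate birthDate = null;
        try {
            birthDate = LocalDate.parse(params.getOrDefault("birthDate", ""), DATE);
        } catch (DateTimeParseException e) {
            errors.put("birthDate", "expected a date in yyyy-MM-dd format");
        }
        Integer quantity = null;
        try {
            quantity = Integer.valueOf(params.getOrDefault("quantity", ""));
        } catch (NumberFormatException e) {
            errors.put("quantity", "expected a whole number");
        }

        // Semantic (range) checks run only on values whose format check passed.
        if (birthDate != null && birthDate.isAfter(LocalDate.now())) {
            errors.put("birthDate", "must not be in the future");
        }
        if (quantity != null && (quantity < 1 || quantity > 100)) {
            errors.put("quantity", "must be between 1 and 100");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed submissions: one as the browser would send it after its own checks,
        // one hand-crafted to skip those checks entirely.
        Map<String, String> fromBrowser = Map.of("birthDate", "1980-05-17", "quantity", "7");
        Map<String, String> bypassed = Map.of("birthDate", "17/05/1980", "quantity", "7abc");
        System.out.println("browser submission: " + validate(fromBrowser));
        System.out.println("bypassed submission: " + validate(bypassed));
    }
}
```

The bypassed submission produces two field errors and no exception, which is the duplication of client-side checks the thread asks about; the server does it because it cannot tell the two submissions apart.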
