I recently created a .NET web app that used over 200 custom validators on one page. I wrote code for both ClientValidationFunction and OnServerValidate, which results in a ton of repetitive code.
My SQL statements are parameterized, and I have functions that pull data from input fields and validate them before passing them to the SQL statements or stored procedures. And the JavaScript validates the fields before the page submits. So essentially the data is clean and valid before it even hits the OnServerValidate, and clean after it anyway due to the aforementioned steps.
This makes me question: is OnServerValidate really needed when I validate on the client side?
Edit:
My OnServerValidates do simple things like making sure a skip pattern is enforced or that a short appears in a text (which is enforced anyway with my code that pulls data from text fields into parameters, i.e. GetShort()). And these are being placed in patient surveys, which most of the time are filled out by staff members.
So it seems like if I didn't have the OnServerValidate for these basic checks and just client side, the following situations are:
- A user turns off JavaScript and cannot submit the form, which is expected as buttons are JavaScript driven for postbacks.
- A user forces a post. If this occurs, my OnServerValidate would do jack to stop whatever they are trying to do since it is just looking at skip patterns, or would it?
Situation 2 is where I am getting lost. It seems like the user forcing a post is more than likely not to be caught by these simple OnServerValidates.
Best Answer
You do need them as the client can decide to allow javascript in their browsers. You also should consider those people who want to break your software. There are plenty of tools out there that can manufacture posts and submit them to your website without having used your front end.
Client side validation is nice for the user, but the server should never ever trust data that is sent to it.
--Update--
If I'm reading your edit properly, it sounds like the OnServerValidates are duplicating validation functionality that is already present on the server. Since that's the case, then you shouldn't need the OnServerValidates. Furthermore, you are correct that if a user manufactures a post to your service, it will not trigger the OnServerValidates, so you are better off keeping that type of validation where you have it currently on the server.
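
To illustrate the point that the server should never trust posted data, here is an added example (not code from the question or the answer) of a server-side check that enforces a skip pattern and a short-typed field on the raw posted values, regardless of what the browser's JavaScript did. The field names Q1 and Q2, the 0 to 120 range, and the TryGetShort helper are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

// Hypothetical survey rule: Q2 may be answered only when Q1 == "1" (skip pattern),
// and Q2 must then parse as a short in the range 0..120.
static class SurveyValidator
{
    // Hypothetical stand-in for the GetShort() helper mentioned in the question.
    public static bool TryGetShort(NameValueCollection form, string key, out short value)
    {
        value = 0;
        string raw = form[key];
        return !string.IsNullOrWhiteSpace(raw) && short.TryParse(raw.Trim(), out value);
    }
    // Runs on the server against the posted fields, whatever the client did or skipped.
    public static List<string> Validate(NameValueCollection form)
    {
        var errors = new List<string>();
        string q1 = form["Q1"];
        bool q2Present = !string.IsNullOrWhiteSpace(form["Q2"]);
        if (q1 != "0" && q1 != "1")
            errors.Add("Q1 must be 0 or 1.");
        else if (q1 == "0" && q2Present)
            errors.Add("Skip pattern violated: Q2 answered although Q1 is 0.");
        else if (q1 == "1" && (!TryGetShort(form, "Q2", out short q2) || q2 < 0 || q2 > 120))
            errors.Add("Q2 must be a whole number from 0 to 120.");
        return errors;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed posts: one well-formed, two that client-side checks would have blocked.
        var posts = new[]
        {
            new NameValueCollection { { "Q1", "1" }, { "Q2", "42" } },
            new NameValueCollection { { "Q1", "0" }, { "Q2", "42" } },
            new NameValueCollection { { "Q1", "1" }, { "Q2", "99999" } },
        };
        foreach (var form in posts)
        {
            var errors = SurveyValidator.Validate(form);
            Console.WriteLine(errors.Count == 0 ? "accepted" : "rejected: " + string.Join(" ", errors));
        }
    }
}
```

Keeping the rule in one server-side function like this means it is written once and applies to every code path that saves the survey, rather than being repeated per validator.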