Wednesday, October 30, 2013

Re: Under GWT Architecture, Should we validate InputData at Client Side or Server Side?

If you don't use SSL then data can always be altered during transfer. 

If you use SSL then there is still a very small chance of man-in-the-middle attacks, but something serious must go wrong to make them happen. For example the client must accept a fake certificate for your domain, or your SSL key must be stolen, or the CA root certificate that signed your certificate must be attacked, or the OpenSSL implementation has a bug...

So if you must validate data before it is stored in the database you should validate it on the server and not trust any client. Also keep in mind that data coming from the client could cause SQL injection on your server if you don't validate the data at all and you use it to build a DB query.

Client validation can be useful to avoid server requests though.

-- J.

