Wednesday, October 30, 2013

Re: Under GWT Architecture, Should we validate InputData at Client Side or Server Side?

Client side validation can help provide a richer user experience; you don't want to waste your users' time and/or your servers' CPU cycles dealing with malformed input. It is easier on both parties to have bad data fixed as soon as possible after it is entered, or prevent bad data entry in the first place.
However, as David mentions above, it is very easy for a misbehaving user to hack your form to attempt to bypass client side validation, so you must do validation on the server.
The simple answer is that you should do both client and server side validation, but you must do server side.


On Wed, Oct 30, 2013 at 8:23 AM, David <david.nouls@gmail.com> wrote:
Sometimes customers try to hack your system by changing the GET/POST data to circumvent checks done in the client.
A server should never trust that the client can be trusted.
 
The big advantage of GWT is that you can reuse the same code to perform validation on the server side.
 


On Wed, Oct 30, 2013 at 11:52 AM, Jens <jens.nehlmeier@gmail.com> wrote:
If you don't use SSL then data can always be altered during transfer. 

If you use SSL then there is still a very small chance for man-in-the-middle attacks but something serious must go wrong to make them happen. For example the client must accept a fake certificate for your domain, or your SSL key must be stolen, or the CA root certificate that signed your certificate must be attacked, or the OpenSSL implementation has a bug...

So if you must validate data before it is stored in the database you should validate it on the server and not trust any client. Also keep in mind that data coming from the client could cause SQL injection on your server if you don't validate the data at all and you use it to build a DB query.

Client validation can be useful to avoid server requests though.

-- J.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/groups/opt_out.
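
An added illustration of the points made in this thread (not code from any of the posters or from GWT itself): one validation rule written in plain Java so the same class can be compiled for the GWT client and run again on the server, with the value then bound through a `PreparedStatement` rather than concatenated into the query. The class names, the `users` table and the `name` column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class SharedValidationExample {
    // Hypothetical shared rule: in a GWT project this class would live in a
    // package compiled for both client and server (commonly "shared").
    static final class UsernameValidator {
        /** Returns null when valid, otherwise a message for the user. */
        static String check(String name) {
            if (name == null || name.length() < 3 || name.length() > 20) {
                return "Username must be 3-20 characters";
            }
            for (int i = 0; i < name.length(); i++) {
                char c = name.charAt(i);
                boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == '_';
                if (!ok) {
                    return "Username may contain only letters, digits and _";
                }
            }
            return null;
        }
    }

    // Server side: runs the same rule again, because the request may not have
    // come from the unmodified client, then binds the value as a parameter
    // instead of concatenating it into the SQL text.
    static void saveUser(Connection db, String name) throws SQLException {
        String error = UsernameValidator.check(name);
        if (error != null) {
            throw new IllegalArgumentException(error);
        }
        // "users" and "name" are assumed table/column names.
        try (PreparedStatement ps =
                db.prepareStatement("INSERT INTO users (name) VALUES (?)")) {
            ps.setString(1, name);
            ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; no database is needed for this part.
        String[] samples = { "alice_01", "x", "bob' OR '1'='1" };
        for (String s : samples) {
            String error = UsernameValidator.check(s);
            System.out.println(s + " -> " + (error == null ? "accepted" : error));
        }
    }
}
```

The client would call `UsernameValidator.check` before sending the request to give immediate feedback; `saveUser` does not rely on that call having happened.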

