Preventing hyperlinks from being entered into an HTML form: client-side or server-side validation?

Time: 2022-01-02 16:04:00

I'm still debating whether I want to do this or not but what I'm considering is preventing users from entering hyperlinks into a HTML form in my app. This is to avoid spammy links from showing up for other uses of the app since the app is based on user generated content.

This is a Rails app, so I could do some backend validations on the model after the form is submitted by the user.

But I was wondering whether it might be preferable to perform the check in jQuery/JavaScript before any submission takes place. This way the user could be notified immediately without any backend processing.

Which would be preferable here - client-side or server-side validation?

7 solutions

#1


6  

You only have control over data when it arrives at your server. If you use JavaScript to try to strip out spam, then spammers are just going to turn JavaScript off.

Build a server side solution.

Once you have that, think about duplicating the work client side to make things nicer for users.

#2


2  

Use both.

Client side validation lowers stress on the server when the client has the JavaScript turned on.

Server-side is your last line of defense which should be there for the case the user has JavaScript turned off.

#3


2  

You say:

so I could do some backend validations on the model after the form is submitted by the user.

No! You must do validations on the backend!

JavaScript can be disabled, form posting can be forged; so you always need to develop validations / filtering / whatever security measure you want on the backend/server.

Only then, you can eventually add some JS thing, so your application is more user-friendly.

#4


1  

Both............

#5


1  

You should use both, use jQuery validation plugin on the client, and whatever method is appropriate on the back-end (I don't know ROR).

An ajaxy validation solution could perform server-side validation while the client is inputting information, and provide feedback/prevent submission accordingly.

Hope that helps.

#6


0  

Spammers often use some kind of script that analyses the form, builds form data and posts on its own, so client script is totally useless against most spamming.

#7


0  

JavaScript validation is great as a way to hold the hands of non-malicious users. "The passwords you entered don't match", "looks like an invalid e-mail address, please double-check", etc.

The downside of JavaScript is that there is no way to verify that it ran, nor that it ran as intended. A malicious user, or one with a glitchy browser plugin, or one with an overzealous firewall/content blocker, a spambot without JavaScript, a user with NoScript enabled, or any number of other situations can result in your validation never being triggered.

As such, your server should always validate data if validation is necessary. JavaScript can be a first line of defence, but it can never be the final one.
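The server-side check that answers #3 ("you must do validations on the backend") and #7 ("your server should always validate data") call for, written as an added example; it is not code from the question, from any answer, or from Rails itself. It follows the `ActiveModel::EachValidator` contract (`validate_each(record, attribute, value)`), so in a Rails app the class would inherit from `ActiveModel::EachValidator`, sit in `app/validators/no_links_validator.rb`, and be declared on the model with `validates :body, no_links: true`. Here it runs without Rails against a small stand-in record; `NoLinksValidator`, `FakeErrors`, `FakeRecord`, the `:body` attribute and the sample posts are all this example's own assumptions.

```ruby
# Added example, not code from the thread: a Rails-style validator that rejects
# hyperlinks in user-generated text on the server. NoLinksValidator, FakeErrors,
# FakeRecord and SAMPLE_POSTS are constructed for this example.

class NoLinksValidator
  # Several link shapes are checked because a filter that only looks for
  # "http://" lets "www.example.com" or an <a> tag straight through.
  LINK_PATTERNS = [
    %r{\b(?:https?|ftp)://\S+}i,            # scheme URLs
    /\bwww\.[a-z0-9-]+(?:\.[a-z0-9-]+)+/i,  # bare www. host, no scheme
    /<a\b[^>]*href\s*=/i,                   # HTML anchor tags
    /\[[^\]]*\]\([^)]+\)/                   # Markdown [text](target) links
  ].freeze

  def initialize(options = {})
    @message = options.fetch(:message, 'must not contain links')
  end

  # Same signature as ActiveModel::EachValidator#validate_each.
  def validate_each(record, attribute, value)
    return if value.nil?

    record.errors.add(attribute, @message) if self.class.contains_link?(value)
  end

  # Pure check, usable without a record. Zero-width characters are stripped
  # first: "www.exa\u200Bmple.com" still renders as a link in most clients
  # but would not match the patterns above unless normalised.
  def self.contains_link?(text)
    normalized = text.to_s.gsub(/[\u200B-\u200D\uFEFF]/, '')
    LINK_PATTERNS.any? { |re| normalized.match?(re) }
  end
end

# Minimal stand-ins for ActiveModel's errors object and a model instance.
class FakeErrors
  attr_reader :messages

  def initialize
    @messages = Hash.new { |h, k| h[k] = [] }
  end

  def add(attribute, message)
    @messages[attribute] << message
  end

  def empty?
    @messages.empty?
  end
end

FakeRecord = Struct.new(:body) do
  def errors
    @errors ||= FakeErrors.new
  end

  # Runs the validator the way ActiveModel would when valid? is called.
  def valid?
    @errors = FakeErrors.new
    NoLinksValidator.new.validate_each(self, :body, body)
    errors.empty?
  end
end

# Constructed sample submissions: one clean post and several link variants.
SAMPLE_POSTS = {
  clean: 'Great recipe, I used less salt and it still worked.',
  scheme: 'Check out https://example.com/deals now!!!',
  bare_host: 'visit www.example.com for cheap stuff',
  anchor: 'Nice <a href="http://example.com">post</a>',
  markdown: 'see [here](http://example.com)',
  zero_width: "go to www.exa\u200Bmple.com"
}.freeze

# Returns the keys of the posts the validator would reject.
def rejected_posts(posts = SAMPLE_POSTS)
  posts.select { |_, text| !FakeRecord.new(text).valid? }.keys
end

puts "rejected: #{rejected_posts.inspect}" if $PROGRAM_NAME == __FILE__
```

Because the check lives in the model, it runs for every path that saves a record (the HTML form, an API endpoint, a console script), which is exactly what the client-side-only approach cannot guarantee. The pattern list is a heuristic: it will also reject a legitimate post that happens to contain "www.something.tld", so the rejection message should tell the user what was matched rather than silently dropping the content.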
