Should you do validation on the server side?

Time: 2022-03-29 16:36:05

Should you do validation on the server side, or is it ok to just do the validation on the client side?

@TheTXI

I am happy you're amazed; I just did not want to leave anything out that could potentially change someone's answer and give me false information.

It seems a lot of people touched on what I was going after, but the part about the Ajax should have been kept in my question as this was the most important part.

However, reading the posts I now see that a bad person could just easily load up Firebug and change my button to a submit button and do a POST. Or some other way.

17 answers

#1

89

Browser/client-side validation is a convenience. You cannot rely on it. You absolutely need to duplicate any client-level validation with server-side validation.

#2

33

Well, fine, all YOUR code is correct. What happens when a hacker replaces your javascript with one of their liking, or just plain submits POSTs and GETs as if it were your code?

Validating at the client is a usability issue.

Validating at the point of USAGE is a security issue.

That last point is important, because if you do not validate at the point of usage, you are making your code highly coupled. If you change a module, it breaks things elsewhere because you validated at the wrong point.

For instance, you validate data against SQL injection before storing in a SQL database -- the library will do that for you if you choose a good one. You validate data against CSS when you display it as HTML. But if you expose the data as XML, RSS or JSON, then the validation is different -- if you validated it just at input, you wouldn't prevent exploits for the other formats, AND your input routine would be tied to the output formats you choose.
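The "validate at the point of usage" idea from this answer, as an added Python example that is not part of the original thread: one comment body is stored verbatim through a bound SQL parameter, and each output path (HTML, JSON, XML) applies its own encoding when the data is used. The in-memory sqlite3 table and the sample comment are constructed for the example.

```python
import html
import json
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# Constructed sample input: a comment body containing characters that are
# special in SQL literals, HTML and XML. It is stored verbatim; each output
# path applies its own encoding at the point of usage.
SAMPLE_COMMENT = "Bob's <script>alert(1)</script> & \"quotes\""

def open_store() -> sqlite3.Connection:
    """In-memory table standing in for the application's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn

def store_comment(conn: sqlite3.Connection, body: str) -> int:
    """Point of usage: SQL. The bound parameter keeps Bob's apostrophe as data,
    never as part of the statement, so the text itself is not rewritten."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid

def load_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0]

def roundtrip(body: str) -> str:
    """Store and reload one comment; returns exactly what went in."""
    conn = open_store()
    return load_comment(conn, store_comment(conn, body))

def render_html(body: str) -> str:
    """Point of usage: HTML. <, >, & and both quote styles become entities,
    so the script tag is displayed as text rather than executed."""
    return f"<p>{html.escape(body, quote=True)}</p>"

def render_json(body: str) -> str:
    """Point of usage: JSON. json.dumps quotes and escapes for JSON only;
    HTML entities here would corrupt the data for API clients."""
    return json.dumps({"body": body})

def render_xml(body: str) -> str:
    """Point of usage: XML/RSS. Similar to HTML escaping but not identical
    (quotes are left alone), which is why it lives with the output, not the input."""
    return f"<comment>{xml_escape(body)}</comment>"

if __name__ == "__main__":
    stored = roundtrip(SAMPLE_COMMENT)
    print(render_html(stored))
    print(render_json(stored))
    print(render_xml(stored))
```

Note that the JSON output still contains the literal `<script>` text: that is correct for an API consumer, and it is the HTML renderer, not the input routine, that must neutralise it.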

#3

14

I always view it as

  • Client validation is for usability
  • Server validation is for security.

#4

8

Yes, you should always do server-side validation. Javascript/AJAX is nice to give the user instant feedback, but it isn't giving you any protection whatsoever on the server side.

You just can't trust user input. Javascript validation is too easy to circumvent. Thus, you need to check the input on the server side.

#5

6

In short, yes. You can never depend on what a browser sends you being legitimate.

#6

3

Client side validation can potentially be circumvented - and if you don't have server-side validations, you will end up processing or saving invalid or bad data.

The above could be because of browser issues, like some browser version that you don't support. Or worse, it could be due to a malicious user.

Hence it's essential to have server-side validations.

#7

3

Actually, server-side validation is a must; client-side is nice but optional. That's because you have absolutely no control over what's happening on the client side.

Worst case is that a custom browser is built which renders your client-side validation impotent. This is really no different to using URLs to pass sensitive information - it's quite easy for someone to suborn the URL to do what they wish (such as changing pricing information on an order or bypassing security by changing user IDs).
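The two tampering cases this answer names (an edited price, an edited user ID) and the server-side defence against them, as an added Python example that is not part of the original thread. The catalogue, the `Session` type and the form field names are constructed for the example; the point is that the handler never reads a price or user id from the request at all.

```python
from dataclasses import dataclass

# Constructed server-side state standing in for the real catalogue and
# session store (assumption: prices are integers in cents).
CATALOGUE = {"sku-100": 1999, "sku-200": 4500}

@dataclass(frozen=True)
class Session:
    """What the server already knows about the caller from its authenticated session."""
    user_id: int

class ValidationError(ValueError):
    pass

def place_order(session: Session, form: dict) -> dict:
    """Server-side handler for an order POST.

    Whatever JavaScript did on the client, the request body may have been
    rewritten in transit. So every field is either validated against server
    state (sku, quantity) or re-derived from it (price, user id). A 'price' or
    'user_id' field in the form is simply never read.
    """
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")
    try:
        qty = int(str(form.get("quantity", "")))
    except ValueError:
        raise ValidationError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise ValidationError("quantity out of range")
    unit_price = CATALOGUE[sku]
    return {
        "user_id": session.user_id,   # from the session, not the form
        "sku": sku,
        "quantity": qty,
        "unit_price": unit_price,     # from the catalogue, not the form
        "total": unit_price * qty,
    }

def rejection_reason(session: Session, form: dict):
    """Returns the validation error message, or None if the order is accepted."""
    try:
        place_order(session, form)
    except ValidationError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    # A tampered request: price and user_id fields that a tool could have edited
    # after client-side validation ran. Both are ignored by the handler.
    tampered = {"sku": "sku-100", "quantity": "2", "price": "1", "user_id": "42"}
    print(place_order(Session(user_id=7), tampered))
```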

#8

3

It is absolutely essential to have server-side validation, as a user could turn off JavaScript or simply submit any data they wanted to your server-side handler, since they don't have to use your JS-enhanced form to submit the data.

I've always thought of client-side/JavaScript validation as a UI enhancement, with the server-side validation as the "actual" validation. Having the JS validation is nice for immediate notification of improper data to help your users.

#9

2

In addition to the issue of a user with Javascript turned off, server-side validation is necessary for security. In addition to checking things like required fields, you also want to check the user-supplied data to prevent SQL injection attacks, cross-site scripting, etc. You have to do this on the server side, because a user can always bypass the Javascript and send you any data they want.

#10

2

Yes, you still need to do validation server side. An AJAX post is still just a POST. Someone could easily enough write a page that does a POST with bad data, or even easier, use a tool like the Tamper Data plugin in Firefox to change the data after your Javascript has validated it.

#11

1

I think you should do client-side AND server-side validation to be safe. You could have plenty of validation on the client, but if someone circumvents that validation then you open yourself up to big problems. Whereas having validation on the server-side too protects you against that.

#12

1

If you don't validate on the server, someone will overwrite your client-side validation using Firebug, or just go completely around it with another Firefox extension called Poster. Good luck cleaning your database!

Client-side validation is only done so that the user knows that they messed up immediately. It is not intended to secure anything.

#13

1

Yes, anything could happen with the client side and you should not trust it as a primary form of validation. You do not want bad data getting to a database or potential security issues that could arise from unchecked conditions. It can depend on the type of functionality, but you should validate on both sides.

#14

1

For additional spirited debate on what's basically the same subject, see Security in Flex – is it possible to manipulate downloaded code and execute web service.

#15

1

Definitely do both. Client side validation is good for simple type validation (for example, does this match a properly formatted email address) but since you cannot ensure that your data is coming from your pages (form spoofing is a common hack) you should always duplicate the validation on the server side.

Furthermore, server side validation allows you to do a more thorough business logic check of the data before committing it to your database.
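The two-stage server-side check described in this answer and in #9 (repeat the client's required-field and email-format checks, then apply business rules only the server can know), as an added Python example that is not part of the original thread. The field names, the email pattern and the `EXISTING_EMAILS` set standing in for the accounts table are constructed for the example.

```python
import re

# The same simple email pattern the browser-side script might use. The server
# repeats the check because the request may not have come from that script at all.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed stand-in for the accounts table; a real handler would query the DB.
EXISTING_EMAILS = {"alice@example.com"}

def validate_signup(form: dict, existing_emails: set) -> dict:
    """Returns a dict of field -> error message; an empty dict means the data
    is acceptable. Stage 1 repeats the client's simple type checks; stage 2
    applies business rules that only the server can evaluate."""
    errors = {}

    # Stage 1: required fields and simple formats (what the client also checks).
    # Values are coerced with str() because a hand-built POST can send anything.
    for field in ("email", "display_name"):
        if not str(form.get(field, "")).strip():
            errors[field] = "required"
    email = str(form.get("email", "")).strip().lower()
    if "email" not in errors and not EMAIL_RE.match(email):
        errors["email"] = "not a valid email address"
    name = str(form.get("display_name", "")).strip()
    if "display_name" not in errors and len(name) > 40:
        errors["display_name"] = "at most 40 characters"
    if errors:
        return errors

    # Stage 2: business logic against server-side state. The client cannot
    # perform this check, so it exists only here.
    if email in existing_emails:
        errors["email"] = "already registered"
    return errors

if __name__ == "__main__":
    # Constructed requests: one well-formed, one that client-side JS would
    # have rejected but that arrived anyway.
    print(validate_signup({"email": "Bob@Example.com", "display_name": "Bob"}, EXISTING_EMAILS))
    print(validate_signup({"email": "not-an-email", "display_name": ""}, EXISTING_EMAILS))
```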

#16

1

While this strategy will work for good and legitimate users, it will not protect your site from a non-browser request using some hacker tool, or from a series of automated bot requests sending the HTTP POST command with a full load of crap which, in the best case, just pollutes your system and, in the worst, damages your data consistency and causes error messages on multiple pages.

#17

0

Client side validation is against the concept of the "world wide web", because the reason for which we made html text based is that each device must be able to process the response however small the device is. Now client side validation demands processing power of the device used, which is not what "www" expects from a device consuming html. Client side validations are particularly important for saving bandwidth; as internet speeds are increasing day by day, there will be a time when we no longer require client side validations.
