application_development thread: validate@f... or backdoor
Message #1 by "Erik Meesters" <emeesters@b...> on Fri, 21 Jun 2002 14:40:08
Hello,
We are having a discussion on controlling user input on the frontend
(client side javascript) or through procedures on the backend (oracle
pl/sql packages on an oracle8i Database).
What are best practices?
Limit internet traffic as much as possible and have as much control as
possible in the frontend (not very maintainable we think) or have more
control at the backend and have much more traffic.
What would be the best strategy and does anyone know where we should look
for an answer?
Thanks in advance for any help/advice.
Erik
Bauhaus ArchITects
Bussum, The Netherlands
Message #2 by Jack_Speranza <jsperanza@g...> on Fri, 21 Jun 2002 10:56:06 -0400
IMHO, you really need to do both. While Front-end validation should trap
95%+ of your data errors (and, as you point out, hopefully limit network
traffic), you still need to handle that last 5% on the server side. Client
validation can fail for a number of reasons. For example, users might have
have their client-side scripting turned off for security reasons; javascript
version differences might wreak havoc with your validation code; unscrupulous
users can easily bypass client-side validation to probe for vulnerabilities
(e.g. SQL injection attacks, etc.).
My personal opinion is that good coding practices should effectively rule
out the possibility of failing due to data input "errors," and in a web
application that means testing incoming data at all levels (client-side,
middle-tier and back-end). How far you take all of this, however, is a risk
management decision based on the type of application with which you are
dealing...
Cheers,
Jack
Message #3 by "Carl Langan" <langanc@h...> on Mon, 24 Jun 2002 19:13:25
I agree with the previous post. You should keep general validation on the
client side, such as was this field filled in, but you need to keep
business rule data validation on the server side (e.g. is this a valid
client id). It's a delicate balance, but you can't rely on the client-side
validation for the reasons mentioned above.
One method I've used for data validation is to put the form request into
an xml document and validate that xml against a pre-defined schema. I've
only used the Microsoft XML Parser V 4.0 for this, but it works
brilliantly and returns excellent error messages. Using the schema, you
can define the data types, number of occurrences, etc. This would also
move a great deal of the data validation out of your code and into schemas
(you don't have to re-compile if you add a field to the form).
Just some thoughts.
Carl Langan.
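Server-side re-validation of the kind both replies argue for, as an added example that is not from the thread: a declarative per-field rule set (the schema idea, in code rather than XML), the "is this a valid client id" business check done on the server, and a bind variable in the lookup so a value that slipped past client-side JavaScript can never become SQL text. Field names, sample data and the sqlite3 stand-in for the Oracle back end are assumptions.

```python
import re
import sqlite3
# Declarative field rules (constructed for this example): is the field required,
# what must each value look like, and how many occurrences are allowed.
SCHEMA = {
    "client_id": {"required": True, "pattern": re.compile(r"\d{1,9}"), "max": 1},
    "email": {"required": True, "pattern": re.compile(r"[^@\s]+@[^@\s]+"), "max": 1},
    "phone": {"required": False, "pattern": re.compile(r"\+?[\d ]{6,20}"), "max": 3},
}

def validate(form):
    """form maps a field name to the list of values the browser sent. Returns a list
    of errors (empty means clean); nothing here trusts that client-side JS ran."""
    errors = []
    for name, rule in SCHEMA.items():
        values = form.get(name, [])
        if rule["required"] and not values:
            errors.append(f"{name}: missing")
        if len(values) > rule["max"]:
            errors.append(f"{name}: at most {rule['max']} value(s) allowed")
        for v in values:
            if not rule["pattern"].fullmatch(v):
                errors.append(f"{name}: value {v!r} is not well formed")
    for name in form:
        if name not in SCHEMA:
            errors.append(f"{name}: unexpected field")
    return errors

def lookup_client(conn, client_id):
    """Business-rule check ('is this a valid client id?') done on the server. The id
    goes in as a bind variable, so it is data to the database and never SQL text."""
    row = conn.execute("SELECT name FROM clients WHERE id = ?", (int(client_id),)).fetchone()
    return row[0] if row else None

def handle(conn, form):
    # Reject malformed input first, then apply the business rules.
    errors = validate(form)
    if errors:
        return {"ok": False, "errors": errors}
    name = lookup_client(conn, form["client_id"][0])
    if name is None:
        return {"ok": False, "errors": ["client_id: no such client"]}
    return {"ok": True, "client": name}

def demo_db():
    """In-memory sqlite3 table standing in for the Oracle back end (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO clients VALUES (42, 'Example Client BV')")
    return conn
```

Adding a field means adding one SCHEMA entry; the request handler itself does not change.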
Message #4 by leaw@D... on Mon, 24 Jun 2002 11:03:30 -0700
Hey Carl, I believe you meant to post this, not mail it to everyone.