Fog Creek Software
Discussion Board




Client side validation

I have two web forms - one with only 3 fields, the second one 15. My partner insists on having client and server side validation. I am trying to convince him that server side validation is good enough. I have checked many sites and they don't do any javascript client side validation.

Am I being irrational here?

Joe
P.S. Alerts in Javascript make me nauseous.

Joe
Sunday, August 08, 2004

Client side validation is nice because it doesn't require a round trip to the server just to see if the user put in her password. Alerts are nice because they are cross-browser compatible. Combine it with highlighting of the rows the user needs to check using CSS and you have a nice client-side check.

But don't be fooled into thinking that is all you need. Obviously in your case you understand that. But in Javascript it is incredibly simple to have your validation overwritten. For example, if I have super validator:

function superValidator(){
  // Reject the form when the password field's value is shorter than 8 characters
  if(document.forms[0].password.value.length < 8){
    return false;
  }
  return true;
}

A user can type into their location bar:

javascript:alert(superValidator=new Function("return true;"))

and your function is rendered useless.

So I think client side has its place, and as a user I would ask that you please use it, but just don't rely on it for anything more than a nicety for the user.

CF
Sunday, August 08, 2004

>they don't do any javascript client side validation.
Should be "they don't do any javascript client side validation anymore."

Too many hacks broke all sorts of client side validation. We only do it for making sure that the end user has actually typed stuff that resembles correct data before pressing submit.

One book I read (I think it was called web hacking) described a situation where the order form from the online store was all client side js. As a result, enterprising crooks would do "save as" then edit the price of the shirts from $50 to $5 and then do a submit from the edited page: instant 90% discount.

As a result, most folks do very little client side validation. And as more and more folks are disabling js totally, pages depending on js will find more and more breakage.

Peter
Sunday, August 08, 2004
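
An added example, not part of any post in this thread: a server-side check that covers both cases described above, the overwritten password validator and the order form whose price was edited in a saved copy of the page. CATALOG, the field names and validateOrder are hypothetical, and the form object stands in for an already-parsed POST body.

```javascript
// Server-side re-validation of a submitted order form (added example).
// CATALOG, the field names and validateOrder are assumptions, not from the thread.
const CATALOG = { shirt: { priceCents: 5000 } }; // the $50 shirt; the price lives on the server only
const MIN_PASSWORD_LENGTH = 8;                   // same rule as superValidator in the thread

function validateOrder(form) {
  const errors = [];

  // Repeat every client-side rule: the browser check may have been replaced or skipped.
  const password = typeof form.password === "string" ? form.password : "";
  if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push("password must be at least 8 characters");
  }

  // Look the item up by id; an own-property test avoids matching inherited keys
  // such as "constructor".
  const known = Object.prototype.hasOwnProperty.call(CATALOG, form.item);
  const item = known ? CATALOG[form.item] : null;
  if (!item) errors.push("unknown item");

  // Quantity arrives as text; accept only plain decimal digits in a sane range.
  const qtyText = typeof form.quantity === "string" ? form.quantity : "";
  const quantity = /^[0-9]{1,3}$/.test(qtyText) ? Number(qtyText) : NaN;
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
    errors.push("quantity must be a whole number from 1 to 100");
  }

  if (errors.length > 0) return { ok: false, errors, totalCents: null };

  // The total comes from the server's price. form.price is never read, so a
  // saved-and-edited page that posts a lower price changes nothing.
  return { ok: true, errors, totalCents: item.priceCents * quantity };
}

// Constructed sample submissions (not real traffic).
const honest   = { password: "correct horse", item: "shirt", quantity: "2", price: "50.00" };
const tampered = { password: "correct horse", item: "shirt", quantity: "2", price: "5.00" };
const bypassed = { password: "short", item: "shirt", quantity: "-1", price: "50.00" };

console.log(validateOrder(honest));   // total computed from CATALOG
console.log(validateOrder(tampered)); // same total as the honest order
console.log(validateOrder(bypassed)); // rejected with two errors
```
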

"My partner insists on having client and server side validation. I am trying to convince him that server side validation is good enough. I have checked many sites and they don't do any javascript client side validation."

You didn't check any of my sites then -- we do client and server-side validation for all our forms.  Doing *just* server side validation is good enough but it's not good usability.  Client-side validation is a great benefit for your users.

My form-generation library handles both the server side and client side validation together.  So I don't have to worry about manually coding each form (which can take forever).
 

Almost Anonymous
Sunday, August 08, 2004

Imagine a form where the user enters a date; they enter 13/3/2004.  They fill in the rest of the form and submit it, and it comes back because that date doesn't validate for your system.

Locally validating though gives two wins: if it's local, it's a small matter to determine the right date format for this user on this machine, and if they do enter an invalid date you can tell them immediately and they can fix it and carry on.

Simon Lucy
Monday, August 09, 2004
