0

Please check this question before. I frequently heard about

"... don't trust the client! never trust the client! never trust the user inputs!"

I agree that client-side validation alone is a very bad idea. But if so, what are the advantages of using client-side validation? Is it necessary or not? When should I use client-side validation?

Forget about some bad guys (who try to hack); please think about whether every request should reach the server side. I don't think so. Normal users can input wrong data, and these requests should mostly end at the client side. I believe that it may improve the site's performance.

I tried to disable developer tools in my site to moderate bad guys. I use both client-side and server-side validations for my sites. I believe client-side validations are also needed. Any suggestions for using client-side validation?

Cataclysm
  • convenience and user experience are important, and avoiding unnecessary trips to the server reduces the work the server does too – Matt Coubrough May 27 '14 at 07:44
  • @MattCoubrough can client-side checking reduce the tasks of server-side checking? – Cataclysm May 27 '14 at 07:58
  • It can reduce the *number* of times the server must check things (because often the client-side validation will prevent an invalid POST), but the server must still *ALWAYS* validate every possible input, for the few (possibly malicious) cases where client-side validation is bypassed – Matt Coubrough May 27 '14 at 08:04

3 Answers

3

Use client-side validations for better user experience. Having server-side validation is damn necessary, as validations on the client side can easily be tampered with.

If you don't have client-side validation, then be ready to face the anger of your customers when your whole page reloads and then outputs "Sorry something was wrong".

Amit Joki
  • :-) Yes, absolutely right! I also hate reloading for a single validation error. Can you explain more about `Use client-side validations for only user experience`? I haven't caught what you really meant yet! Thanks – Cataclysm May 27 '14 at 07:45
  • @Cataclysm, taking care of your users by not letting them hate you is called user experience – Amit Joki May 27 '14 at 07:47
  • You can have server-side validation that works like client-side validation. Just make sure to debounce your inputs and then send a request to the server to check if they're good. Which is what you would do for autocomplete fields and whatnot, anyway. Trivial stuff like an email regex can be done client-side *too* if it leads to a snappier experience but it seems like a huge waste of time to me. It's not like the server will keel over and die over such a simple request, and at least you don't have to do everything twice if you keep it in the backend. – KappaG3 Jan 28 '23 at 20:05
1

Yes, separate client-side validation can reduce the load on your server, and can make your app appear faster to the user. It may also make the interface between client and server simpler.

However, unless you can write the validation logic in a form that can be executed on both client and server side, you'll be duplicating logic, with all the problems that causes.

Michael Borgwardt
1

I personally use both of them, like you.

Imagine an email regex:

Client side:

You help the user to know about a mistake, if he forgets the @ or something like that.

Server side:

The best regex can't help you to know whether the email is available. You need to send him an email.

General

Use client-side validation to help the user detect errors; use server-side validation if you need some data in a specific format.

Christian Gollhardt
  • By the way, do I need to validate the input email address syntax on the server side again before sending the email? – Cataclysm May 27 '14 at 07:59
  • In this case "you need them in a specific format" in order to have no error (Depending on your Mail Class). So yes. – Christian Gollhardt May 27 '14 at 08:02
  • If so, every legal request may pass through both client- and server-side checking. But I agree that it is really needed. I will pay that for security :) – Cataclysm May 27 '14 at 08:05
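
The arrangement the answers above describe, as an added example that is not code from any of the posts: one rule set written once in JavaScript, run by the client for instant feedback and re-run by the server for enforcement. All function and field names are hypothetical and the inputs are constructed.

```javascript
// Shared rules: pure functions of the raw value, loadable in browser and on the server.
// Each rule returns true, or the message to show the user.
const RULES = {
  email: v => (typeof v === 'string' && v.length <= 254 &&
               /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)) || 'Enter a valid email address',
  age:   v => (Number.isInteger(v) && v >= 13 && v <= 120) || 'Age must be 13-120',
};

function validate(input) {
  if (input === null || typeof input !== 'object') return { _form: 'Malformed request' };
  const errors = {};
  for (const [field, rule] of Object.entries(RULES)) {
    const result = rule(input[field]);
    if (result !== true) errors[field] = result;
  }
  return errors;
}

// Server side: never assumes the client ran validate(); it re-checks the raw body.
let serverRequests = 0;            // counts requests that actually reached the server
function serverHandle(body) {
  serverRequests++;
  const errors = validate(body);
  if (Object.keys(errors).length > 0) return { status: 422, errors };
  return { status: 201 };          // only now is the data stored or handed to a mailer
}

// Client side: same rules, run before sending, purely for fast feedback.
function clientSubmit(form) {
  const errors = validate(form);
  if (Object.keys(errors).length > 0) return { sent: false, errors };  // no round trip
  return { sent: true, response: serverHandle(form) };
}

// Constructed inputs.
const typo = clientSubmit({ email: 'alice.example.com', age: 30 });  // honest mistake
const ok = clientSubmit({ email: 'alice@example.com', age: 30 });    // passes both checks
// A request that skipped the client check entirely still meets the same rules.
const bypassed = serverHandle({ email: 'not an email', age: '30' });

console.log(typo.sent, ok.response.status, bypassed.status, serverRequests);
```

The honest typo never costs a request, while the request that skipped the client check is rejected by the same rules on the server.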