
I have a sort of user inventory where users can activate products. Assuming that I'm also going to do validation on the server, should this operation be done on the client, or are there any risks (JavaScript code alteration by the user)?

Roman Hudylko
  • There is no replacement for server-side validation; just go for server-side validation only. – Kartikeya Khosla Sep 02 '14 at 09:33
  • Here is one simple principle: every validation you do client-side can be bypassed. You only do it for the comfort of your users. Your server-side validation should not differ whether there is client-side validation or not. – pomeh Sep 02 '14 at 09:35
  • @Exception I'm not trying to replace server-side validation. I'm just asking if I can show a prompt on the client and then validate on the server; I need to know if I'm risking something by doing this. – Roman Hudylko Sep 02 '14 at 09:37
  • Yes, you can do validation on both the client and server side; that will be a good idea. – Kartikeya Khosla Sep 02 '14 at 09:38
  • @Exception But can't a user bypass server validation by sending fake data (altering JS)? – Roman Hudylko Sep 02 '14 at 09:40
  • What does "altering JS" have to do with server-side data validation? _Every single piece of data_ that your server receives is to be considered potentially malicious/tainted, no matter what JS does or does not do on the client. Even the assumption that any JS got executed on the client at all would already be totally wrong. – CBroe Sep 02 '14 at 09:43

1 Answer


Anything you do on the client is compromised as the user is fully in control of it.

The client basically sends requests to the server and you can send any request to any server you want even without a browser, so a user can bypass absolutely any JavaScript code that you expect to run on the client side. For that reason, any validation you want to do for security reasons must be done server-side.

That does not mean you should not also do it on the client-side. You can do the same validation on both the client-side and server-side where:

  • The client-side validation is done for convenience and website responsiveness (you don't really want the user to click Submit each time to see that they entered something incorrectly, do you?).
  • The server-side validation is done for security. This is the only way to ensure someone doesn't get unauthorised access, crash your website or populate your database with garbage.

Please also note that any client-side validation source code is visible to the user, so don't do something like password validation there.

neelsg
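The following is an added example, not code from the question or the answer above, showing the split the answer describes for the "activate product" operation: the same rule is used on the client purely for a prompt, while the server re-runs it against its own session and inventory, so a request assembled without the page's JavaScript (curl, a proxy, an edited page) is still rejected. The inventory layout, the request body shape and the session object are assumptions made for this illustration.

```javascript
// Added example (not code from the original question or answer): the
// "activate product" rule enforced on the server regardless of what the
// client-side JavaScript did. Inventory layout, request shape and the
// session object are assumptions made for this illustration.

// Constructed sample data: the products each user owns and which are active.
function freshInventory() {
  return {
    alice: { owned: ['p-100', 'p-200'], active: new Set(['p-100']) },
    bob:   { owned: ['p-300'],          active: new Set() },
  };
}

// HTTP status the server answers with for each rejection reason.
const REJECTIONS = {
  'malformed request': 400,
  'unknown user': 401,
  'product not in inventory': 403,
  'already active': 409,
};

// The rule itself, as a pure function so client and server can share it.
// Returns null when activation is allowed, otherwise a reason string.
function validateActivation(inv, userId, productId) {
  // Type checks matter: a JSON body can carry an array or object where a
  // string was expected, and includes()/has() would then behave differently.
  if (typeof userId !== 'string' || typeof productId !== 'string') {
    return 'malformed request';
  }
  // hasOwnProperty guard: keys like "constructor" must not hit the prototype.
  const user = Object.prototype.hasOwnProperty.call(inv, userId) ? inv[userId] : undefined;
  if (!user) return 'unknown user';
  if (!user.owned.includes(productId)) return 'product not in inventory';
  if (user.active.has(productId)) return 'already active';
  return null;
}

// Client side: used only to decide whether to show a prompt before the
// request is sent. A user who edits the page, or calls the endpoint with
// curl, never runs this, so nothing depends on it having run.
function clientCanActivate(inv, userId, productId) {
  return validateActivation(inv, userId, productId) === null;
}

// Server side: the authoritative check. The user comes from the server-side
// session, not from a field in the request body, and the product id is
// re-validated against the server's own copy of the inventory.
function handleActivate(inv, session, body) {
  if (!session || typeof session.userId !== 'string') {
    return { status: 401, error: 'not authenticated' };
  }
  const productId = body ? body.productId : undefined;
  const reason = validateActivation(inv, session.userId, productId);
  if (reason !== null) {
    return { status: REJECTIONS[reason], error: reason };
  }
  inv[session.userId].active.add(productId);
  return { status: 200, activated: productId };
}

// Demo: bob's legitimate request, then a forged one that skips the page's
// JavaScript and smuggles alice's user id into the body. The server ignores
// the body's userId and uses the session, so the forgery gets 403.
function demo() {
  const inv = freshInventory();
  return [
    handleActivate(inv, { userId: 'bob' }, { productId: 'p-300' }),
    handleActivate(inv, { userId: 'bob' }, { productId: 'p-200', userId: 'alice' }),
    handleActivate(inv, { userId: 'bob' }, { productId: 'p-300' }), // replay: already active
  ];
}

console.log(demo());
```

Note what the server deliberately does not trust: the user id in the body (identity is taken from the session), the type of the product id (a JSON array where a string was expected is rejected rather than coerced), and any assumption that the client already checked ownership or active state.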