5

Which is best — client-side validation or server-side validation?

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Bala
  • 1,386
  • 1
  • 14
  • 27
  • This needs to be left open, so the clear answer that server side validation is not optional. This is worth repeating as many times as it takes to get the message through. – Richard Sep 02 '10 at 11:34
  • 1
    possible duplicate of [Should you do validation on the server side?](http://stackoverflow.com/questions/1125772/should-you-do-validation-on-the-server-side) – Joel Etherton Sep 02 '10 at 11:35
  • Though it may be argumentative, i am in need of proper answer. So that i can use in my application. Please vote to reopen – Bala Sep 02 '10 at 11:40
  • @bzlm, @Alex Reitbort, @serg10, @Arcturus, @Joel Etherton: There is nothing subjective or argumentative about this question. It is a matter of security and usability. Please vote to reopen. – Klaus Byskov Pedersen Sep 02 '10 at 11:49
  • Wow, closed and reopened within 42 minutes! – Timwi Sep 02 '10 at 12:13

5 Answers5

10

Server side validation is a must since client side validation can be tampered. However, client side validation usually provides a better user experience, since it requires less post backs. So I would recommend using both.

Klaus Byskov Pedersen
  • 117,245
  • 29
  • 183
  • 222
4

You MUST do server side validation. Otherwise anyone can send anything they like (consider browser with JavaScript disabled, or a custom fake browser).

Client site validation can be used to provide a better user experience, but you should operate correctly if it is not available.

Richard
  • 106,783
  • 21
  • 203
  • 265
3

For security:

Server side validation.

A savvy client can remove the validation.

For best GUI experience:

Client side validation.

cjk
  • 45,739
  • 9
  • 81
  • 112
1

For the validation purpose in ASP.NET both are good, but it depends on the application. For the security purpose the server side validation is best, but it increases the overhead on the server, so we generally avoid to use the server side validation whenever it is not necessary.

The client-side validation is generally best for checking the input type parameter and its check on the client side means at your browser, so it does not puts a load on the server and less time taken and insecure.

In my point of view client-side validation is best.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
naval
  • 1,423
  • 1
  • 13
  • 26
0

I suggest server-side validation with AJAX only.

As others have pointed out, server-side validation is a must since client-side validation can be tampered with.

I've worked on projects where we've used client-side in addition to server-side validation believing this would be easier on the server and provide a better user experience. While it worked just fine, it came at the expense of violating the DRY (Don't Repeat Yourself) principle and risking inconsistent server/client side validation implementations (note: I gave up on the built in ASP.NET validators a long time ago).

Since then, I've found that in practice you can achieve very nearly just as good a user experience by performing all POSTS using Ajax: if validation on server succeeds, proceed with main purpose of the POST (saving data or something), and return a success JSON response and call a success callback to navigate to another page or something. If the validation fails, return a JSON response containing the failed fields and messages and call a failure callback to display them.

Assuming you take care to slim down your POSTs (a deliberate practice in ASP.NET I know), this strategy will be kind enough to your server in general.

Stephen Swensen
  • 22,107
  • 9
  • 81
  • 136