Getting the right information

July 22, 2010 12:49 pm | Updated 12:49 pm IST - Chennai:

Chennai: 05/07/2010: Business Line: Book Value Column: Title: Professional ASP NET 4 in C# and VB. Author: Bill Evjen, Scott Hanselman and Devin Rader.


Web applications generally provide or gather information. In the latter case, it is important that you gather valid data, else there isn’t much point in collecting it, write Bill Evjen, Scott Hanselman, and Devin Rader in ‘Professional ASP.NET 4 in C# and VB’ (www.wileyindia.com).

Validation is a set of rules that you apply to the data you collect, and these rules can be many or few and enforced either strictly or in a lax manner; it really depends on you, the authors explain. “No perfect validation process exists because some users may find a way to cheat to some degree, no matter what rules you establish. The trick is to find the right balance of the fewest rules and the proper strictness, without compromising the usability of the application.”

Two types of validation

The book discusses two types of validation, viz. client-side and server-side. The former is performed on data entered in the web form before the form is posted back to the originating server; the task is usually carried out by a script in the page that is delivered to the end user’s browser.

Server-side validation, by contrast, happens on the server, after the submitted form data is packaged in a request (in ASP.NET) and sent to the server where the application resides.

Both types of validation have their pros and cons, the authors note. Client-side validation is quick and responsive for the end user, they elaborate. “If something is wrong with the form, using client-side validation ensures that the end user knows about it as soon as possible. Client-side validation also pushes the processing power required of validation to the client, meaning that you don’t need to spin CPU cycles on the server to process the same information because the client can do the work for you.”

Security considerations

The flip side, however, is the absence of security. As the authors caution, when a page is generated in an end user’s browser, the user can look at the code of the page quite easily, simply by right-clicking his mouse in the browser and selecting ‘view code.’ In addition to seeing the HTML code for the page, the user can also see all the JavaScript that is associated with the page.

“If you are validating your form client-side, it doesn’t take much for the crafty hacker to repost a form (containing the values he wants in it) to your server as valid. Cases also exist in which clients have simply disabled the client-scripting capabilities in their browsers – thereby making your validations useless.”

The more secure form, therefore, is server-side validation, Evjen et al. inform. It is more secure because the checks cannot be easily bypassed, they reason. “If the form isn’t valid, the page is posted back to the client as invalid.” A disadvantage, though, is the slowness of server-side validation in comparison to the other type. “It is sluggish simply because the page has to be posted to a remote location and checked. Your end user might not be the happiest surfer in the world if, after waiting 20 seconds for a form to post, he is told his email address isn’t in the correct format.”

Recommended approach

To those who wonder which is the correct path, the book says, ‘Actually, both!’ The best approach, one learns, is always to perform client-side validation first and then, after the form passes and is posted to the server, to perform the validation checks again using server-side validation.

Such an approach, the authors recommend, provides the best of both worlds. “It is secure because hackers can’t simply bypass the validation. They may bypass the client-side validation, but they quickly find that their form data is checked once again on the server after it is posted. This validation technique is also highly effective – giving you both the quickness and snappiness of client-side validation.”
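The ‘both’ approach above, as an added example that is neither the book’s code nor the column’s: one rule set is shared by a client-side submit handler (fast feedback, no round trip) and a server-side POST handler (the authoritative check). The form fields, rule thresholds and the two handler names are assumptions made for the illustration; the sample forms are constructed. The last call shows the point the authors make: a body that reaches the server without the client script having run is still rejected.

```javascript
// Added example, not from the book or the column. Field names, thresholds
// and handler names are assumptions for the illustration.

// One rule set shared by both sides so client and server checks cannot drift apart.
// Each rule returns null when valid, or an error message when not.
const rules = {
  name: (v) =>
    typeof v === "string" && v.trim().length >= 2
      ? null
      : "Name must be at least 2 characters",
  email: (v) =>
    typeof v === "string" && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)
      ? null
      : "Email address is not in a valid format",
  age: (v) =>
    Number.isInteger(Number(v)) && Number(v) >= 18 && Number(v) <= 120
      ? null
      : "Age must be a whole number between 18 and 120",
};

// Run every rule over a form; returns a field -> message map (empty when valid).
function validate(form) {
  const errors = {};
  for (const [field, check] of Object.entries(rules)) {
    const msg = check(form[field]);
    if (msg) errors[field] = msg;
  }
  return errors;
}

// Client side: what the page script does before allowing the POST.
// Returns { sent: false, errors } when it blocks the submit, or { sent: true, body }.
function clientSubmit(form) {
  const errors = validate(form);
  if (Object.keys(errors).length > 0) {
    return { sent: false, errors }; // show messages inline, no round trip
  }
  return { sent: true, body: { ...form } };
}

// Server side: the handler that receives the POST body. It never assumes the
// client script ran, so it validates again and only then processes the data.
function serverHandlePost(body) {
  const errors = validate(body || {});
  if (Object.keys(errors).length > 0) {
    return { status: 400, errors }; // posted back to the client as invalid
  }
  return {
    status: 200,
    saved: { name: body.name.trim(), email: body.email, age: Number(body.age) },
  };
}

// Constructed sample inputs.
const goodForm = { name: "Asha", email: "asha@example.com", age: "34" };
const badForm = { name: "A", email: "not-an-email", age: "12" };

// Normal path: the client blocks the bad form; the good one passes both checks.
console.log(clientSubmit(badForm).sent); // false
console.log(serverHandlePost(clientSubmit(goodForm).body).status); // 200

// Scripting disabled or the client check skipped: the body arrives unchecked,
// and the server-side validation still rejects it.
console.log(serverHandlePost(badForm).status); // 400
```

Keeping a single `rules` object is the design choice worth copying: when the two sides carry separate copies of the rules, the server copy is the one that tends to lag, and the server copy is the only one that actually protects the application.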

For the hands-on techie readers.

**

Tailpiece

“To reduce our carbon footprint…”

“You are using more of videoconferencing in the place of travel?”

“Plus, we began imposing a fee on every email sent!”

**

BookPeek.blogspot.com
